Transparence, Transparence, Transparence
Risk management can be seen from two different angles. The traditional view works with vulnerability, threat and risk. The more modern one takes an enablement approach. Let's take an example. You left your apartment with the window tilted open. Is this already a risk? Depending on where the window is and what the weather is like outside, probably not, right? With a rainstorm coming up, the existing vulnerability (the tilted window) together with the now existing threat (the rainstorm) turn the situation into a risk, which could be the flooding of your home.
The other picture I often use is a fancy sports car parked in front of a sunset. The question here is: why do we install big brakes on this car? The reactive answer normally is: to be able to stop, or to avoid killing someone. The real reason, nevertheless, is: to allow this car to go fast, and faster than it could without big brakes. The same situation, but a different angle to look at it from. Let's think about a situation in the real business world.
Globalization is key to success for many companies around the globe. Seamless sharing of information and collaboration with external parties play a very important role in that. Internal applications are used to manage most of the information elements within a company. Allowing external partners to work with the same set of information normally requires a complex infrastructure set-up: servers in DMZs, replication of data between internal and external sources, and different authentication approaches, resulting in high cost and a long time to market for the business. Don't get me wrong, I am aware of all kinds of nice implementation options that try to make such scenarios less painful.
Nevertheless, let's think for a moment about a scenario that would allow the business to work on the same set of information together with its external partners. This is not about sharing all of the information assets, rather the ones the business has chosen to share with others. Suppose the IT organization came up with a scenario that allowed a time to market of hours or days instead of weeks and months, with reduced complexity that is less prone to failure. How would the business react to that?
It sounds nice from a business point of view, right? But what about the security implications? Is something like this possible, and is the risk that goes along with it manageable? Many IT groups stop at this point, as they see only the issues and not the opportunities.
The information security expert starts with a CIA (confidentiality, integrity and availability) assessment. Based on my own experience I can say that I haven't seen many large enterprise companies in the industry where the amount of classified information was higher than 10%. I would even go further and say not higher than 5%. That means that on average 95% of all information assets are, in the best case, classified as "Business use only" or "Public", or not classified at all. The probability that the application in scope for this collaboration scenario hosts classified information is relatively small, right? OK, but without knowing what the classification requirements for the application in scope are, you can't go any further. Full transparency is needed to be able to take informed decisions.
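As an added illustration of the point above (this is example code, not part of the original post): a go/no-go check for a partner-sharing scenario should be driven by the per-asset classification of the application's data, and it must refuse to decide while any asset is still unclassified, because a missing label is not the same as "Public". The inventory, the label names above "Business use only", and the sharing threshold are all assumptions constructed for the example.

```python
"""Go/no-go check for sharing an application's information assets with an
external partner, driven by per-asset classification labels.

Added example, not code from the original post. The inventory, the two
higher classification levels and the sharing threshold are assumptions
made for illustration.
"""

# Ordered from least to most sensitive. "Public" and "Business use only"
# appear in the post; "Confidential" and "Strictly confidential" are assumed names.
LEVELS = {
    "Public": 0,
    "Business use only": 1,
    "Confidential": 2,
    "Strictly confidential": 3,
}

# Highest level the business has agreed to expose to the partner (assumed policy).
SHARE_THRESHOLD = "Business use only"

# Constructed sample inventory for one application; None means never classified.
INVENTORY = [
    {"asset": "product catalogue", "classification": "Public"},
    {"asset": "partner price list", "classification": "Business use only"},
    {"asset": "delivery schedule", "classification": "Business use only"},
    {"asset": "customer contract terms", "classification": "Confidential"},
    {"asset": "legacy spreadsheet export", "classification": None},
]


def classification_share(inventory):
    """Return (share, unknown): the fraction of labelled assets that are
    'Confidential' or above, and the count of assets with no label at all.
    Unlabelled assets are kept out of the denominator, because a missing
    label says nothing about the asset's sensitivity."""
    known = [a for a in inventory if a["classification"] is not None]
    classified = [a for a in known
                  if LEVELS[a["classification"]] >= LEVELS["Confidential"]]
    unknown = len(inventory) - len(known)
    share = len(classified) / len(known) if known else 0.0
    return share, unknown


def sharing_decision(inventory, threshold=SHARE_THRESHOLD):
    """Return (decision, details).

    'undecidable' while any asset lacks a classification (no transparency,
    no informed decision); otherwise 'share' with the subset of assets at or
    below the threshold and the list of assets that stay internal, or
    'no-share' if nothing falls under the threshold."""
    limit = LEVELS[threshold]
    unclassified = [a["asset"] for a in inventory if a["classification"] is None]
    if unclassified:
        return "undecidable", {"needs_classification": unclassified}
    shareable = [a["asset"] for a in inventory
                 if LEVELS[a["classification"]] <= limit]
    withheld = [a["asset"] for a in inventory
                if LEVELS[a["classification"]] > limit]
    decision = "share" if shareable else "no-share"
    return decision, {"shareable": shareable, "withheld": withheld}


def classify(inventory, asset, label):
    """Return a copy of the inventory with one asset (re)labelled."""
    return [dict(a, classification=label) if a["asset"] == asset else dict(a)
            for a in inventory]


if __name__ == "__main__":
    share, unknown = classification_share(INVENTORY)
    print(f"classified share of labelled assets: {share:.0%}, unlabelled: {unknown}")
    print(sharing_decision(INVENTORY))
    # Once the last asset has been labelled, the decision can be taken.
    labelled = classify(INVENTORY, "legacy spreadsheet export", "Business use only")
    print(sharing_decision(labelled))
```

The first call returns "undecidable" and names the asset that still needs a label; only after that asset is classified does the function return "share" with the shareable subset and the assets that must stay internal. The low share of classified assets does not shorten this step: the decision is per asset, not per average.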
I mentioned "on average" before. Have you ever thought about the fact that when we talk about an average, roughly half of the people in scope must be below that line? Strange, isn't it? (Strictly speaking that holds for the median, not necessarily the mean; please forget about all the statistical subtleties of distributions. It is just to make the case.)
The next blog entry will take a closer look at the scenario mentioned above. We will show you the business case that goes along with such a scenario. I just came back from a visit to California, where I met one of the growing players in this field.
Responses
Re: Transparence, Transparence, Transparence
That means in average that 95% of all information assets are in best case classified as “Business use only”, “Public” or not classified at all.
"Not classified at all" is the problem - because it often means the business hasn't bothered to classify it, but it may still be confidential.