Forrester’s 2011 Security Strategy Recommendations

According to CIO Magazine, most CISOs are struggling with the same technical and business issues, ranging from the changing threat landscape to supporting the increasing adoption of social technologies, employee-owned mobile devices, and cloud services.

Many senior business and IT leaders are asking CISOs to support and align with business and IT objectives, and are requesting more interaction with, and more frequent updates from, their security teams. Forrester has identified recommendations for security strategies that address the broad security trends in the current market, falling into three major themes:

  1. Better governance structures;
  2. More mature security processes;
  3. Improved analytics and reporting capabilities.

I tend to agree with most of the commentary in this excellent CIO article. The bulk of the recommendations focus on developing metrics for measuring success. Anyone who knows me knows that I am a metrics man, swearing by the spreadsheet, monitoring trends and always seeking out performance indicators. There is also some high-level advice on how to support the business, make security an enabler, and produce policy that aligns with business objectives. I do believe that this is a two-way street, however: the business MUST be educated about the risks inherent in activities that are pursued for increased convenience, and in most cases a compromise should be struck rather than security concerns being disregarded outright.

Both the article and the Forrester report are worth reading, and offer food for thought.