Security hinders business, says CERT boffin

By Dave Nixon

Security has to develop into something that supports business, as opposed to the other way around, according to a senior member of the technical staff at Carnegie Mellon University’s Computer Emergency Response Team (CERT).

Security has got a bad reputation in today’s enterprises, said Lisa Young. The propensity is to want to start locking things down. This way security has become something that disables, not enables, business, she added.

Young said this was still an area where hardware and technology ruled. “Solving your security problems by buying another box is just wishful thinking. But security is bigger than that,” Young said. “As security managers it’s up to us to elevate the profession, and include both people, processes, not just technology.”

She added that IT managers hadn’t thought of a way of incorporating security as part of the business process. “People just haven’t thought of security as a discipline that can be measured, managed and mapped. It’s a new way of looking at it,” Young said.

To make simpler labors to make changes to security policy, Young’s development team at CERT has developed the Resiliency Engineering Framework (REF), which was launched last year.

It doesn’t vie with other frameworks, such as ITIL. REF identifies enterprise-wide processes for managing operational resiliency, including everything from training to compliance management, and gives a structure from which an organisation can begin to improve.