It has always been about the business and not IT! That IT is a means toward achieving business objectives is as familiar as motherhood and apple pie. The same is true of the role of Network Security Controls in achieving the Risk & Compliance objectives of your enterprise.
However, Network Security Controls seem to have lost their once-dominant place on the pedestal as the first line of defense in protecting today’s enterprise networks. Increasingly, we see controls at the application layer being touted as that first line. Certainly, attack surfaces have changed and, correspondingly, so have attack vectors.
It is therefore essential to get the overall picture, and to use Governance, Risk & Compliance (GRC) to tie Network Security Controls to business requirements. We need answers for the following:
Governance-driven risk management helps one make better-informed decisions based on business impact, and provides a mature platform to design and implement controls at various layers. Business risk-aware security provides for more effective data protection, continuity and privacy, and in turn paves the way for effective and sustainable compliance. Without security, privacy becomes a question, and without either of them, compliance is a mirage.
Knowledge about business processes, applications and data that are being protected will help strengthen the controls that are designed and implemented at the network infrastructure level. The IT general controls at the network level cannot afford to be treated as generic controls that are oblivious to the business requirements.
Strategies and tactics that aid this alignment are characterized by “always-on” or “connected” collaboration between IT and business stakeholders, governed by Senior Management. The techniques and tools that facilitate this evolution are Governance, Risk & Compliance (GRC). In essence, Network Security Controls and GRC are tightly interlinked, and can be viewed from either a Top-Down or a Bottom-Up perspective. In the next update, we will delve into the answers to the questions listed above.