Take a business-level view of security and risk management, so you can prioritize security activities and focus on those that make the most strategic sense. With this white paper, learn to direct resources to mitigate risk and costs.
Business-driven securityWhite paper
Take a holistic approach to business-driven security.
March 2008Take a holistic approach to business-driven security.2
OverviewContents Today's corporate leaders face multiple challenges, including the need to
2 Overview innovate in extremely competitive business climates, address highly dynamic
3 Optimize and protect business regulatory and compliance challenges, speed returns on investments to counter
processes shrinking IT budgets and secure the enterprise against a wide barrage of new
4 Secure business processes across and evolving sophisticated threats. However, unlike other business challenges,
all risk domains organizations typically take a technology-driven approach to securing their
6 Elevate IT security to a business- infrastructure, when in reality, a business-driven approach is warranted.
driven approach 7 Maximize business success with IBM A business-driven approach to security is unlike a technology-centric
8 For more information approach in that the business goals drive the requirements in securing the
8 About IBM Service Management enterprise. Organizations often take a bottoms-up approach to security because security solution vendors typically promote this approach to their clients. To close identified security gaps, enterprises broaden and bolster their defenses by continually building on top of or adding to their existing security investments. This technology-centric methodology often creates an excessively complex and disjointed security infrastructure. It becomes difficult to manage and prone to unseen vulnerability gaps, needlessly escalates IT costs and eventually fosters unnecessary operational inefficiencies that inhibit business growth rather than enhance it.
Instead of trying to protect against every conceivable threat, organizations should understand and prioritize the security risk management activities that make the most sense for their organization. By understanding the level of risk tolerance within an organization, the IT team can more easily focus on mitigating risks that the organization can't afford to neglect. Overemphasizing certain risks leads to wasted resources and efforts, while underemphasizing others can have disastrous consequences.
Organizations can find it difficult to achieve a strategic, end-to-end security approach that supports business goals such as driving innovation and reducing organizational costs, as well as operational requirements to address Take a holistic approach to business-driven security.3
compliance measures and protect against internal and external threats. This "Every business continuously balances risk and paper introduces actions that organizations can take to drive security efforts reward to find a way to achieve the best returns from a business and operational perspective and discusses how security at an acceptable level of risk. For IT security leadership from IBM can help enable their success. professionals, this is the most difficult part of the job: objectively analyzing risk in the context Optimize and protect business processesof the business goals and possible return on The common security model ingrained in today's corporate world involves investment. It may seem counterintuitive, but implementing a broad set of capabilities to protect against the most publicized the end-goal for the business as a whole is not threats of the day. This security approach results in the deployment of an to achieve zero risk - shutting down would be array of siloed security tools. Not only do these tools lack the means to the best way to achieve that, just as the server work together to effectively protect against today's highly sophisticated and least vulnerable to attack is the server that is not organized attacks, but they can hinder business operations, generate cost turned on. Rather, the business goal is to allow redundancies, create IT complexity, operate in isolation of business objectives the maximum acceptable level of risk - to live and fail to provide appropriate metrics to allow today's business-minded at the limit of the organization's 'risk tolerance.' security executives to determine their effectiveness. Every business decision is about risk - getting the maximum return for a given level of risk; IT Security should not be addressed in isolation from other busi... [download for more]
