Traditionally, network security revolves around scanning servers for vulnerabilities, drilling down through the scanner's reports to assess how each vulnerability could be exploited and what risk it poses to the server, and then looking at how those risks can be remediated. Looking at vulnerabilities in this purely technical context says little about the actual impact on the business.
No compromise when it comes to risk
These risks can be put into two groups. There is the security risk, which is about compromise. How can the network be compromised and what would happen if the vulnerability was exploited? What damage would be done, and what information could be lost? Assessing these types of risk is usually the domain of the infosecurity team.
The second type of risk is operational: how the business is impacted by addressing the vulnerabilities. This area of security is usually managed by the IT team, who will plan downtime to patch or upgrade the server. But with planned downtime comes unplanned downtime too, as a fix often won't go according to plan and can create a whole new set of issues for the network.
But it isn't the network that runs the business; it is a platform to enable the business. So wouldn't it be more valuable and practical to assess security from the perspective of a business application, which enables the business to run?
In fact, a 2013 survey by AlgoSec revealed that infosecurity, network operations and application professionals commonly struggle to manage business-critical applications effectively, because of the heavy workload and complexity involved and the effort of simply keeping up with the evolving needs of the business. Nearly 50% of respondents would prefer to see vulnerabilities from a business perspective, and it is this piece that is missing when they assess risk.
A higher level of understanding
When you really think about what is at risk from the organisation's perspective, it isn't the server; it is the application that relies on that server. Therefore, to raise security assessment to the level of the business applications, you need to know which servers run which applications. Then every vulnerability discovered and reported on those servers is really a vulnerability affecting the application.
If you look at it from this perspective, gathering the vulnerabilities at the server level and applying them at the application level, another group of people becomes involved in the security risk assessment process: the business application owners, such as HR, finance and sales.
The business application owners are able to add balance to the decisions made about the risks posed to the network: between the risk of compromise and that of planned and unplanned downtime. At this level, they can give input on how important and business-critical the application is, and what the impact on the business would be if staff, customers or third parties weren't able to access it. So rather than being a pure IT and security decision, it becomes one with business operations at the heart of it.
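As an added illustration of the server-to-application roll-up described above (example code, not from the original article or from AlgoSec), the script below joins scanner findings to a constructed server-to-application map and weights each application's worst finding by the criticality its business owner assigned; servers that no application claims are reported separately so they are not silently dropped. All server names, finding ids, severities and criticality values are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from the article): the servers each application depends on.
APP_SERVERS = {
    "payroll": ["srv-db-01", "srv-app-03"],
    "crm": ["srv-app-03", "srv-web-02"],
    "intranet": ["srv-web-02"],
}

# Constructed: business criticality supplied by the application owners (1-5).
APP_CRITICALITY = {"payroll": 5, "crm": 4, "intranet": 2}

# Constructed scanner output: (server, finding id, severity 0-10).
FINDINGS = [
    ("srv-db-01", "FINDING-001", 9.8),
    ("srv-app-03", "FINDING-002", 7.5),
    ("srv-web-02", "FINDING-003", 5.3),
    ("srv-unmapped", "FINDING-004", 9.0),  # no application claims this server
]

def rollup(findings, app_servers, criticality):
    """Map server findings onto the applications that depend on each server.
    Returns (per_app, orphans); an app's score is its worst server severity
    times the criticality its business owner assigned.
    """
    server_to_apps = defaultdict(list)
    for app, servers in app_servers.items():
        for srv in servers:
            server_to_apps[srv].append(app)

    per_app = {app: {"findings": [], "max_severity": 0.0, "score": 0.0}
               for app in app_servers}
    orphans = []  # findings on servers no application owner has claimed
    for server, fid, severity in findings:
        apps = server_to_apps.get(server)
        if not apps:
            orphans.append((server, fid, severity))
            continue
        for app in apps:
            entry = per_app[app]
            entry["findings"].append((server, fid, severity))
            entry["max_severity"] = max(entry["max_severity"], severity)
            entry["score"] = entry["max_severity"] * criticality.get(app, 1)
    return per_app, orphans

def ranked(per_app):
    """Application names ordered by business-weighted score, highest first."""
    return sorted(per_app, key=lambda a: per_app[a]["score"], reverse=True)
```

The orphan list is the check worth reviewing first: a high-severity finding on a server nobody has mapped to an application has no business owner to weigh in on it.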