Carnegie Mellon University's Software Engineering Institute's CERT® Centers are working with executives in commercial and government organizations to develop a practical framework for enterprise-wide security management. They have found that current efforts to manage security vulnerabilities and security risks only take an enterprise so far, with results degrading over time and as complexity increases. What is needed is a framework that (1) mobilizes key enterprise functions to achieve and sustain a desired security state in the normal course of business and (2) addresses the proliferation of security regulations, standards, checklists, scorecards, assessments, and audits. This presentation describes work in progress on such a framework.
This presentation first describes the problem from a reactive/intruder-based perspective, as we in the security community typically consider it. What becomes clear is that we cannot continue to attempt to solve the 'security problem' solely from this point of view. We will never catch up or be able to fully anticipate new and increasingly sophisticated attack patterns or even old ones with known solutions that continue to proliferate. We must begin to broaden the solution to encompass an enterprise wide, proactive, and controls- and process-based approach that addresses impact, not just threat and vulnerability.
From this broader vantage point, we offer several promising ways to think about the problem and tackle it effectively, based on current work with high performing organizations. We call this approach Enterprise Security Management.