When you are first starting out in redefining how you are operating your security program in a customer-centric context, you need to think about a few key concepts familiar to any new business.

What business you are actually in?

Do you want to be perceived, and perhaps more importantly, do you want to operate, as the carrot or the stick? In other words, do you want to play the role of the enforcer or the motivator/enabler? All too often our profession seems to lean towards that of the enforcer. Or, in many cases, more like a first responder. We have historically been very reactive in our approach to managing security. As a matter of fact, we have built entire product  areas on managing event streams for purely reactionary purposes (like the IDS and SIEM markets).

While these are worthwhile monitoring concepts and shouldn’t be ignored, there is a vast ocean of untapped opportunity around a more consultative and proactive approach.

Who are your customers?

Just like a start-up, you need to identify who in your organization (and in some cases, those beyond your organization) are your customers. Don’t forget to include those parties that you only see occasionally, such as external auditors, and possibly even suppliers or other business partners. Your information can be a valuable part of their engagement with your organization as well.

This is a critical component to deciding the next step, which is what services and products (i.e.; packaged information for decision support you are offering and how best to ensure that it is useful to the recipients.

Choosing your product and service mix.

Now that you have decided who would be consuming your value-added information, it’s time to identify what makes up your product and service portfolio. The best place to start is to look at the controls spreadsheet that your internal and external auditors use to track the control objectives and activities they are responsible for testing.

While it isn’t a comprehensive set of controls for your security program, it is the minimum set of functions that you should look at for building out your business model. It also comes “pre-loaded’ with a target market and allows you to start building a rapport with the consumers of the information you are providing so that you can make sure that you package it correctly and deliver it in a manner that makes it easier for them to use.

Here is the slide deck that accompanies this portion of the Competitive Compliance curriculum we have developed. Feel free to spread the link around, or even download the PDF of the deck if you find it useful. As always, your feedback is greatly appreciated. Not just on how this site can be improved, but also what other content or ideas you’d like to see in the curriculum or content on this site.

Please join Brightfly’s Managing Director of Research, Brandon Dunlap, on May 11th in Chicago, IL for “Fact Not FUD-Managing What You Can Measure” as part of (ISC)²‘s Security Leadership Series. In this highly interactive (and some would say, controversial) session , you’ll learn about a new “business model” for security operations and the metrics you should be tracking to manage your programs effectively.

The event will be held at the Donald E Stephens Convention Center:

5555 North River Road
Rosemont, IL
60018

Brightfly would like to thank the generous supporters of (ICS)²‘s Security Leadership Series. Thanks to them, this event is free to (ISC)² members and only $99 for non-members.

Just click the button below to register for the event. Hurry, they fill up quickly!