Course Contents
1. The Security Framework
- Establish a Business-driven focus to ensure Security is always delivered in the context of the Business mission and objectives
- Define a repeatable approach to understand requirements and make meaningful decisions within the complexity of the modern Enterprise
- Inform the way the Security team approaches their work and frame the questions they ask
- Create a common structure, a common language, common principles, and a common means by which diverse specialists can collaborate, interact, and make decisions
- Integrate and align, in a security context, the diverse Enterprise methods, frameworks, and standards, whatever they are and whatever they become
- Balance the need to protect what matters while embracing innovation in a coherent, holistic, systemic way
- Deploy techniques to resolve complexity and deliver clarity of risk ownership, governance, and policy
2. Requirements
- Define and articulate what Security means and what it must achieve in your unique Enterprise context
- Create a stakeholder engagement and communications technique to cross the chasm between Business and Security
- Apply a method to model Business Requirements as normalised, measurable, demonstrable, re-usable, reportable requirements for Security
- Demonstrate the ability to understand what matters most, articulate it, and validate it with stakeholders at all levels in the most instinctive way possible
3. Value
- Overcome the legacy of Security as a constraint to progress, innovation, and change
- Transform perceptions into those of a pro-active, beneficial, and Business-enabling function
- Answer the important “So what?” questions
- Understand what stakeholder success looks like and how to support it
- Demonstrably contribute to Business and client success
- Provide traceability that requirements are met
- Ensure transparency of solution value
- Develop the capability to identify and assess real value from supplier snake oil, magic silver bullets, and claims that one-size-fits-all
- Deliver in-context measures, metrics, and reporting
4. Risk
- Architect Security Risk in the context of Business Risk
- Achieve an appropriate balance between realising opportunities for gain while minimising loss
- Apply an architecturally structured and comprehensive approach
- Integrate and align risk silos to holistically embed risk management into all levels and perspectives of Enterprise
- Traceably align risk management activities to Enterprise context
- Customise ‘risk thinking’ to be instinctive to the Enterprise culture
- Provide a method to include and engage Stakeholders at all levels in meaningful terms
- Deliver clarity and certainty of risk ownership
- Empower risk owners to make objective and proportionate risk decisions in-context
- Cater for the systemic, interconnected, interdependent nature of risk complexity
- Create an ability to clearly define risk appetite
- Distribute Business risk appetite downwards to specialist technical areas, and report risk performance upwards to Business
5. Governance
- Define clear dominions of authority
- Understand and communicate the dependencies and inter-dependencies of authorities both internally and externally in a complex interacting Enterprise
- Resolve the competing and conflicted interests of authorities
- Allocate and enact clear Accountability
- Allocate and enact clear Responsibilities
- Define the necessary channels and types of communication required between Accountable and Responsible parties
- Understand trust requirements and enable trusted relationships
6. Policy
- Transform a rules-based enforcement culture with policy that is advocated and embraced
- Ensure policy is Business-driven and clearly embeds and supports stakeholder objectives
- Overcome constraints to policy success
- Create a simplified structure that is easy to maintain and adaptable to change
- Provide an integrated and holistic Architectural policy structure that embeds control and enablement objectives for what really matters, with dominions of authority for those objectives and clearly defined authority, roles, and responsibilities
7. Making it Happen
- Resolve the strategist’s eternal dilemma – how to turn strategy into reality
- Provide a method to translate ever-changing complex requirements into a definitive Security Strategy
- Specify the Security Roadmap to deliver the Strategy through prioritised actionable transformations, programs, and solutions
- Ensure that the roadmap encompasses requirements for strategic transformation, remediation of current-state issues, and has the capability to adapt to changing circumstances and priorities
- Create a problem-solving framework for dealing with tomorrow’s problems