Forrester Research Blog
Analysis from the security researchers of Forrester.
In April, I discussed the need to focus on the maturity of the security organization itself. I remain convinced that this is the most important priority for security and risk professionals. If we don’t change, we’ll always find ourselves reacting to the next IT shift or business innovation, never predicting or preparing for it ahead of time. It reminds me of the Greek myth of Sisyphus. Sisyphus was a crafty king who earned the wrath of the Gods. For punishment, the Gods forced him to roll a huge boulder up a steep hill, only to watch it roll back down just before he reached the top — requiring him to begin again. Gods tend to be an unforgiving lot, so Sisyphus has to repeat this process for the rest of eternity.
If my protestations don’t convince you, perhaps some data will. The following are the top five Forrester reports read by security and risk professionals in Q2:
These reports focus on overall information security and risk strategy, the structure of the security organization itself, and the redesigning of traditional security operations. What you don’t see on this list are reports about point security products. In fact, even if I expanded this to the top 10 reports, the first reference to technology doesn’t occur until No. 10: HeatWave: Hot Client Security Technologies For Big Spenders And Bargain Hunters. Even this report has less to do with technology and more to do with peer comparison — giving clients a view into what technologies their peers are purchasing.
Here’s another data point to consider: According to Forrester’s Enterprise And SMB IT Security Survey, North America And Europe, Q3 2009, approximately 6% of enterprises cited “unavailability of products/services that meet our needs” as a major security challenge. There is a plethora of available security products and services; in fact, too many of us buy point products without using them in a coordinated fashion or as part of a holistic information risk management strategy.
That’s why many of our Q3 and Q4 research themes, as well as the theme of our upcoming Security Forum, will continue to focus on “Building The High-Performance Security Organization.” We’re using the image of a winning cycling team as a representation of the high-performance security organization. I chose this image because high-performance cycling and security teams surprisingly have some of the same requirements. Allow me to explain:
I read today that a herd of sheep disrupted the Tour de France. No one was injured, but cyclists did have to brake suddenly and in some cases swerve around the sheep. It’s likely the sheep were just befuddled and lost, but there’s a part of me that would like to think it was a coordinated attack. So sheep aren’t the equivalent of an advanced persistent threat (unless you frequently drive in the countryside of France), but it is a good example of a risk or incident that you could reasonably predict and prepare for, since the tour takes cyclists up through the countryside.
If improving the performance of your security organization is one of your top priorities, I hope you can join us at our upcoming Security Forum. If you can’t, I hope you’ll take the time to tell us about your priorities and toughest challenges and whether they line up with what we’re seeing from our clients and research.
Save an additional $200 off the Early Bird rate when you register by August 6th with promo code SF10BLG.