The 5 Stages of Security Control Procurement: Getting to Acceptance


For those trying to obtain managerial buy-in for a security control, the stages in the process can often parallel the five stages of grief: denial, anger, bargaining, depression, acceptance.

The need for a firewall was at one time a common and hotly contested debate. Given persistent beliefs in individual anonymity and doubts as to whether any one business was of sufficient interest to attract would-be attackers, justifying a firewall purchase or upgrade required a healthy dose of persuasion and available funds. Today, the thought of being without one is uncomfortable and strange.

Why was it once so difficult to convince business leaders of the necessity of a firewall to protect their network infrastructure? Unfortunately, security control procurement efforts frequently seem to align with the five stages of grief.

Stage 1: Denial

At first, security controls appear to be paranoid and without sufficient basis to prove relevant to the current threat environment. Sure, that Advanced Persistent Threat thing sounds like it could be trouble, but I'll worry about it when I start to hear of practical exploits.

Stage 2: Anger

When the need for a given security control is repeated often enough to management, or post-incident lessons-learned processes solidly prove that the proposed control may have prevented the incident, anger ensues. Didn't we already discuss that? Why didn't anybody make that a priority?

Stage 3: Bargaining

As support for the procurement of a security control first gains momentum, questions as to the viability of cheaper alternatives begin. Can we write a script that will do the same thing? Is there an open source solution? Let's pilot it with a smaller user base first as a proof of concept.

Stage 4: Depression

Upon determination that a given security control must be procured and that the processes to support its use will affect daily operations, depression is a common response. We don't have enough resources to manage what we already have…

Stage 5: Acceptance

Once the identified security control is successfully procured and implementation has completed without crippling the business, acceptance follows, along with unspoken wonder as to what the original concern was about. We should get another at our secondary data center!

Too often, resistance to change and insufficient understanding of the risk posed by the absence of a given control result in inaction. To some degree, this may be because security controls are largely perceived as depreciable technology assets, easily confused with other infrastructure of comparable value. Yet in actuality these critical systems are designed to protect organizations and their sensitive information from the risk of compromise.

Learning Opportunities

To better determine whether or not a security control appropriately mitigates organizational risks, an assessment of the current threat environment and of the probability and severity of impact must first be performed. Thereafter, given an analysis of business priorities and risk tolerance, appropriate mitigation strategies may be better determined and the strategic direction made apparent.

The result of such efforts may identify that yet another technical control is needed. However, it may also identify more efficient uses of existing solutions, or a modified process, as providing sufficient mitigation. Should the former be concluded, though, a review of the existing process and control state should be as important as the product analysis used to determine the procurement source.

For example, when the need for a security event manager is identified, quantifying current log review efforts and inefficiencies and forecasting the resulting productivity gains can prove invaluable in supporting the procurement request. Additionally, when the procurement succeeds, analysis of post-implementation metrics to confirm the forecasted gains and baseline performance can provide further comfort to those business leaders who may not have supported the purchase decision at first.

In the end, persistent and qualified communication of a security control's value, as it aligns with business priorities and risk mitigation needs, more easily receives support. With any luck, acceptance is then just around the corner.


Editor's Note: To read more of Peter's thoughts on security, check out Enterprise Security: Your Biggest Risk is You

About the author

Peter Spier
Peter Spier is Managing Director PCI and Risk Assurance at Fortrex Technologies based in Atlanta, Georgia, and an adjunct instructor at the University of Maryland University College. Peter attained his graduate degree from Syracuse University's School of Information Studies and, over the course of more than 15 years' experience, has earned Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM), Project Management Professional (PMP), Qualified Security Assessor (QSA), Payment Application Qualified Security Assessor (PA-QSA), Information Technology Infrastructure Library (ITIL) Foundation version 3, and HITRUST Common Security Framework (CSF) Assessor certifications, among other credentials.