
Managing for Enterprise Security

Technical Note
In this 2004 report, the authors itemize characteristics of common approaches to security that limit effectiveness and success.
Publisher: Software Engineering Institute

CMU/SEI Report Number: CMU/SEI-2004-TN-046

DOI (Digital Object Identifier): 10.1184/R1/6575252.v1

Abstract

Security has become one of the most urgent issues for many organizations. It is an essential requirement for doing business in a globally networked economy and for achieving organizational goals and mission. But it is no small task. The technical and environmental complexity of today's organizations and the ever-increasing dependence on technology to drive and automate processes and create competitive advantages make security a challenging activity. Adding to this complexity is a growing list of vulnerabilities and increasingly sophisticated threats to which organizations are subjected on a daily basis. 

Organizations can no longer be effective in managing security from the technical sidelines. Security lives in an organizational and operational context, and thus cannot be managed effectively as a stand-alone discipline. Because security is a business problem, the organization must activate, coordinate, deploy, and direct many of its existing core competencies to work together to provide effective solutions. And to sustain success, security at an enterprise level requires that the organization move toward a security management process that is strategic, systematic, and repeatable—in other words, efficient at using security resources and effective at meeting security goals on a consistent basis. Managing for enterprise security defines a disciplined and structured means for realizing these objectives. 

This report presents the interim results of work done by members of the Networked Systems Survivability Program at the Software Engineering Institute in exploring these issues. The authors offer a view of the changing environment in which security must be performed and, from their field work and research, itemize characteristics of common existing approaches to security that limit effectiveness and success. A "desired state" as a security target for the organization is outlined, and the organizational transformation that the authors believe is essential for approaching security as a business problem is presented. Finally, the authors describe their current work in exploring solutions that they believe will enable this transformation.

Cite This Technical Note

Caralli, R., Allen, J., Stevens, J., Willke, B., & Wilson, W. (2004, December 1). Managing for Enterprise Security. (Technical Note CMU/SEI-2004-TN-046). Retrieved February 29, 2024, from https://doi.org/10.1184/R1/6575252.v1.

@techreport{caralli_2004,
author={Caralli, Richard and Allen, Julia and Stevens, James and Willke, Bradford and Wilson, William},
title={Managing for Enterprise Security},
month={Dec},
year={2004},
number={CMU/SEI-2004-TN-046},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6575252.v1},
note={Accessed: 2024-Feb-29}
}

Caralli, Richard, Julia Allen, James Stevens, Bradford Willke, and William Wilson. "Managing for Enterprise Security." (CMU/SEI-2004-TN-046). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, December 1, 2004. https://doi.org/10.1184/R1/6575252.v1.

R. Caralli, J. Allen, J. Stevens, B. Willke, and W. Wilson, "Managing for Enterprise Security," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2004-TN-046, 1-Dec-2004 [Online]. Available: https://doi.org/10.1184/R1/6575252.v1. [Accessed: 29-Feb-2024].

Caralli, Richard, Julia Allen, James Stevens, Bradford Willke, and William Wilson. "Managing for Enterprise Security." (Technical Note CMU/SEI-2004-TN-046). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 1 Dec. 2004. https://doi.org/10.1184/R1/6575252.v1. Accessed 29 Feb. 2024.

Caralli, Richard; Allen, Julia; Stevens, James; Willke, Bradford; & Wilson, William. Managing for Enterprise Security. CMU/SEI-2004-TN-046. Software Engineering Institute. 2004. https://doi.org/10.1184/R1/6575252.v1