GRC - Why It’s of LIMITED Interest to Me

I wanted to post a “rah rah” message to Rich Mogull when he posted that GRC Platforms Are Dead. He was so spot on, in my humble opinion, that he made me smile for a week or so. I may be a bolshy, arrogant git, but reassurance from smart people is always comforting. Today I checked my RSS reader and spotted another great post on the topic from the Burton Group (story found via Rich’s blog).

It’s no great secret that at Microsoft many product teams spin up similar projects and the very best of Darwinism is allowed to thrive. We are 90,000+ people and there will always be things that aren’t aligned with your way of thinking. It’s natural; we are a big company. When I first joined I didn’t get Darwinism; now I think it’s part of the very essence that delivers the best results, and I have embraced it. Collaborate where appropriate and compete where appropriate. It delivers the best results for our shareholders and customers in the long run.

I often get asked if what we are doing in the Connected Information Security Group (the team I run) is like “this project” or like “that project”. The answer so far has always been no, and I often end up explaining the problem we are solving, the approach we are taking and why it is different. This conversation usually involves describing the narrow slice of Information Security that I believe is GRC (see the posts above from Rich or the Burton Group, despite what the marketers will tell you). I use these three slides to explain the problem space we are focused on.

[Slides: Connected Information Security Framework Master - Short Pitch 1, 2 and 3]

Essentially we are focused on connecting People, Process and Technology. It’s about building a framework and applications on which you can run a corporate information security program. I call this an Information Security Business Process Management System (or ISBPM if you need an acronym). We will be running our own program at Microsoft on the platform first, as it emerges over the next few years, so we will be eating our own dog food. It’s what’s referred to as IT Integrity, and it is not just important, it’s considered critical.

At this point some people will be getting hung up on the boxes around the edge and the taxonomy in the graphics above. I defer to the next image. It’s all about the framework!

[image]

Focusing on developing a technology framework from which people can build faster, better and cheaper security management solutions is critical for several reasons, including:

1. Ensuring that solutions can be built which are aligned to support the business, rather than requiring the business to realign to fit the software. This is often the case with GRCs, or “Security Departments in a Box” as I like to call them.

2. No two security programs are the same, nor should they be. That’s because no two businesses are the same.

3. If anyone thinks they understand the exact requirements for a system to power their business today, then I think they are marginally delusional. Even if they did, the business will be different at this time next year. It’s about flexibility, adaptability and extensibility.

4. Security solutions for tomorrow should build on and connect to existing business infrastructure, not replace it with security stovepipes.

It’s all about the framework!

I could go on and I will when we open our blog for the Connected Information Security Group in a few weeks. We may even show a proof of concept or two and a few humorous videos!


4 Comments on “GRC - Why It’s of LIMITED Interest to Me”

  1. rybolov Says:

    Hi Mark

    Going a step beyond “It’s the Framework”, I would like to offer “It’s all about the intent” which determines the framework. That’s why not to trust the GRC guys–they don’t “feel honest”.

  2. Andre Gironda Says:

    Um… one word: AWESOME

  3. mcurphey Says:

    Michael,

    Sure. Intent is key. We are building a system to run a corp security program effectively and efficiently. That translates into helping the team do things better, faster or cheaper.

    I am not sure what GRC is about apart from gathering data, which in many circumstances is data for themselves. It will be interesting to watch how it shapes out. My colors are nailed to the flag at this point!

  4. jeremy wilde Says:

    There’s a difference between data and information, right? GRC is supposed to gather evidence, and the evidence is information that people can use to base key business decisions on.
    So hopefully you are now clear on what the data collection exercise is for GRC.
