“There is of course continuous pressure to extend BYOD (bring your own device to work) access across our estate, and we are struggling to achieve an architecture which will allow us to deploy popular applications like Outlook Web Access for 3rd party devices whilst still achieving 2FA and without impinging on the integrity of our service platforms – not so much because of the technical challenges of slicing and dicing security configurations in VMware etc. as trying to second-guess how the business and our other tenants will appropriate the processes we encourage them to implement.” – Conn Crawford, Sunderland City Council
In the cyber environment, the balance between benefit and harm so clearly articulated by Francis Maude can be found at the organisational level as well as at the national and global levels. Cyber space enables many opportunities and provides an environment in which businesses can diversify and tailor their services. At the same time, this range of opportunities also creates critical vulnerabilities that can be attacked or exploited. In order to protect their estate, security managers combine organisational, physical and technical controls to provide robust protection of information assets. Control lists such as the one found in Annex A of ISO 27001 have long acknowledged the need for all three types of control, but no security management methods are available to combine them systematically. In the complex cyber environment, a security manager has limited visibility of technical, physical and organisational compliance behaviours and controls, and this makes it difficult to know when and how to select and combine controls.
Research has, to date, not been undertaken to understand how a security manager selects the appropriate combination of controls. In addition, risk management techniques do not include visualisation methods that can present a combined picture of organisational and technical asset compliance behaviours. This problem is exacerbated by the lack of systematic research into the cultural and organisational techniques used by security managers, which results in limited guidance on cultural and organisational approaches to security management.