Security Capabilities

Being Capable

We talk a lot in security world. Most of the time we seem to talk about all the possibilities when we need to talk more about what we can actually do.

What are we capable of doing? We do we need to be capable of doing?

Being Capable with Capabilities

When we want to talk with our partners, whether those partners are business-related, very technical or just your managers, you need some consistent way to describe what security does. So many times we use a dozen terms that are all intermingled and ill-defined.

One way to bring some consistency to your communications, to your planning and even to your budgeting process is to use a capabilities map. By defining what you do and using those definitions across the board you can eliminate one source of confusion.

So what is a capability?

TOGAF says that a capability is

An ability that an organization, person, or system possesses. Capabilities are typically expressed in general and high-level terms and typically require a combination of organization, people, processes, and technology to achieve. For example, marketing, customer contact, or outbound telemarketing.

Most of the time capabilities are strictly business related but they can also be put in a different contexts. We can use them to describe what a security organization does or even what a functional area does within a larger organization. At its most basic level a capability is what you do but not how you do it.

An Example

A security organization may put together a capabilities map in order to determine where it needs to invest in order to meet the challenges of the day or to help deliver secure business requirements. The same map can be used across all areas of the business. The leaders and stakeholders can all discuss security and risk using a consistent view.

That is all a capabilities map really is. It is a view of the business or domain. If I bring up the ‘A’ word, Architecture, for a moment I would say that capabilities are a first step in determining a conceptual view of your area.

Start with a list of WHAT you provide:

  • Creating IDs
  • Resetting passwords
  • Managing access control
  • Configuration management

After you make a first pass try to group similar capabilities. Once you have a several items try to group them.

  • Identity and Access Management
    • Creating IDs
    • Resetting passwords
    • Access control
  • Network Security
    • IDS/IPS
    • NAC
  • Configuration

Spend some time determining the minimum number of groups. Concentrate on building out the first two layers of your capabilities. We will call the top layer Level 1 Capabilities and the next layer down Level 2 Capabilities.

  • Identity and Access Management
    • Manage Access Control
    • Manage Identity Lifecycle
  • Provide Infrastructure Security
    • Provide Boundary Protection
    • Manage Configuration

We can make our list more presentable too.



So what is a capability?

  • They are WHAT you do
  • A capability may include people, processes and technologies
  • They are part of a terminology and taxonomy
  • They can be represented with a picture
  • They can be represented with a list
  • Multiple levels of capabilities can be used to represent varying levels of complexity

Much more importantly what can we do once we have built a capabilities map.

  • A map provides a common picture to be used in communicating
  • The common terminology and views can help guide objectives and strategy
  • They can be a common thread through your maturity models, gap analysis, and roadmaps
  • You can easily see and communicate where you are investing your resources

Next Time

In Part II we will look to continue building out our example set of capabilities for a security organization. It would also be a good time to investigate why you can’t just reference all the other frameworks out there like ISO 27001, (ISC)2, or even SABSA.

comments powered by Disqus