Big targets are easier to hit
Some security leaders get caught up in the service professional's dream of delivering just the needed service at the bare minimum cost. That's a fool's dream when you have more than a handful of requirements. You'll end up nickel-and-diming your staff, straining budgets, and letting your customers dictate your priorities. Worse yet, every additional security requirement you try to tailor increases the chances of a security failure.
I'm not saying you shouldn't deliver the service level the customer wants. I'm saying it's OK to meet that promise by overdelivering for some and just meeting it for others. By creating security bands, you become the leader again.
If you have an unmanageable number of security requirements, review the various requirements: response times, availability, security permissions, domain separation, backup storage, anti-malware, hardening, and so on. Find the components that are common to the various requirements and note the different values under each component. Then group the requirements into a handful of security bands. Each band should indicate the minimum level of security that will be delivered. Document each security band so that you can hand customers and managers a single page listing the bands and their service level agreements. Group every existing client or application you have into a security band. When new clients or applications come on board, ask the owners to pick a security band.
Try hard to avoid making one-off security bands for clients or applications that need just one change. You may think you're being accommodating, but you will just end up re-creating the structure you worked so hard to get away from.
This story, "Win the security numbers game," was originally published at InfoWorld.com.