March 2012 - BMIS: Business Model for Information Security


As the ever more dramatic failures of information security continue unabated, security professionals struggle to balance protection with entrepreneurial risk-taking in a complex, evolving threat landscape. It has become abundantly clear that current methods of controlling risk have proven inadequate and that there is a gap between the management of information assets and the people who use them. Current security frameworks do not address issues such as culture, human factors, and rapid change. Security professionals need a more effective method to manage enterprise information assets.

Information security has become the business unit responsible for the most important asset that an enterprise holds: its corporate information. While the transmission, integrity, and availability of that information are critical in conducting global business, its protection is equally important.

The Business Model for Information Security (BMIS) applies a systems approach to present a holistic, dynamic solution for designing, implementing, and managing information security. As an alternative to applying controls to apparent security symptoms in a linear cause-and-effect pattern, BMIS examines the entire enterprise system, allowing management to address the true source(s) of problems, while maximizing elements of the system that can most benefit the enterprise.

By studying the significant factors that introduce uncertainty and correlating them to understand actual organizational needs, BMIS complements any framework or standard already in place. It will assist enterprises in effectively managing information risk to minimize threats and ensure the confidentiality, integrity, and availability of information assets, while harnessing those assets to create value.

In this presentation, we will explore BMIS and its relevance to the practice of information security, as well as some practical implementation approaches.


Krag Brotby, CISM, CGEIT

Krag Brotby has thirty years of experience in the areas of enterprise computer security architecture, governance, risk, and metrics. He is certified as a CISM® and CGEIT®, is approved as a SANS GSLC, and was the first CISM trainer. He has developed a number of related courses in governance, metrics, GRC, and risk, and has trained thousands on five continents during the past decade.

He has served on the ISACA Security Practice Development Committee, was appointed in 2008 to the Test Enhancement Committee responsible for test development, and served on a new committee developing a systems approach to information security, called the Business Model for Information Security (BMIS). Krag is the recipient of the 2009 ISACA John W. Lainhart IV Common Body of Knowledge Award for noteworthy contributions to the information security body of knowledge for the benefit of the global information security community. He currently serves on the ISACA QAT committee.

Krag's experience includes intensive involvement in current and emerging security architectures, IT and information security metrics, and governance. He holds a foundation patent for digital rights management and has published a variety of technical and IT security-related articles and books. He has served as principal author, editor, researcher, and/or contributor to the following publications:

  • ISACA Certified Information Security Manager Review Manual, since 2005;
  • The widely circulated Information Security Governance: A Guide for Directors and Executive Management, 2nd ed.;
  • Information Security Governance: Guidance for Information Security Managers;
  • A New Approach to Information Security Management Metrics, Auerbach, 2009;
  • Information Security Governance: A Practical Development and Implementation Approach, Wiley, 2009;
  • A new book, Pragmatic Security Metrics: Applying Metametrics to Information Security, due for release in Spring 2012.