Is your security program business aligned?
Building a security program without being aligned with the business occurs when teams get disconnected and start operating outside the context of the business goals. It’s like a ship navigating without GPS - it might be moving, just not necessarily in the right direction.

Understanding where to focus your efforts means understanding what will drive the outcomes that make the most meaningful impact on your business’s goals.
1️⃣ Learn how the business’s goals map to the work of other leaders across the company. Businesswide goals rarely map directly to security efforts.
“Prevent hacking” isn’t likely to be a business goal any more than “Ensure employees get paid” or “Make sure the logout button works”. As a leader, you’re expected to take company-wide goals, your knowledge of the security domain, and the context of the business and its operations, and synthesize them into a strategic plan.
2️⃣ Educate others on the importance of resilience to business goals. A narrow view of “security” doesn’t cut it anymore. We need to ensure resilient systems, able to adapt to failures regardless of whether they’re from security incidents or something else. Kelly Shortridge has done tons of amazing writing on this topic. The shift involves adopting a holistic perspective that encompasses the interactions between the systems that make up the entire organization.
3️⃣ The bread and butter - Risk assessments and threat modeling. Based on what you learn about how the goals relate to the various systems, processes and work, you have a higher-fidelity feed for whatever framework you use to assess the risks to those goals: how they might materialize and how you can reduce their impact.
4️⃣ Mapping to projects and efforts - You’ve learned the goals, how they map to work and priorities, and you’ve thought through how they could break or fail. Now’s the time to translate it into your strategy and plans. Look for ways to address upstream root causes and don’t fall into the trap of attending to symptoms.
What are the leading indicators of success and how will you move them?
🔁 Repeat! Incentivize ongoing communication and circular, free-flowing feedback between the security team and other parts of the business as a top priority.
Alignment is a continuous process, not an endpoint. Teams need to always be considering what they’re building, how they build it and why in the context of the business at large. An aligned security program is not just a set of generic best practices but a tailored strategy that best supports key business goals.
❓ How do you keep your teams aligned with business goals?