Does your Security Program align with the organization's goals?

Sunday, October 11, 2009

Sean Inman


Do you know the GOALS of your organization? Why does the organization exist? What is the organization's purpose? Even if you work for a "security company," the organization's main goal is not going to be security (or at least it shouldn't be). The main goal of most private-sector companies is to make money. In most companies, providing security doesn't make money; it's an operational expense or an investment. All activities of the company should be moving it toward its goal of being profitable.

My impression is that many security professionals lose sight of their company's goals. It's happened to me. I've gone through the motions of securing things without asking how the work moved the company toward making money. In my enthusiasm for security, I've been guilty of non-productive activities that could have harmed my company. Security professionals live in a world of trade-offs. Too much protection and our people can't be productive. Not enough and the business takes on too much risk, which also hurts productivity. With the right balance, we can move the company toward profitability. The challenge is determining that balance. Here are three tips for maintaining a balanced security program that will meet your organization's goals:

1. Know the goals of the organization. You need to collaborate and ask questions to determine what makes your organization tick. Understand how it makes money. For a public-sector or non-profit organization, find out the reason for its existence. If you don't understand your organization, how can you properly secure it?

2. Know the risk appetite of the organization. This step is about understanding how much risk the organization is willing to accept. That is a business decision, not a security decision, and it should be based on the organization's goals.

3. Create a security program based on the organization's goals and risk appetite. Your security program should move the organization toward productivity and making money, not away from it. The protections you recommend, implement, and maintain should always be driving the organization toward its goals, and they should stay in line with its risk appetite.

In everything you do, ask yourself, "Is this moving us toward or away from our goals?" If it's away, reconsider your actions. The security protections you have in place may seem appropriate in your mind, but are they really right for the organization? This can be a humbling experience, but it can also win you a lot of respect when you're willing to compromise. If you remember The Goal, your security program will go far.

Phil Lambert

Interesting thoughts. This, of course, is one of the biggest challenges for both IT and IT Security. Both IT and IT Security are internal "overhead" roles in most organizations, so their customers are always internal line-of-business staff. As with any job, the days begin to blur, and the challenges that arise begin to change the perspective on the customer from "customer" to "problem creator." At this point the IT or IT Security organization is no longer aligned with the business.

From the business side, this is when you start hearing statements such as "IT (or IT Security) is not a team player," "they don't understand our business," "what value does IT or IT Security bring to our business?" and "would we have better results if we outsourced?"

A prudent leader will recognize this as a problem and re-focus his or her team. There are tons of books, papers, and frameworks that talk about the importance of aligning IT and IT Security with the business, but this is where my personal beliefs begin to conflict with the experts.

It isn't enough to understand how to lay out a strategy, partner with the business, establish IT steering committees, or implement industry-recognized frameworks. These are all great activities that bring value and have their place, but there is a cultural shift that must occur within IT and IT Security.

That shift is to begin viewing themselves as part of the business, the same as HR or Legal. IT and IT Security are subject matter experts whose purpose is to assist the business in the areas of IT and IT Security. This means that when a new business requirement arises, instead of saying "No, it won't work," it is incumbent and imperative to respond with "Yes, it can be done, but we must do it in this manner" to ensure our mutual success.

The problem with saying yes is that it entails ownership, and that results in additional work and potential blame when things go wrong. This is where the above-mentioned frameworks and teaming become crucial, because then the business will assume ownership with you, since IT and IT Security were "working together" to satisfy the business requirements.

Personally, if I am going to get blamed for a problem, I prefer that blame to come because my team provided direction, executed the plan, and assisted the business in moving forward but didn't achieve the success we expected, rather than because we said no and the business blamed us for not trying to help them.

Just my .02.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
