What does it really mean to be aligned to the business mission?
- Advosec

- Aug 5, 2020
- 3 min read
"The truth about information security alignment is that it requires an enormous amount of work to accomplish"

Information security programs have struggled with this one for years. They are told the program needs to be aligned with business operations and the mission. It sounds good, and it's the right thing to do, but many fail to understand what it actually means. Does it mean that if your organization's mission is to be world-class, your program should also be world-class? If the mission is to deliver innovative products and services, should your program align and be innovative as well? These are some of the questions that arise when security and IT leaders take the important step towards business alignment.
The truth about information security alignment is that it requires an enormous amount of work to accomplish. To be truly aligned with the business means the program is doing more than advertising mission statements and slide presentations that say so. It's important to keep in mind, however, that alignment with the business shouldn't be an option or a point of differentiation for security programs. Alignment is a requirement to deliver security properly within an organization, and quite simply, there is no other way to match the success a program and organization will gain from it.
Let's look at an example organizational model and mission and what real business alignment would look like:
ABC Company is a privately held organization manufacturing medical equipment. It is a 250-employee organization realizing over 250 million in annual revenue. The mission is to develop world-class medical-grade equipment and to empower people to live healthier lives.
ABC Company recognizes the risk in not having a dedicated cybersecurity team and invests in a mix of full time staff and outsourced consulting services. So where do we start?
How does the business make money
The first question every security program should be asking is "how do we really make money?" In the case of ABC Company, it's through cost-effective manufacturing and wholesale to medical equipment distribution organizations. This is important information for a security program, as we now understand that adding unnecessary complexity to manufacturing processes and client relationship interactions does not align with the mission of this business.
Governance
The topic of governance tends to be vague, overused, and difficult to get a straight answer on. In the context of business alignment, however, governance is extremely important. We're talking about a quarter-billion dollar organization here. Building security policies and making programmatic decisions in a vacuum will fail in extraordinary fashion. To remain aligned, a program needs to build executive committee and/or task-force models throughout the organization. These committees should be used to let the business set the direction of the program. If executed correctly, this gives business leaders skin in the game and a sense of program ownership.
Business Enablers
Security and enabling the business are not topics typically discussed together. In fact, most people trying to enable the business are concerned that security standards may make it impossible to do so. This is a problem that must be solved by all programs. We now know the mission of ABC Company and how it makes money. With that information, a program has enough to start developing a strategic plan that not only introduces a high level of security, but also enables business operations while doing so. This is your program's chance to prove to business leadership that you understand the bottom line and where security fits within it. Use internal and external evidence to guide your planning and ensure that no implementations are in direct conflict with accomplishing the mission. If a necessary business practice introduces risk, find a better way to accomplish the same mission safely before removing what's in place today.
Stakeholder Relationships
Developing relationships within an organization can happen organically over time, but security leaders and consultants also need to pursue them proactively when the opportunities exist. Business leaders should spend enough time with you to make sure you understand their challenges, and that they understand your intent and strategy to empower them through safe technologies and processes. It's your job to extend the olive branch to your business leaders in order to gain their trust, advocacy, and partnership.
Being aligned with the business mission takes time and significant investment for security programs. It is more than a written statement; it is entirely a product of evidence accumulated over years of work building relationships, implementing enabling safeguards, and strategically planning alongside the leaders responsible for executing on the overall mission of the organization, in order to keep driving the bottom line in a positive direction.
For more information, please contact info@advosec.com