How to Align Your Security Strategy with Your Business Goals
Information Security Business Alignment: 3 Key Elements to Keep in Mind
Aligning your cybersecurity posture with your overall business objectives is essential to protect your business against breaches and intrusions. Security leaders are charged with implementing impactful and effective cybersecurity strategies that improve the organization’s cybersecurity posture.
How can you improve your cybersecurity defenses in practical terms? It all starts with understanding, defining and eventually aligning the relationship between your core business functions, IT assets and data.
How Business Functions, IT Assets and Data Work Together
By taking a closer look at how these elements are interrelated, it will be easier for you to decide which security controls you should implement for each of them:
- Business functions rely on IT assets
- IT assets generate data
- Data supports business functions
As an executive, you are responsible for implementing security controls for business functions, IT assets and data. You will have to face internal and external risk and rely on best practices to protect your business functions, IT assets and data against breaches, intrusions and theft.
Only when security initiatives are aligned throughout the organization can you strengthen your cybersecurity posture, protect your critical assets and applications against breaches, theft and intrusions, demonstrate that your security initiatives are effective and maximize your return on investment.
A business function is a process or operation that is performed routinely to carry out a part of the mission of an organization. Examples include R&D, Sales, Marketing, HR, Finance, Purchasing, Manufacturing etc.
We need security controls to protect business functions, which are typically based on governance, management, policies and planning.
- Frameworks: They relate to the norms of the International Organization for Standardization (ISO), such as ISO 38500 for governance, ISO 31000 for business continuity management and ISO 22301 for risk, and COBIT 5.
- Related Services: Governance, Management Roles & Responsibilities, Business Continuity Planning, Crisis Management Planning, Risk Management Planning
IT assets include all elements of hardware and software used in the course of business activities and in the IT environment. Examples include operational infrastructure, routers, switches, servers and server components, desktops, mobile devices, backup devices etc.
Security controls for IT assets are very different from security controls for business functions. You will have to evaluate whether your IT assets are vulnerable to threats and, if so, to what extent:
- Frameworks: Here, you will be able to assess vulnerabilities based on the OWASP Top 10 or CVSS.
- Related Services: Vulnerability Scans, Penetration Testing, Social Engineering
Also, you will have to implement certain security controls in addition to the vulnerability-related evaluation:
- Frameworks: Security controls for IT assets relate to norms such as ISO 20000, ISO 270xx, SANS CIS 20 Critical Security Controls, PCI DSS, NIST, COBIT 5, etc.
- Related Services: To protect your IT assets, related services include InfoSec Management Systems (policies & processes, procedures & standards, roles & responsibilities), Security Architecture Reviews, Threat Modeling, IT Disaster Recovery Planning, Security Incident Planning, Security Metrics and Dashboards etc.
By definition, data is a collection of facts (numbers, words, measurements, observations, etc.) that has been translated into a form that computers can process. In today’s digitalized world, businesses use increasingly large amounts of data to carry out their activities and influence their strategic decision making.
Even with all these security controls in place, you still need to protect your data and deal with data breaches. Ideally, organizations should have defined processes in place to monitor their environments continuously and respond to security incidents when needed. In fact, the work is not over once all security controls have been implemented. It’s one thing to understand your enterprise information security; it’s even better to align all your security controls across business functions, IT assets and data, so that you can identify what works and defend what’s critical to your business.