Why Business-Aligned Cybersecurity Means Less Cybersecurity

And Why That’s Just Fine

Helen Patton
7 min readSep 5, 2022

--

As the cybersecurity profession matures, security leaders are scolded that the cybersecurity program needs to be more “business-aligned”. This seems to flummox security leaders, who are usually operating with the best interest of the company in mind (“I’m only saying ‘no’ to protect you from yourself”). There is also the little problem that the business is often not interested in being “security-aligned” — which feels like a bad 80’s movie. But I digress…

Actor John Cusack, standing holding a boombox overhead, from the movie “say anything”
From RedBubble.com

I agree that aligning security to the business means a better security outcome for everyone. Yet few security leaders are taught how to make that happen. Even less understand that in order to make it happen, they and their team will spend less time doing security work, and more time helping the business be, well, the business.

First Step: Understand the Business

Before you even begin your security role, as a leader or even as an entry-level worker, you must know the kind of business you’re working in, and what that will mean for the security function. Financial services is a lot different than healthcare or retail; large organizations do security completely differently than start-ups; companies with years of existence have much technical debt that need different security skills; manufacturing security is not the same as a software development company; B2C companies have different drivers than B2B companies; the amount of regulation or the company location matters. From the outside looking in, you can make assumptions about the size of the security team, the kind of security being done, the maturity of the rest of the organization, and other factors that will drive what and how security will be. If your company is publicly traded read the quarterly and annual financial reports and see how much cybersecurity is mentioned (with changing SEC rules, you can expect more mentions than there used to be).

Some companies will offer training for “front line” activities for people who aren’t usually on the front lines. Take advantage of that training so you know what your security program means to your customers.

Once you arrive you can really get into the details. If you’re a CISO, talking to…

--

--

Helen Patton

Written by Helen Patton

1.2K Followers

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange

More from Helen Patton

See all from Helen Patton

Recommended from Medium

Lists

Kim Scott Radical Candor

How to Give Difficult Feedback

7 stories202 saves

How to Lead Well as a New Manager

14 stories208 saves

How to Run More Meaningful 1:1 Meetings

11 stories149 saves

Intro to People Ops: Not Your Mama's HR

8 stories25 saves
See more recommendations

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Text to speech

Teams