Why Business-Aligned Cybersecurity Means Less Cybersecurity

And Why That’s Just Fine

Helen Patton
7 min read · Sep 5, 2022

As the cybersecurity profession matures, security leaders are scolded that the cybersecurity program needs to be more “business-aligned”. This seems to flummox security leaders, who are usually operating with the best interest of the company in mind (“I’m only saying ‘no’ to protect you from yourself”). There is also the little problem that the business is often not interested in being “security-aligned” — which feels like a bad ’80s movie. But I digress…

[Image: actor John Cusack holding a boombox overhead, from the movie “Say Anything”; source: RedBubble.com]

I agree that aligning security to the business means a better security outcome for everyone. Yet few security leaders are taught how to make that happen. Even fewer understand that in order to make it happen, they and their team will spend less time doing security work, and more time helping the business be, well, the business.

First Step: Understand the Business

Before you even begin your security role, as a leader or even as an entry-level worker, you must know the kind of business you’re working in, and what that will mean for the security function. Financial services is a lot different from healthcare or retail; large organizations do security completely differently than start-ups; companies with years of existence have much technical debt that need…

Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange