Why Business-Aligned Cybersecurity Means Less Cybersecurity
And Why That’s Just Fine
As the cybersecurity profession matures, security leaders are scolded that their cybersecurity program needs to be more “business-aligned”. This seems to flummox security leaders, who are usually operating with the best interests of the company in mind (“I’m only saying ‘no’ to protect you from yourself”). There is also the small problem that the business is often not interested in being “security-aligned” — which feels like a bad ’80s movie. But I digress…
I agree that aligning security to the business means a better security outcome for everyone. Yet few security leaders are taught how to make that happen. Even fewer understand that in order to make it happen, they and their team will spend less time doing security work and more time helping the business be, well, the business.
First Step: Understand the Business
Before you even begin your security role, as a leader or even as an entry-level worker, you must know the kind of business you’re working in and what that will mean for the security function. Financial services is a lot different from healthcare or retail; large organizations do security completely differently than start-ups; companies with years of existence have much technical debt that needs…