Among challenges faced by information security teams, one of the most common is how best to align the security program with the larger business. While everyone comes together around the idea that security breaches are bad, balancing the costs of preventing them against other enterprise priorities is a trickier proposition. Unified stakeholders often diverge when forced to choose between security and other values like profitability or ease of use. It gets even harder when organizations struggle simply to agree on how risk should be defined or what acceptable security risk really means.
Since all security programs depend upon business owners for resources, cooperation, and support, it's in every CISO and security manager's best interests to be able to translate the benefits of security into the language of enterprise strategy. That means outreach messaging designed to do more than just scare the pants off everyone. FUD tends to be a self-defeating tactic over time. The audience either grows numb to it, or begins to actively resent the security team as a "party of no!" that only exists to make life harder for everyone. When security is seen as an adversary and not a business partner, half the battle is lost.
Three Tools for Security Strategy
For security programs exploring how to articulate their business value more effectively, several readily available tools can help. Three that I use with clients are the GQM method, logic modeling, and the Business Model Canvas. Each has a different approach, but all can support efforts to engage business stakeholders.
I discovered GQM while researching my first book, IT Security Metrics. GQM grew out of software quality engineering, and even after several decades it remains an elegant, powerful tool for balancing strategy with execution.
Conceptually, GQM is pretty simple. You start with strategy, and a goal you wish to achieve. For instance, maybe you want to eliminate all network vulnerabilities. To demonstrate you've met that goal, you'll need to answer some questions, like:
- How many vulnerabilities are there on the network today?
- How do we decide when a vulnerability has been eliminated?
- Who is responsible for eliminating these network vulnerabilities?
- ...and so on...
Data and metrics are required in order to answer these questions. They may show:
- 100 vulnerabilities exist today
- A vulnerability is considered eliminated when a patch or control has been implemented
- One program manager owns the overall vulnerability tracking and remediation process
GQM reduces uncertainty about strategic execution while driving strategy improvement. The process usually triggers more questions, like "How severe are those vulnerabilities?" or "Can one person really manage this alone?" As more data is analyzed, the strategy gets more refined.