How CISOs Can Align Security Plans With The Business

“The future belongs to the business-aligned security leader,” proclaims Forrester Research. “By 2023, 30 percent of a CISO’s effectiveness will be directly measured on the ability to create value for the business,” concurs Gartner. CISOs should “frame the security agenda along business risks and opportunities, not technical solutions,” advises IDC.

What does it mean for CISOs to be aligned with the business? For many of us, this entails leaving the comfort zone of threat and tech-focused conversations, and instead discussing how the security initiatives support our companies’ business goals. Here’s one way of using this mindset when preparing budget requests or otherwise planning for security advancements.

Business Scenarios and Goals

Start by understanding how your company’s leadership envisions the future. This will likely involve multiple business scenarios, since the uncertainty of economic and geopolitical events make it impractical to reliably predict what will happen. For every scenario, determine what business goals your company will be pursuing. You might come up with a table like this:

Business Scenario	Business Goal
Business stays about the same (baseline)	Support existing customers Maintain current sales activities Release minor product improvements
Business improves	Support existing customers Accelerate sales activities Release major product enhancements
Business worsens	Slow down and cut costs Wait out the downturn
Business pivots	Pursue new markets Adjust products

The table above is an example, so it’s more vague than the wording you will likely produce. The business scenarios and goals for your organization will likely include some baseline scenario that describes the future that resembles your current state. Your table might also include scenarios where the business improves and worsens.

Security Objectives that Support Business Goals

Next, list the high-level security objectives of your program, and link them to the business goals you’ve identified. A single security objective might support multiple business goals, and a single business goal might depend on several security objectives. If initially you’re having a hard time defining direct business-to-security mappings, you can generalize by listing the security objectives needed to support all business goals in each scenario. For example:

Business Scenario	Business Goal	Security Objective
Business stays about the same (baseline)	Support existing customers Maintain current sales activities Release minor product improvements	Maintain the current security posture to: Defend infrastructure Earn customer trust Support R&D security efforts
Business improves	Support existing customers Accelerate sales activities Release major product enhancements	Here you can refer to the baseline and add security objectives to increase the scope of your efforts.
Business worsens	Slow down and cut costs Wait out the downturn	Here you can refer to the baseline and remove security objectives to decrease the scope of your efforts.
Business pivots	Pursue new markets Adjust products	Here you can define the security objectives to support the new business direction.

By associating security objectives with business goals, you allow yourself to explain the reasons for having certain security plans in a way that will make sense to other executives in the organization. If you’re having a hard time linking a security objective to the business goal, then you should evaluate whether you need that security objective.

Security Capabilities in Support of Your Security Objectives

Security objectives are meant to be high-level, strategic goals for the security organization. Once you’ve identified them (and linked them to business goals), it’s time to think more tactically. Which capabilities will allow you to achieve those objectives?

In this context, a capability is a set of tools and/or processes that implement security measures. This is the level at which you should be able to estimate expenses, perhaps as part of your budgeting process. You could describe security capabilities as tasks you need to perform. You can capture these plans in the following sample table, which adds to the details discussed above the Security Capability column.

Business Scenario	Business Goal	Security Objective	Security Capability
Business stays about the same (baseline)	Support existing customers Maintain current sales activities Release minor product improvements	Maintain the current security posture to: Defend infrastructure Earn customer trust Support R&D security efforts	Manage access controls Handle vendor security reviews Collect and review security events Maintain security policies Conduct security assessments Understand compliance requirements Address customers’ security questions Provide security feedback on product design
Business improves	Support existing customers Accelerate sales activities Release major product enhancements	Here you can refer to the baseline and add security objectives to increase the scope of your efforts.	Here you can refer to the baseline and add security capabilities to support additional security objectives.
Business worsens	Slow down and cut costs Wait out the downturn	Here you can refer to the baseline and remove security objectives to decrease the scope of your efforts.	Here you can refer to the baseline and remove security capabilities based on which security capabilities are removed from the scope.
Business pivots	Pursue new markets Adjust products	Here you can define the security objectives to support the new business direction.	Here you can adjust the security capabilities according to the corresponding security objectives.

This is just an example, of course. Your plans for maintaining, adding, or removing security capabilities will be specific to your organization. If using a table to capture this information feels awkward to you, you might prefer the more visual approach facilitated by a mind-mapping tool to create a diagram like this for every business scenario:

Mind Map Business Stays the Same (Baseline)

Now that you’ve linked security capabilities to security objectives and business goals, you can have insightful, business-focused conversations with executives and other stakeholders about the value that the security program brings to the organization.

You can also explain the effects on the business of deciding not to fund some of the security capabilities. For instance, in the sample baseline scenario above, decreasing security assessment funding would weaken your ability to defend infrastructure, which would jeopardize your ability to support the business goal of supporting existing customers.

Business-Centric, Rather than Threat-Centric Security Planning

The details behind your security capabilities will be informed by your understanding of the threat landscape. You’ll need to anticipate attackers’ advancements and determine what security measures will allow you to reach the expected maturity levels of your defenses. However, if you try to hold threat-centric discussions with people outside of the security organization, you’ll probably struggle justifying your plans.

Instead, align your security plans with business goals and speak in terms that other executives in your organization understand. You’ll be a business-aligned security executive appreciated for creating value for your company. Do this, and the future will belong to you.