There probably isn’t a more consistent theme we write about than the alignment of IT security with business goals: Understand your business first, then build your security empire to support and protect the business; lofty goals and heady stuff for sure.
I’m as guilty as anyone of writing stuff centered on the notion of alignment. But maybe that’s too abstract a notion? Maybe it’s the word “goals” that’s off? Maybe we should be writing about the alignment of security with business mandates? The goal of most, if not all, businesses is to make money. And IT security leaders certainly don’t call the shots inside an enterprise. You’re told what to do, what to buy and when to buy it. If your CIO or CFO says your top priority is SOX compliance, guess what’s at the top of your to-do list every day?
It’s easy for those of us who are journalists or industry experts, like last week’s panel at InfoSecWorld, to wedge ourselves onto a lofty perch atop that ivory tower and pontificate about what those who hold actual enterprise security management titles should be doing with their programs, policies and buying decisions. But how often is it realistic for a CISO to march into the CFO’s office, stomp their feet and hold their breath until they turn blue or until the CFO signs off on a major overhaul of the perimeter security investments someone else made 10 years ago?
Ideally, those things should be overhauled because they don’t work anymore. But the Titanic couldn’t turn on a dime 100 years ago, and neither can big business today. Other priorities that make money get the attention of business decision makers before budgeting for the latest and greatest security widget is stamped “approved” by the CFO or CEO.
Taking shots at security managers who are handed a budget that essentially maintains the status quo does nothing to advance the industry. Taking shots at security managers who have no choice but to listen to auditors first does nothing to advance the industry.
Ideally, yes, alignment of security and business goals is awesome. You do need to know how and why your business makes money. You do need to prioritize your efforts in that direction. You do need to understand who your adversaries are and what tactics they’re using to penetrate your defenses. But at the end of the day, if your boss tells you to do something that keeps you from being idealistic, that doesn’t necessarily mean you’re not a leader or not a good security manager. It just means you’re employed.