How do you align yourself with the business you are supporting? What value are you creating? These are questions that every CISO should be thinking about on a regular basis. In a typical organization, the CEO has a list of business goals and objectives that trickle down through the chain of leadership. Objectives for IT leaders are usually derived from the CEO's business objectives to support the organization. Understanding the organizational objectives, as well as the personalities of the business leaders, helps in creating and aligning the information security strategy.
Most business objectives fall into one of the following areas:
- Business goals (e.g. increase revenue by X percent, open 20 new retail locations, mobile workforce)
- Industry drivers (e.g. use of mobile apps, video analytics, IoT to monitor and collect data, be compliant with a new standard)
- Internal issues and improvements (e.g. improve response time of banking application)
A successful information security program manages risk while supporting the corporate goals and objectives. Understanding the corporate business objectives is the first step towards achieving this success.
Following are some specific actions that a CISO can take to align his/her strategy with the business objectives.
- Goal Alignment – Find the annual goals and objectives of your CEO. Make sure your strategy and projects are tied to one or more of these objectives.
- Personality Understanding – Understand leadership personalities: their approach towards IT and information security, whether they prefer to build internal resources or rely more on vendors, and so on. Take notes of important personality traits.
- Periodic Review – There may be a periodic review of corporate goals and objectives. Be part of this review and demonstrate how information security is helping to achieve corporate objectives. Risk management and information security budget management can be easily tied to organizational objectives. Schedule a quarterly review meeting for the information security strategy.
- Mutual Cooperation – It is much easier to bundle security objectives with corporate goals. For example, if there is an objective of increasing online business through a redesign of an ecommerce application, you may be able to implement or enhance identity management as part of it.
You can use a mind map like the following to list corporate objectives and tie information security objectives to corporate objectives.