Among challenges faced by information security teams, one of the most common is how best to align the security program with the larger business. While everyone comes together around the idea that security breaches are bad, balancing the costs of preventing them against other enterprise priorities is a trickier proposition. Unified stakeholders often diverge when forced to choose between security and other values like profitability or ease of use. It gets even harder when organizations struggle simply to agree on how risk should be defined or what acceptable security risk really means.
Since all security programs depend upon business owners for resources, cooperation, and support, it's in every CISO and security manager's best interests to be able to translate the benefits of security into the language of enterprise strategy. That means outreach messaging designed to do more than just scare the pants off everyone. FUD tends to be a self-defeating tactic over time. The audience either grows numb to it, or begins to actively resent the security team as a "party of no!" that only exists to make life harder for everyone. When security is seen as an adversary and not a business partner, half the battle is lost.
[ MORE ON CSO: The things end users do that drive security teams crazy ]
Three Tools for Security Strategy
For security programs exploring how to articulate their business value more effectively, several readily available tools can help. Three that I use with clients are the GQM method, logic modeling, and the Business Model Canvas. Each has a different approach, but all can support efforts to engage business stakeholders.
I discovered GQM researching my first book, IT Security Metrics. GQM developed out of software quality engineering and even after several decades it remains an elegant, powerful tool for balancing strategy with execution.
Conceptually, GQM is pretty simple. You start with strategy, and a goal you wish to achieve. For instance, maybe you want to eliminate all network vulnerabilities. To demonstrate you've met that goal, you'll need to answer some questions, like:
- How many vulnerabilities are there on the network today?
- How do we decide when a vulnerability has been eliminated?
- Who is responsible for eliminating these network vulnerabilities?
- ...and so on...
Data and metrics are required in order to answer these questions. They may show:
- 100 vulnerabilities exist today
- A vulnerability is considered eliminated when a patch or control has been implemented
- One program manager owns the overall vulnerability tracking and remediation process
GQM reduces uncertainty about strategic execution while driving strategy improvement. The process usually triggers more questions, like "How severe are those vulnerabilities?" or "Can one person really manage this alone?" As more data is analyzed, the strategy gets more refined.
GQM helps security teams avoid two common traps. In the first trap, strategy execution rarely gets measured. Without metrics, "No more network vulnerabilities" is more prayer than strategy. In the second trap, measurement doesn't support strategy. In security it's often easier to log events than to analyze them. But collecting data for no purpose is inefficient at best. At worst, it increases risk, especially when those data hoards may be legally discoverable.
Logic Modeling comes from monitoring and evaluation, a process discipline used by governments and large NGOs. If you're attempting something like improving public access to education, or reducing a water borne pathogen, you'll submit a logic model to the sponsor organization before getting support.
In essence, logic modeling is visual hypothesizing. You may believe a certain intervention (e.g. making more knowledge publicly available, or supplying at risk communities with water filters) will have a positive effect. That's your hypothesis: you do something and expect to get something. A logic model maps do's and get's by dividing them into formal inputs, outputs, and short and long term impacts. Consider the Wikimedia Foundation's program logic model.
Logic models can add value for security teams because security is an inherently interventionist process. Most initiatives pushed by a CISO are designed to effect a change. They rely on a hypothesis: "if we do X, we get Y..." That hypothesis can be tested empirically and the logic model defines that test. If the inputs don't produce the expected outputs and impacts, the intervention fails, either because the execution was flawed or the original hypothesis was.
Business Model Canvas (BMC)
BMC is another visual method for business alignment. Developed by Alexandar Osterwalder and available under a Creative Commons license, BMC puts the entire business model on one page. By exploring partners, resources, customers, costs, and revenues, BMC forces users to think about initiatives in business terms.
Completing a canvas, individually or through a facilitated workshop, encourages security teams to think about what they do like a product or service they are building and selling to customers both inside and outside the enterprise. This customer-centric brainstorming reveals insights about where security succeeds, struggles, or fails in the organization. Discussing security in terms of value propositions, customers, and channels help prepare members for talking to business stakeholders. Even unfamiliar concepts, like revenue, often have security parallels (chargebacks, budget increases, or money saved on incident response).
Security for the board, not the bored
It's always easier to appreciate a story when it's in your own language. That's why they invented movie subtitles. Audience is important, and no company was ever built just to support its information security team. It's always the other way around: security is a business function created to support business strategy and objectives. Most security objectives do support business objectives, but it can get frustrating if security owners can't talk about what they do in a language business owners care about. GQM, Logic Modeling, and the Business Model Canvas are three readily available tools every security team should consider the next time they need to talk security as a strategic business enabler.
This article is published as part of the IDG Contributor Network. Want to Join?