Three ways to align security programs to enterprise strategy

May 10, 2016 | 6 mins
IT Leadership | IT Skills | IT Strategy

Security programs work best in partnership with business owners. These three tools can help organizations improve the business value of security operations.

Among challenges faced by information security teams, one of the most common is how best to align the security program with the larger business. While everyone comes together around the idea that security breaches are bad, balancing the costs of preventing them against other enterprise priorities is a trickier proposition. Unified stakeholders often diverge when forced to choose between security and other values like profitability or ease of use. It gets even harder when organizations struggle simply to agree on how risk should be defined or what acceptable security risk really means.

Since all security programs depend upon business owners for resources, cooperation, and support, it’s in every CISO and security manager’s best interests to be able to translate the benefits of security into the language of enterprise strategy. That means outreach messaging designed to do more than just scare the pants off everyone. FUD tends to be a self-defeating tactic over time. The audience either grows numb to it, or begins to actively resent the security team as a “party of no!” that only exists to make life harder for everyone. When security is seen as an adversary and not a business partner, half the battle is lost.

Three Tools for Security Strategy

For security programs exploring how to articulate their business value more effectively, several readily available tools can help. Three that I use with clients are the GQM method, logic modeling, and the Business Model Canvas. Each has a different approach, but all can support efforts to engage business stakeholders.

Goal-Question-Metric (GQM)

I discovered GQM researching my first book, IT Security Metrics. GQM developed out of software quality engineering and even after several decades it remains an elegant, powerful tool for balancing strategy with execution.

Conceptually, GQM is pretty simple. You start with strategy, and a goal you wish to achieve. For instance, maybe you want to eliminate all network vulnerabilities. To demonstrate you’ve met that goal, you’ll need to answer some questions, like:

  • How many vulnerabilities are there on the network today?
  • How do we decide when a vulnerability has been eliminated?
  • Who is responsible for eliminating these network vulnerabilities?
  • …and so on…

Data and metrics are required in order to answer these questions. They may show:

  • 100 vulnerabilities exist today
  • A vulnerability is considered eliminated when a patch or control has been implemented
  • One program manager owns the overall vulnerability tracking and remediation process

GQM reduces uncertainty about strategic execution while driving strategy improvement. The process usually triggers more questions, like “How severe are those vulnerabilities?” or “Can one person really manage this alone?” As more data is analyzed, the strategy gets more refined.

GQM helps security teams avoid two common traps. In the first trap, strategy execution rarely gets measured. Without metrics, “No more network vulnerabilities” is more prayer than strategy. In the second trap, measurement doesn’t support strategy. In security it’s often easier to log events than to analyze them. But collecting data for no purpose is inefficient at best. At worst, it increases risk, especially when those data hoards may be legally discoverable.

Logic Modeling

Logic Modeling comes from monitoring and evaluation, a process discipline used by governments and large NGOs. If you’re attempting something like improving public access to education, or reducing a waterborne pathogen, you’ll submit a logic model to the sponsor organization before getting support.

In essence, logic modeling is visual hypothesizing. You may believe a certain intervention (e.g. making more knowledge publicly available, or supplying at-risk communities with water filters) will have a positive effect. That’s your hypothesis: you do something and expect to get something. A logic model maps the do’s and get’s by dividing them into formal inputs, outputs, and short- and long-term impacts. Consider the Wikimedia Foundation’s program logic model.

[Figure: Wikimedia Foundation program logic model. By JAnstee (WMF), own work, CC BY-SA 3.0, via Wikimedia Commons]

Logic models can add value for security teams because security is an inherently interventionist process. Most initiatives pushed by a CISO are designed to effect a change. They rely on a hypothesis: “if we do X, we get Y…” That hypothesis can be tested empirically and the logic model defines that test. If the inputs don’t produce the expected outputs and impacts, the intervention fails, either because the execution was flawed or the original hypothesis was.

Business Model Canvas (BMC)

BMC is another visual method for business alignment. Developed by Alexander Osterwalder and available under a Creative Commons license, BMC puts the entire business model on one page. By exploring partners, resources, customers, costs, and revenues, BMC forces users to think about initiatives in business terms.

[Figure: Business Model Canvas. By Business Model Alchemist, CC BY-SA 1.0, via Wikimedia Commons]

Completing a canvas, individually or through a facilitated workshop, encourages security teams to think about what they do as a product or service they are building and selling to customers both inside and outside the enterprise. This customer-centric brainstorming reveals insights about where security succeeds, struggles, or fails in the organization. Discussing security in terms of value propositions, customers, and channels helps prepare team members for talking to business stakeholders. Even unfamiliar concepts, like revenue, often have security parallels (chargebacks, budget increases, or money saved on incident response).

Security for the board, not the bored

It’s always easier to appreciate a story when it’s in your own language. That’s why they invented movie subtitles. Audience is important, and no company was ever built just to support its information security team. It’s always the other way around: security is a business function created to support business strategy and objectives. Most security objectives do support business objectives, but it can get frustrating if security owners can’t talk about what they do in a language business owners care about. GQM, Logic Modeling, and the Business Model Canvas are three readily available tools every security team should consider the next time they need to talk security as a strategic business enabler.


Dr. Lance Hayden, the Chief Privacy and Security Officer for ePatientFinder, is also an author, speaker, and researcher with over 25 years’ experience in the field of information security. A leading expert on security behavior and culture, Dr. Hayden is the author of People-Centric Security: Transforming Your Enterprise Security Culture and IT Security Metrics: A Practical Framework for Measuring Security and Protecting Data.

Dr. Hayden began his career as a human intelligence (HUMINT) officer with the CIA, which contributed to a philosophy emphasizing human behavior, organizational psychology, and strategic leadership as central to a successful InfoSec program. Dr. Hayden's career includes security roles at KPMG, FedEx, Cisco, and the Berkeley Research Group before joining ePatientFinder, where he has executive responsibility for all enterprise data protection and security-related regulatory compliance.

Dr. Hayden received his Ph.D. in Information Science from the University of Texas at Austin. As a professor at the UT iSchool, Dr. Hayden develops and teaches graduate and undergraduate courses on subjects including information security, privacy, surveillance and the intelligence community. His industry credentials include CISSP, CISM, CRISC and ISO 27001 Certified Lead Auditor certifications.

The opinions expressed in this blog are those of Lance Hayden and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.