Design a Business-Aligned Security Program

Focus on business value first.

EXECUTIVE BRIEF

Analyst Perspective

Business alignment is no accident.

Security leaders often tout their choice of technical security framework as the first and most important program decision they make. While the right framework can help you take a snapshot of the maturity of your program and produce a quick strategy and roadmap, it won’t help you align, modernize, or transform your program to meet emerging business requirements. Common technical security frameworks focus on operational controls rather than business services and value creation. They are difficult to convey to business stakeholders and provide little program management or implementation guidance. Focus on business value first, and the security services that enable it. Your organization has its own distinct character and profile. Understand what makes your organization unique, then design and refine the design of your security program to ensure it supports the right capabilities. Next, collaborate with stakeholders to ensure the right accountabilities, roles, and responsibilities are in place to support the implementation of the security program.

Michel Hébert Research Director, Security & Privacy Info-Tech Research Group

Executive Summary

Info-Tech Insight

You are a business leader who supports business goals and mitigates risk. Focus first on business value and the security services that enable it, not security controls.

Your challenge

The need for a solid and responsive security program has never been greater.

• You need to build a security program that enables business services and secures the technology that makes them possible.
• Building an effective, business-aligned security program requires that you coordinate many components, including technologies, processes, organizational structures, information flows, and behaviors.
• The program must prioritize the right capabilities, and support its implementation with clear accountabilities, roles, and responsibilities.
• You must communicate effectively with stakeholders to describe the risks the organization faces, their likely impact on organizational goals, and how the security program will mitigate those risks and support the creation of business value.

• Ransomware is a persistent threat to organizations worldwide across all industries.

Cybercriminals deploying ransomware are evolving into a growing and sophisticated criminal ecosystem that will continue to adapt to maximize its profits.

• Critical infrastructure is increasingly at risk.

Malicious agents continue to target critical infrastructure to harm industrial processes and the customers they serve State-sponsored actors are expected to continue to target critical infrastructure to collect information through espionage, pre-position in case of future hostilities, and project state power.

• Disruptive technologies bring new threats.

Malicious actors increasingly deceive or exploit cryptocurrencies, machine learning, and artificial intelligence technologies to support their activities.

Sources: CCCS (2023), CISA (2023), ENISA (2023)

Your challenge

Most security programs are not aligned with the overall business strategy.

50% Only half of leaders are framing the impact of security threats as a business risk.

49% Less than half of leaders align security program cost and risk reduction targets with the business.

57% Most leaders still don’t regularly review security program performance of the business.

Source: Tenable, 2021

Common obstacles

Misalignment is hurting your security program and making you less influential.

Organizations with misaligned security programs have 48% more security incidents...

…and the cost of their data breaches are 40% higher than those with aligned programs.

37% of stakeholders still lack confidence in their security program.

54% of senior leaders still doubt security gets the goals of the organization.

Source: Frost & Sullivan, 2019

Source: Ponemon, 2023

Common obstacles

Common security frameworks won’t help you align your program.

• Common security frameworks focus on operational controls rather than business value creation, are difficult to convey to stakeholders, and provide little implementation guidance.
• A security strategy based on the right framework can provide a snapshot of your program, but it won’t help you modernize, transform, or align your program to meet emerging business requirements.
• The lack of guidance leads to a lack of structure in the way security services are designed and managed, which reduces service quality, increases security friction, and reduces business satisfaction.

There is no unique, one-size-fits-all security program.

• Each organization has a distinct character and profile and differs from others in several critical respects. The security program for a cloud-first, DevOps environment must emphasize different capabilities and accountabilities than one for an on-premise environment and a traditional implementation model.

Info-Tech’s approach

You are a business leader who supports business goals and mitigates risk.

• Understand what makes your organization unique, then design and refine a security program with capabilities that create business value.
• Next, collaborate with stakeholders to ensure the right accountabilities, roles, and responsibilities are in place, and build an implementation roadmap to ensure its components work together over time.

Security needs to evolve as a business strategy.

• Laying the right foundations for your security program will inform future security program decisions and give your leadership team the information they need to support your success. You can do it in two steps:
  • Evaluate the design factors that make your organization unique and prioritize the security capabilities to suit. Info-Tech’s approach is based on the design process embedded in the latest COBIT framework.
  • Review the key components of your security program, including security governance, security strategy, security architecture, service design, and service metrics.

If you build it, they will come

“There's so much focus on better risk management that every leadership team in every organization wants to be part of the solution.

If you can give them good data about what things they really need to do, they will work to understand it and help you solve the problem.”

Dan Bowden, CISO, Sentara Healthcare (Tenable)

Design a Business-Aligned Security Program

Choose your own adventure

This blueprint is ideal for new CISOs and for program modernization initiatives.

1. New CISO

“I need to understand the business, prioritize core security capabilities, and identify program accountabilities quickly.”

2. Program Renewal

“The business is changing, and the threat landscape is shifting. I am concerned the program is getting stale.”

Use this blueprint to understand what makes your organization unique:

1. Prioritize security capabilities.
2. Identify program accountabilities.
3. Plan program implementation.

If you need a deep dive into governance, move on to a security governance and management initiative.

3. Program Update

“I am happy with the fundamentals of my security program. I need to assess and improve our security posture.”

Move on to our guidance on how to Build an Information Security Strategy instead.

Info-Tech’s methodology for security program design

Insight Map

You are a business leader first and a security leader second

Technical security frameworks are static and focused on operational controls and standards. They belong in your program’s solar system but not at its center. Design your security program with business value and the security services that enable it in mind, not security controls.

There is no one-size-fits-all security program
Tailor your security program to your organization’s distinct profile to ensure the program generates value.

Lay the right foundations to increase engagement
Map out accountabilities, roles, and responsibilities to ensure the components of your security program work together over time to secure and enable business services.

If you build it, they will come
Your executive team wants to be part of the solution. If you give them reliable data for the things they really need to do, they will work to understand and help you solve the problem.

Blueprint deliverables

Info-Tech supports project and workshop activities with deliverables to help you accomplish your goals and accelerate your success.

Security Program Design Tool

Tailor the security program to what makes your organization unique to ensure alignment.

Security Program Implementation Tool

Assess the current state of different security program components and plan next steps.

SecurityProgram Design and Implementation Plan

Communicate capabilities, accountabilities, and implementation initiatives.

Key deliverable

Security Program Design and Implementation Plan

The design and implementation plan captures the key insights your work will generate, including:

• A prioritized set of security capabilities aligned to business requirements.
• Security program accountabilities.
• Security program implementation initiatives.

Blueprint benefits

Measure the value of using Info-Tech’s approach

Assess the effectiveness of your security program with a risk-based approach.

Measure the impact of your project

Use Info-Tech diagnostics before and after the engagement to measure your progress.

• Info-Tech diagnostics are standardized surveys that produce historical and industry trends against which to benchmark your organization.
• Run the Security Business Satisfaction and Alignment diagnostic now, and again in twelve months to assess business satisfaction with the security program and measure the impact of your program improvements.
• Reach out to your account manager or follow the link to deploy the diagnostic and measure your success. Diagnostics are included in your membership.

Inform this step with Info-Tech diagnostic results

• Info-Tech diagnostics are standardized surveys that accelerate the process of gathering and analyzing pain point data.
• Diagnostics also produce historical and industry trends against which to benchmark your organization.
• Reach out to your account manager or follow the links to deploy some or all these diagnostics to validate your assumptions. Diagnostics are included in your membership.

Governance & Management Maturity Scorecard
Understand the maturity of your security program across eight domains.
Audience: Security Manager

Security Business Satisfaction and Alignment Report
Assess the organization’s satisfaction with the security program.
Audience: Business Leaders

CIO Business Vision
Assess the organization’s satisfaction with IT services and identify relevant challenges.
Audience: Business Leaders

Executive Brief Case Study

INDUSTRY: Higher Education

SOURCE: Interview

Building a business-aligned security program

Portland Community College (PCC) is the largest post-secondary institution in Oregon and serves more than 50,000 students each year. The college has a well-established information technology program, which supports its education mission in four main campuses and several smaller centers.

PCC launched a security program modernization effort to deal with the evolving threat landscape in higher education. The CISO studied the enterprise strategy and goals and reviewed the college’s risk profile and compliance requirements. The exercise helped the organization prioritize security capabilities for the renewal effort and informed the careful assessment of technical controls in the current security program.

Results

Laying the right foundations for the security program helped the security function understand how to provide the organization with a clear report of its security posture. The CISO now reports directly to the board of directors and works with stakeholders to align cost, performance, and risk reduction objectives with the needs of the college.

The security program modernization effort prioritized several critical design factors

• Enterprise Strategy
• Enterprise Goals
• IT Risk Profile
• IT-Related Issues
• IT Threat Landscape
• Compliance Requirements

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 4 to 6 calls over the course of 6 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Customize your journey

The security design blueprint pairs well with security governance and security strategy.

• The prioritized set of security capabilities you develop during the program design project will inform efforts to develop other parts of your security program, like the security governance and management program and the security strategy.
• Work with your member services director, executive advisor, or technical counselor to scope the journey you need. They will work with you to align the subject matter experts to support your roadmap and workshops.