The gap between security and business
A gap exists between the goals of the security teams and the business objectives.
This is problematic because regulations and standards hold business stakeholders accountable for security. These business stakeholders rely on their security teams to provide information in a form that lets them make decisions.
Unfortunately, while security teams collect a lot of useful information, it gets lost in communication because it is not expressed in terms of business value. As a result, it is difficult for a business stakeholder to make well-informed decisions. Assuming accountability for something they don’t understand well enough reinforces the notion that security teams “don’t get it” or “security slows us down.”
The value provided by security teams
Security teams feel as though they are providing a lot of business value.
They focus their time on risk, compliance, and protecting the organization. They are subject matter experts focused on external threats and make use of frameworks and standards from ISO, NIST, and SANS to create effective guardrails.
They provide advice and guidance to the business on what to watch out for. Reports generally reinforce the value that security teams provide — number of blocked attempts, number of security trained developers, compliance reports, and so on.
How the business defines value
Business stakeholders, however, are focused on a different set of values.
Their goals are brand integrity, speed to market, competitive position, and profitability. Their concerns are about moving quickly in a competitive environment. Anything standing in the way is not enabling the business objectives.
Moving fast implies having the right information to make competitive decisions. If a security team is unable to provide relevant and defensible information, their business value quickly diminishes.
Bridging the gap between security and business
What we need is a common language or platform to discuss and describe things in terms that a business stakeholder can understand. Security teams need to think of themselves in the context of a delivery agent. That is, they should frame their talking points in terms that the leadership can relate to.
For example, if we blocked a number of malicious attempts, then:
Why is that relevant to the business?
How does that metric translate into making the business more competitive?
Or how did it reduce business continuity costs?
Bridging the gap between security teams and the business is all about workflow. Start by examining the interaction between security teams and business stakeholders. You will have certain inputs and outputs.
Identify where the business interacts with the outputs and focus on defining a glossary of business terms. This helps you build your own glossary of terms as a security professional. Understand why that information is important to the business. It's about listening with empathy, figuring out the language of your peers and your output partners, and then couching your security metrics in terms that they will recognize.
The goal is to ensure your message is being received correctly.
Depending on the business strategy or context, the required information for informing business decisions may change. Go back and revisit the inputs and outputs. Present the new information in a way that makes business sense. Working alongside business stakeholders in this way proves a partnership model that enables value creation.
Proactive security is built in this way: by understanding the true needs and configuring a set of security tools that feed into a business-centric dashboard or report.
Effective communication is the way to align goals
Security can be an effective enabler for the business. Security teams can help the business balance risk without slowing the decision-making process. They need to get past the technical jargon that is so prevalent and explain concepts to the business in a way it can understand.
This cannot be achieved by working in a silo.
It requires effective communication and empathy to determine what is valuable to the business — speed, revenue, regulatory compliance, and so on. In the end, the goal is not to demonstrate the technical prowess of a security team, but rather to enable effective communication so that business stakeholders can make informed decisions as they remain accountable for security. A change in mindset can help security teams enable the business need for balancing security and risk.