From the course: ISC2 Certified Information Systems Security Professional (CISSP) (2024) Cert Prep

Aligning security with the business

- [Instructor] Security professionals must always remember that they perform a supporting service to the organization. While security is extremely important, it's not the reason that the business exists. Every organization has its own mission, and security is one of many tools that help the organization achieve that mission. Security leaders should think of themselves as wearing two different hats. Certainly, they are the subject matter experts in the organization on issues of confidentiality, integrity, and availability. The organization will look to them for leadership in the protection of information assets, response to security incidents, and other typical security functions. At the same time, security leaders must also be business leaders who understand the primary mission of the organization, including both its strategic and tactical objectives. They must understand the short-term and long-term goals of the organization and be able to seamlessly switch between their hats, thinking as both security leaders and business leaders. The reason that wearing these two hats is so important is that security controls can often be a barrier to the efficient operation of the business. The challenge facing security professionals is that they must design a control environment that manages the risks facing the organization but balances security against other business considerations. That can be a really difficult task, and it's one that many security professionals struggle with. When you're taking the exam, keep this balance in mind. Watch out for questions that attempt to trick you into making decisions wearing only your security hat but would have a disproportionately negative impact on the business. These are usually easy to spot in scenario questions as long as you're approaching the exam with the image of those two hats in your mind. 
When proposing a new security control, security leaders need to present a business case that justifies the investment of time and money in the new control, as well as providing a solid basis for the impact on users. Approach these business cases as you would any other important security decision. Keep the two models in mind, the security and business hats that you wear, and the three goals of information security: confidentiality, integrity, and availability. Then spell out the investment required to implement the control and the expected return on that investment. Another situation where security leaders must wear the hat of a business leader comes in the form of the many administrative tasks that fall to any leader in the business. Security professionals taking on management responsibilities will have to manage a budget, conduct performance reviews, counsel employees, and contribute to the organization's strategic planning processes. These non-security responsibilities are an important part of the information security professional's contributions to the broader organization, and they help maintain a solid connection to the rest of the business.