
Aligning Cybersecurity Strategies with Business Objectives for Enhanced Risk Management

It’s a common message on social media, conferences, and even at office water coolers:

  1. No one seems to take security seriously or understand the risk;
  2. No one listens to the security team;
  3. The company always seems to do what it wants and doesn’t spend the money needed.

Why do so many CISOs feel like they’re constantly fighting an uphill battle, only to have their concerns dismissed by the business? There is often still a disconnect between the business and the cybersecurity team, and it often turns into an “us vs. them” situation.

Consider the consequences of this disconnect—without understanding, cooperation, or effective communication, organizations face increased risks of breaches, compliance failures, and security issues that disrupt productivity, operations, and ultimately, profitability.

The big question is: why is this happening and what can be done?

The “business comes first” mantra is also repeatedly taught to us in security courses, including any PECB security-related training course. Connected to this is the concept of aligning your cybersecurity strategies and values with the organization’s business objectives.

Like any self-respecting cyber professional, we have to ask AI what this is about. Google AI has this to say:

“Aligning security with business objectives means integrating cybersecurity strategies and practices directly with a company’s overall goals, ensuring that security measures protect critical assets and enable business operations to function smoothly while mitigating potential risks, ultimately supporting the company’s growth and success; this involves understanding business priorities, conducting risk assessments, and implementing security controls that are tailored to those specific needs, fostering a security-conscious culture within the organization.” 

There is some great stuff contained in there, but what does this mean in the real world, and how do you go about making a success of this exercise? Certainly, these things seem obvious, but how do you actually do it? Putting our practical hat on, I would adjust this slightly and go with the following approach:

  1. Understand your business and its goals
  2. Identify stakeholders and design a collaborative communication approach
  3. Align the risk methodology—including methods, appetite, and strategy—with business goals
  4. Develop security controls that effectively address risks while aligning with your business goals
  5. Ensure staff awareness and support
  6. Monitor, test, and communicate the status with stakeholders

1. Understand your business and its goals

Anyone joining an organization should spend time understanding its structure, culture, industry, and how it operates and makes a profit. The first question is: what is the business purpose, and how is it put into practice? If you are able to see the core purpose of the company and what success looks like for you together with the business, this should guide your thinking as a security professional. Think of how primary objectives like customer acquisition, innovation, operational efficiency, or market expansion all highlight what this business is about.

2. Identify stakeholders and design a collaborative communication approach

As part of understanding the business, you should now engage at the business level and identify key areas and their goals. It’s critical to communicate to them how important collaboration is and that you are seeking to align your security objectives with their goals and the relevant risks.

Building alliances across the business and having support across the business from stakeholders who understand the risks and their role in supporting you is a critical factor to success.

3. Align the risk methodology—including methods, appetite, and strategy—with business goals

Once you have clear objectives from the exercises above, the risk methodology and strategy should be designed to match the information gathered.

There are a lot of shared risks across industries, but the way in which the business responds will differ in some cases based on industry, risk level, and how the objectives would be affected. Think of the differences between a bank’s objectives and a non-profit’s or charity’s objectives as an example; they will be vastly different.

Conduct thorough risk assessments to identify potential threats and vulnerabilities, then prioritize security controls based on the level of risk to critical business assets, with the business goals in mind.

Think about how a company in a dynamic, young, lightly regulated environment will respond to heavy-handed, restrictive practices, or alternatively how laissez-faire controls and attitudes will not suit a conservative, heavily regulated insurance company. They probably won’t suit any company in our current environment, but risk must tie into business goals and your regulatory environment as a start.

4. Develop security controls that effectively address risks while aligning with your business goals

Taking into account the results of the risk assessment matched to the strategy, we then integrate security considerations into the development and implementation of systems, applications, and processes, and adjust the levels required in line with objectives.

Things like encryption, stronger password controls, and additional monitoring would be used in areas where the business objectives would be affected without these controls. Having passwords that change monthly in certain environments will have an impact on productivity and business goals; thus, looking at efficient alternatives, including MFA and biometrics, might actually support the business goals.

5. Ensure staff awareness and support

Another critical aspect is educating employees about cybersecurity best practices, including password hygiene, phishing awareness, and data handling protocols, to minimize human error risks. 

The best way to do this is ensuring staff are aware of how it aligns to the business objectives and their role within the business. If staff clearly understand how it affects the objectives and strategies of the business, they will be more likely to take it seriously and work with the security teams.

Boring, repetitive training with unclear objectives does not cut it: employees will ignore these channels, and you will end up in the scenario we mentioned in the introduction, where there is a disconnect between security and staff/management.

6. Monitor, test, measure, and communicate the status with stakeholders

The key aspect of this program is to then show how well the security strategies have aligned to the business objectives and how much they have protected and hopefully improved the business.

The communication and collaboration strategy must include measurable metrics to demonstrate how well it aligns with business objectives. These metrics should also be used to further gain support from both management and users.

So once this has been effectively implemented there will be benefits but the trick is to understand them, make them visible, and market these successes. Then see how you can adjust certain aspects to maximize these benefits and improve areas where there are still issues.

The main benefit ideally should be an overall improved security posture. The key metrics for me are always: have we improved our security posture, and are we effectively maintaining our controls?

By aligning our strategy to business objectives, we ideally have gained support and collaboration from the business, which means our security controls are operating more effectively. Specifically, this means:

  1. Reduced risk of data breaches: Proactive security measures help protect sensitive data and customer information. Staff who have bought in are more aware and therefore follow best practices that reduce these events, and they communicate and assist with quick responses when incidents do occur.
  2. Improved operational resilience: A direct financial saving can be measured by how well we are minimizing disruptions, and in some cases, stopping historical issues caused by cyber incidents, which ensures business continuity. 
  3. Enhanced customer trust: Often a more difficult one to quantify, but through effective security and lack of breaches, we can demonstrate a commitment to data privacy and security which can maintain or even build customer confidence.  
  4. Cost optimization: There are direct and indirect costs related to data breaches, operational incidents, and poorly designed IT systems and controls, as well as the associated legal liabilities. Reducing these cost issues is crucial to demonstrating value, which can be achieved through efficient security controls and measurable savings that gain business support.
  5. Competitive advantage: The final point ties into all the areas above, where security plays a supportive role, but the key is how the business maximizes the benefits that security provides.

A strong security posture can differentiate a company in the market, and in many industries not having this is a huge inhibitor to dealing with customers and partners, therefore, it is even more critical. 

So, in summary, when you as a security or compliance/risk professional are having issues with buy-in, support, or budget, or even clashes with the business, the best advice is to:

  • Revisit your strategies and evaluate the gaps in terms of their alignment to the business objectives; and
  • Improve the strategies together with your collaboration and communication with the business.

My core message, one I emphasize every day, is to prioritize communication in every aspect of your role as a security professional. Engage with colleagues, build strong relationships, and make security a shared responsibility across the organization.
