According to some old research from Ponemon and F5 I recently rediscovered today, 74% of the respondents to a 2017 survey said that their security programs weren’t aligned with the objectives of the businesses they were trying to protect. And even today, I spoke to a very modern bank in the middle of a massive investment in digital transformation and technology roll-out, and he told me how they were still stuck talking about “traditional” security and couldn’t connect to the business.
So I wanted to talk a little bit about where you are in relation to chipping away at that 74% of the organizations out there who can’t connect security to the business goals and objectives of the organization.
Where do you think you are?
Do you have confidence your security program is aligned to the business?
Can you prove it?
Not un-coincidentally, answering these questions is why I chose stakeholder interviewing as topic for the follow-up edition of the newsletter that launched The Agile Security System™ last month. Because if you can’t connect to the business, there’s no way you’re going to be able to demonstrate any level of support and alignment with them.
I know I’ve been harping on about this for almost a month now, and I’ve given you several different tips and approaches to gaining this knowledge. If you already have the Baseline Perspectives, you’ll already understand one of the ways you can use the interdomain relationships in the models to help you come up with the right questions to ask to help you understand what’s important to your customers in those areas.
Once you understand your customer’s worlds, it’s really pretty straightforward to figure out some links you can make that will help you build a stronger program.
But it’s 2019, and the major “outlets” are still writing articles about the divide between security and the business, and how we still need to fight the stigma of being “The Department of NO.”
And one of the articles I found, gave you much the same advice I have, and will in the upcoming September issue. But the difference is, rather than just telling you what to do, the newsletter helps you actually do it.
It helps you build the habits you need to consistently ask the right questions, and then the habits you need to be able to do the right things with those answers so you can confidently be in the 26% (probably less, in fairness, depending on how wide you cast your net).
However, I will warn you that the content of the upcoming September newsletter (which goes to the printer in just a few short days) isn’t all “cyber” or “security” or “controls” or anything talking about traditional security stuff.
Instead, we’re going to talk about how you actually prepare to communicate, and some things you need to know, if you want to actually be able to come close to understanding their worlds.
And that’s only important to understand your customers’ worlds…
…if you want to build a more effective security program.
Now, my guess is that you’re subscribed to this list because that’s something you’re interested in doing, but maybe it isn’t.
Or maybe you have your hands full, trying to just manage your day-to-day work, and you think you don’t have time. This could also be true.
But what I will say is that every minute you spend doing work you can’t directly justify as aligned with the business beyond, we need to patch this vulnerability, or we need to mitigate this threat or bad things will happen…
…is a minute you should be spending to figure out how to focus on the right things.
And that’s a tough choice, because something might need to burn while you prevent bigger fires in the future.
But if now isn’t the right time, when is?
Connecting with your security customers and knowing what they care about is one of the most important jobs you actually have as a security architect, risk professional, manager or other leader in the security team. And learning the best ways to engage those customers is the only way I know to find out what those things that they care about actually are.
If this is something you’re finding difficult to do, then you only have 4 days left before the September issue goes to the printer.
To make sure it arrives at your door, subscribe here: https://securitysanity.com
And after it arrives, you really will find a doorway to a whole new world: the world of your security customers in the business.
Andrew S. Townley
Archistry Chief Executive