- Apr 5, 2014
Among the challenges faced by information security teams, one of the most common is how best to align the security program with the larger business. While everyone agrees that security breaches are bad, balancing the cost of preventing them against other enterprise priorities is a trickier proposition. Stakeholders who are united on that goal often diverge when forced to choose between security and other values like profitability or ease of use. It gets even harder when organizations struggle simply to agree on how risk should be defined or what acceptable security risk really means.
Since all security programs depend upon business owners for resources, cooperation, and support, it's in every CISO and security manager's best interests to be able to translate the benefits of security into the language of enterprise strategy. That means outreach messaging designed to do more than just scare the pants off everyone. FUD tends to be a self-defeating tactic over time. The audience either grows numb to it, or begins to actively resent the security team as a "party of no!" that only exists to make life harder for everyone. When security is seen as an adversary and not a business partner, half the battle is lost.