The information security function must be clearly aligned with the business needs of the organization. Information security professionals should be able to directly tie security controls to the strategy, goals, mission, and objectives of the organization through the use of business cases, budgeting, and resource allocation.
- [Narrator] Security professionals must always remember that they perform a supporting service for the organization. While security is extremely important, it is not the reason that the business exists. Every organization has its own mission, and security is just one of many tools that help the organization achieve that mission. Security leaders should think of themselves as wearing two different hats. Certainly, they're the subject-matter experts in the organization on issues of confidentiality, integrity, and availability.
The organization will look to them for security leadership and the protection of information assets, response to security incidents, and other typical security functions. At the same time, security leaders must also be business leaders, who understand the primary mission of the organization, including both its strategic and tactical objectives. They must understand the short-term and long-term goals of the organization, and be able to seamlessly switch between their hats, thinking as both security leaders and business leaders.
The reason that wearing these two hats is so important is that security controls can often be a barrier to the efficient operation of the business. The challenge facing security professionals is that they must design a control environment that manages the risks facing the organization, but balances security against other business considerations. That can be a really difficult task, and it's one that many security professionals struggle with. When you're taking the exam, keep this balance in mind.
Watch out for questions that attempt to trick you into making decisions wearing only the security hat, that would have a disproportionately negative impact on the business. These are usually easy to spot in scenario questions, as long as you're approaching the exam with the image of those two hats in your mind. When proposing a new security control, security leaders often need to present a business case for that control that justifies the investment of time and money in the new control, as well as providing a solid basis for the impact on end users.
You should approach these business cases as you would any other important security decision. Keep two models in mind: the security and business hats that you wear, and the three goals of information security: confidentiality, integrity, and availability. Then just spell out the investment required to implement the control and the expected return on that investment. Another situation where security leaders must wear the hat of a business leader comes in the form of the many administrative tasks that fall to any leader in the organization.
Security professionals taking on management responsibilities will have to administer a budget, conduct performance reviews, counsel employees, and contribute to the organization's strategic planning processes. These non-security responsibilities are an important part of the information security professional's contributions to the broader organization, and they help maintain a solid connection to the rest of the business.
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
Note: This course is part of a series releasing throughout 2018. A complete learning path will be available once all the courses are released.