
To align, she says, security leaders must “know the objectives the business has and use those to shape strategy, whether it’s cost containment, going into new markets, adopting cloud. The playbook starts from understanding the organizational priorities and then layering in what threat actors are doing in that industry and what could go wrong, what is the risk we can live with, and understanding and articulating the business impact of security incidents.”
Ayan Roy, Americas cybersecurity competency leader at professional services firm EY, cites another example of alignment involving one company acquiring another as part of a strategy to enter new markets. The company’s CISO, knowing that building trust with customers was critical to growth post-merger, devised a strategy to strengthen the acquired company’s security to the levels necessary to ensure successful integration, corporate expansion, and growth.
Robert T. Lee, chief AI officer and chief of research at security training and certification firm SANS, says alignment can also be seen in other ways, such as when and how security works with the business. For example, CISOs who recognize the need to boost security while reducing friction often have their security departments work with business units at the earliest stages of initiatives. Security teams integrated into R&D units so “they’re able to deploy things with much more of a trust model” is another sign of alignment, Lee says.
