How can security play a central role in enabling business growth?
Tom Scholtz, research vice-president at Gartner, shares seven domains that Gartner has identified as relevant to improved business alignment.
There is no single tactic or strategy that guarantees success in improving business alignment of security. Rather, a number of varied but interrelated actions need to be identified and executed to improve alignment over time. Different techniques are typically better suited to different corporate cultures and business environments. Gartner has identified seven domains that are all relevant to improved business alignment.
Culture: Develop an organisational culture in which users, managers and IT professionals all make good decisions about information risk.
Planning: The strategic and tactical planning activities of the information security organisation provide ample opportunity for aligning the resultant projects and actions to actual business requirements. For example, a key strategy is to leverage enterprise architecture principles in security planning practices.
Processes: Adopting a strategic process approach, such as the ISMS prescribed by ISO 27001, to the security management programme. It establishes the ability to assess, develop and implement security solutions as and when required by the business, rather than enforcing a "one size fits all" control baseline.
Communications: A primary objective should be to develop security-related service-level metrics that can be included in formal service-level agreements (SLAs) between IT, service providers and user constituencies.
Competencies: Business alignment often requires skills not normally associated with information security specialists such as architecture practice, personal communications, business knowledge and marketing skills.
Technology: The manner in which security technology is utilised can have a major impact on how security is perceived by technology users. The success of an integrated IT service delivery strategy, such as that prescribed by ITIL v3, will depend on how security controls are technically integrated with IT services.
Relationships: The importance of establishing and maintaining effective relationships with other roles and individuals within the organisation. Alignment depends on the cooperation and support of key influencers, decision makers and other stakeholders.
Alignment is a challenge that cannot be addressed in a piecemeal fashion. Organisations should invest time and resources into a comprehensive strategy for improving business alignment. The actions and projects resulting from this strategy must be executed in conjunction with, and not in place of, existing security projects.
Read more expert advice from the Computer Weekly Think Tank >>
This was first published in September 2009