Indicators of alignment: One barometer of security-business alignment in action, Thielemann says, is when security teams engage with the business and use business metrics to determine security’s effectiveness.

As an example, she points to the partnership between security and engineering at a manufacturing plant that had devices using software no longer supported by the vendor. The two teams worked together to implement needed security measures, such as segmentation, that wouldn’t interfere with operations but added the necessary security. Knowing to schedule security work during plant downtime further demonstrated the alignment. “That’s showing security knows the business and is not just doing cybersecurity as a discipline,” Thielemann says.

To align, she says, security leaders must “know the objectives the business has and use those to shape strategy, whether it’s cost containment, going into new markets, adopting cloud. The playbook starts from understanding the organizational priorities and then layering in what threat actors are doing in that industry and what could go wrong, what is the risk we can live with, and understanding and articulating the business impact of security incidents.”

Ayan Roy, Americas cybersecurity competency leader at professional services firm EY, cites another example of alignment involving one company acquiring another as part of a strategy to enter new markets. The company’s CISO, knowing that building trust with customers was critical to growth post-merger, devised a strategy to strengthen the acquired company’s security to the levels necessary to ensure successful integration, corporate expansion, and growth.

Robert T. Lee, chief AI officer and chief of research at security training and certification firm SANS, says alignment can also be seen in other ways, such as when and how security works with the business.
For example, CISOs who recognize the need to boost security while reducing friction often have their security departments work with business units at the earliest stages of initiatives. Security teams integrated into R&D units so “they’re able to deploy things with much more of a trust model” is another sign of alignment, Lee says.

“Alignment in all of information security really focuses on the idea of supporting operations. It’s about risk management with an emphasis on enabling operations,” says Dr. James Jaurez, National University’s department chair of cybersecurity and technology.

And there is value in security-business alignment. According to the 2025 EY Global Cybersecurity Leadership Insights Study, “cybersecurity contributes 11% to 20%, or a median of US$36M, in value to each enterprise-wide strategic initiative it is involved in.”
Lack of alignment persists for many: But, as the EY study found, alignment exists in a fraction of organizations. And as Jaurez says, just as there are indicators of security-business alignment, there are signs when it’s absent.

One indicator, he says, is being “over secure,” where the costs of the security measures and the friction they introduce into the organization’s work processes and operations exceed the value they provide. Another is when security leaders don’t know or can’t articulate the organization’s vision or strategic goals, he says.

Others point to security feeling left out or brought into initiatives after they’re under way as indicators that alignment is missing. “When security is not aligned, security is reacting to changes rather than shaping changes,” says Matt Gorham, leader of PwC’s Cyber and Risk Innovation Institute. “But when security isn’t chasing the business it’s because it’s at the table from the beginning and is saying, ‘Here’s how I can help the business grow and grow securely.’”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4080670/what-does-aligning-security-to-the-business-really-mean.html