
Three ways to align security programs to enterprise strategy

Lance Hayden | May 10, 2016
Security programs work best in partnership with business owners. These three tools can help organizations improve the business value of security operations.

GQM helps security teams avoid two common traps. In the first trap, strategy execution rarely gets measured. Without metrics, "No more network vulnerabilities" is more prayer than strategy. In the second trap, measurement doesn't support strategy. In security it's often easier to log events than to analyze them. But collecting data for no purpose is inefficient at best. At worst, it increases risk, especially when those data hoards may be legally discoverable.

Logic Modeling

Logic Modeling comes from monitoring and evaluation, a process discipline used by governments and large NGOs. If you're attempting something like improving public access to education, or reducing a water-borne pathogen, you'll submit a logic model to the sponsor organization before getting support.

In essence, logic modeling is visual hypothesizing. You may believe a certain intervention (e.g. making more knowledge publicly available, or supplying at-risk communities with water filters) will have a positive effect. That's your hypothesis: you do something and expect to get something. A logic model maps do's and get's by dividing them into formal inputs, outputs, and short- and long-term impacts. Consider the Wikimedia Foundation's program logic model.

[Figure: Wikimedia Foundation program logic model. By JAnstee (WMF) (Own work) [CC BY-SA 3.0], via Wikimedia Commons]

Logic models can add value for security teams because security is an inherently interventionist process. Most initiatives pushed by a CISO are designed to effect a change. They rely on a hypothesis: "if we do X, we get Y..." That hypothesis can be tested empirically and the logic model defines that test. If the inputs don't produce the expected outputs and impacts, the intervention fails, either because the execution was flawed or the original hypothesis was.

Business Model Canvas (BMC)

BMC is another visual method for business alignment. Developed by Alexander Osterwalder and available under a Creative Commons license, BMC puts the entire business model on one page. By exploring partners, resources, customers, costs, and revenues, BMC forces users to think about initiatives in business terms.

[Figure: Business Model Canvas. By Business Model Alchemist [CC BY-SA 1.0], via Wikimedia Commons]

Completing a canvas, individually or through a facilitated workshop, encourages security teams to think about what they do as a product or service they are building and selling to customers both inside and outside the enterprise. This customer-centric brainstorming reveals insights about where security succeeds, struggles, or fails in the organization. Discussing security in terms of value propositions, customers, and channels helps prepare team members for talking to business stakeholders. Even unfamiliar concepts, like revenue, often have security parallels (chargebacks, budget increases, or money saved on incident response).

