Safeguarding the organization's data is not a goal in itself. Information security exists to help the organization reach its corporate objectives, such as those tied to making money or serving a non-profit function.
It's easy for infosec professionals to become comfortable in the world of information systems, firewalls, security patches, and incident response. We sometimes forget that we're part of an ecosystem that's supposed to help the organization achieve its corporate objectives. As Michael Cloppert put it, we should be active participants "in technical innovation, architecture, and the engineering process, making sure requirements are met in a way that balances risk with cost."
Infosec personnel should understand the context within which their direct job responsibilities exist. Here are some of the ways in which information security can fit into the overall organization:
Finance
- Stay within budgetary constraints
- Account for the value of data and protection costs
- Safeguard financial data
Legal
- Support regulatory and contractual compliance efforts
- Address legal risks that involve security of the organization's data
- Safeguard protected legal data
Human Resources
- Support regulatory and contractual compliance efforts
- Address legal risks that involve security of the organization's data
- Safeguard protected legal data
Information Technology
- Integrate into the IT risk management program
- Provide operational security services
- Oversee or audit the use of IT to address misuse
Marketing and Communications
- Help ensure trustworthiness of communications
- Oversee the use of sensitive customer data
- Integrate into the customer privacy program
- Participate in notifications regarding security incidents
Line of Business
- Provide infosec support for organization's products or services
- Safeguard proprietary data
- Help enable the organization's pursuit of its strategic objectives
Don't fall into the trap of thinking that the security work you do is so important that the value you add should be self-evident to your colleagues. If you want your work to be noticed and appreciated, you need to connect your security efforts with what the rest of the organization is doing. To do this, understand what people in non-security departments do, how they fit into the corporate ecosystem, and how your responsibilities link to theirs.
For more thoughts along these lines, see my earlier post "Depth of IT Knowledge is Not Enough."