Information Security Isn't a Standalone Discipline

Information security exists to help organizations achieve corporate objectives, not as a goal in itself. Security professionals must understand how they fit into Finance, Legal, HR, IT, Marketing, and Line of Business. Connect security efforts with what the rest of the organization is doing to be noticed and appreciated.

Safeguarding the organization’s data is not the goal in itself. Information security exists to help the organization reach its corporate objectives, such as those tied to making money or serving a non-profit function.

It’s easy for infosec professionals to become comfortable in the world of information systems, firewalls, security patches, and incident response. We sometimes forget that we’re part of an ecosystem that’s supposed to help the organization achieve its corporate objectives. As Michael Cloppert put it, we should be active participants “in technical innovation, architecture, and the engineering process, making sure requirements are met in a way that balances risk with cost.”

Infosec personnel should understand the context within which their direct job responsibilities exist. Here are some of the ways in which information security can fit into the overall organization: Finance

Stay within budgetary constraints
Account for the value of data and protection costs
Safeguard financial data

Legal

Support regulatory and contractual compliance efforts
Address legal risks that involve security of the organization’s data
Safeguard protected legal data

Human Resources

Support regulatory and contractual compliance efforts
Address legal risks that involve security of the organization’s data
Safeguard protected legal data

Information Technology

Integrate into the IT risk management program
Provide operational security services
Oversee or audit the use of IT to address misuse

Marketing and Communications

Help ensure trustworthiness of communications
Oversee the use of sensitive customer data
Integrate into the customer privacy program
Participate in notifications regarding security incidents

Line of Business

Provide infosec support for organization’s products or services
Safeguard proprietary data
Help enable the organization’s pursuit of its strategic objectives

Don’t fall into the trap of thinking that the security work you do is so important, that the value you add should be self-evident to your colleagues. You need to connect your security efforts with what the rest of the organization is doing if you want to be noticed and appreciated for your work. To do this, understand what people in non-security departments do, how they fit into the corporate ecosystem, and how your responsibilities link to theirs.

For more thoughts along these lines, see my earlier post Depth of IT Knowledge is Not Enough.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →