Information Security Isn’t a Standalone Discipline

Safeguarding the organization’s data is not the goal. Information security exists to help the organization reach its corporate objectives, such as those tied to making money or serving a non-profit function.

It’s easy for infosec professionals to become comfortable in the world of information systems, firewalls, security patches, and intrusion detection. We sometimes forget that we’re part of an ecosystem that’s supposed to help the organization achieve its corporate objectives. As Michael Cloppert put it, we should be active participants “in technical innovation, architecture, and the engineering process, making sure requirements are met in a way that balances risk with cost.”

Infosec personnel should understand the context within which their direct job responsibilities exist. Here are some of the ways in which information security can fit into the overall organization:

Finance

  • Stay within budgetary constraints
  • Account for the value of data and protection costs
  • Safeguard financial data

Legal

  • Support regulatory and contractual compliance efforts
  • Address legal risks that involve security of the organization’s data
  • Safeguard protected legal data

Human Resources

  • Support compliance efforts that involve employee data
  • Address personnel-related security risks, such as those arising during hiring and termination
  • Safeguard protected employee data

Information Technology

  • Integrate into the IT risk management program
  • Provide operational security services
  • Oversee or audit the use of IT to address misuse

Marketing & Communications

  • Help ensure trustworthiness of communications
  • Oversee the use of sensitive customer data
  • Integrate into the customer privacy program
  • Participate in notifications regarding security incidents

Line of Business

  • Provide infosec support for organization’s products or services
  • Safeguard proprietary data
  • Help enable the organization’s pursuit of its strategic objectives

Don’t fall into the trap of thinking that the security work you do is so important that the value you add should be self-evident to your colleagues. You need to connect your security efforts with what the rest of the organization is doing if you want your work to be noticed and appreciated. To do this, understand what people in non-security departments do, how they fit into the corporate ecosystem, and how your responsibilities link to theirs.

For more thoughts along these lines, see my earlier post Depth of IT Knowledge is Not Enough.

Lenny Zeltser

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise allow me to create practical solutions that drive business growth.