Information Security Isn’t a Standalone Discipline

Safeguarding the organization’s data is not the goal in itself. Information security exists to help the organization reach its corporate objectives, such as those tied to making money or serving a non-profit function.

It’s easy for infosec professionals to become comfortable in the world of information systems, firewalls, security patches, and incident response. We sometimes forget that we’re part of an ecosystem that’s supposed to help the organization achieve its corporate objectives. As Michael Cloppert put it, we should be active participants “in technical innovation, architecture, and the engineering process, making sure requirements are met in a way that balances risk with cost.”

Infosec personnel should understand the context within which their direct job responsibilities exist. Here are some of the ways in which information security can fit into the overall organization:

Finance

  • Stay within budgetary constraints
  • Account for the value of data and protection costs
  • Safeguard financial data

Legal

  • Support regulatory and contractual compliance efforts
  • Address legal risks that involve security of the organization’s data
  • Safeguard protected legal data

Human Resources

  • Support regulatory and contractual compliance efforts
  • Address legal risks that involve security of the organization’s data
  • Safeguard protected legal data

Information Technology

  • Integrate into the IT risk management program
  • Provide operational security services
  • Oversee or audit the use of IT to address misuse

Marketing and Communications

  • Help ensure trustworthiness of communications
  • Oversee the use of sensitive customer data
  • Integrate into the customer privacy program
  • Participate in notifications regarding security incidents

Line of Business

  • Provide infosec support for organization’s products or services
  • Safeguard proprietary data
  • Help enable the organization’s pursuit of its strategic objectives

Don’t fall into the trap of thinking that the security work you do is so important that the value you add should be self-evident to your colleagues. You need to connect your security efforts with what the rest of the organization is doing if you want to be noticed and appreciated for your work. To do this, understand what people in non-security departments do, how they fit into the corporate ecosystem, and how your responsibilities link to theirs.

For more thoughts along these lines, see my earlier post Depth of IT Knowledge is Not Enough.

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.