Cybersecurity Magazine recently featured an article looking at how to develop a security strategy for a business. This article elaborates a little on the importance of keeping the business strategy in mind when developing a security strategy. This is something that can far too often be forgotten, or ignored, when implementing a security strategy.
Business strategies can be simple, or they can be complex, but in general there are a few core components:
- More customers
- More revenue
- More growth
The details surrounding these components are often more complex since they have to fit into the reality of the business. It can get even more complex in areas with heavy regulation, such as medical or finance businesses.
Every company would like to make more money, but how they approach this goal differs for individual companies. In crisis times the goal is often achieved by reducing costs. When things are good, competitor companies are bought.
I am unaware of any companies that would like to have fewer customers, but how will a company go about acquiring these? More revenue and growth will usually result from more customers, so more customers might be the most important component in any business strategy. I say might, because some businesses will have different goals at different times, like getting a new product to market on time. You could argue that this will result in new, or more, customers, but business strategies will be both short-term and long-term. In a short-term strategy, a new product might be the one and only focus.
The list below outlines some of the steps a company can take, or use, in a strategy:
- Better customer service
- Better quality products
- Buy competing companies
- Aggressive marketing
There is a plethora of additional points and steps beyond these; just think about the complexities in buying another company and the scrutiny that might follow from governmental organizations like the EU, worried about the competitive impact of a merger or buyout of a company. Whatever the business strategy is, and however it is being implemented, it will have an impact on our security strategies.
We now have some insight into what a business strategy might include, which we can use as input into our security strategy. How? Well, let’s break it down a little. What information from above can we use as input?
- Better Customer Service
  - What would a company like to use to provide better customer service? More data on the customers comes to mind as one possibility: data that will likely be sensitive to privacy concerns, and thus needs to be protected.
  - What kind of customer data is being collected?
  - How do we want to protect this data – Encryption?
  - Where do we want to protect it – CRM system, Database?
In all cases where companies are collecting data on customers or clients, risk and threat assessments should be conducted, and the collection of the data possibly limited for security or compliance reasons. Any additional data collection must be included in the security strategy for protection, maintenance and final deletion when no longer needed.
Buying competing companies can be a security nightmare, especially when integrating a completely different company infrastructure into an existing one. Attackers are always watching the news for company mergers or buyouts, because they know that these scenarios contain plenty of opportunities.
Having a strategy that considers these merger scenarios will make the life of any security professional a lot easier. This is not to say that mergers are easy, but having a plan in place for merging infrastructures will, at the very least, mitigate the risk of doing so without one.
The purpose of this article is to highlight the need for security professionals to create security strategies which consider the strategies of the business. This article has only scratched the surface of the options for input into a security strategy from a business strategy. Make no mistake, browsing through a business strategy and identifying the points that should be part of a security strategy can be laborious.
The benefit that a security strategy will get from considering the overall business strategy cannot be overestimated. In addition, it can also make security professionals a trusted partner to the business, something that is often, unfortunately, lacking. Next time you are hired or asked to develop a security strategy, or something like it, keep in mind the data input that the business strategy can provide. It will make the final product far more useful to the business.
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISK, CCSP, CDSPE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book, "Security Architecture - How & Why".