At the recent RSA conference in San Francisco, David Spark asked the question “Why doesn’t the business align better with security?” and there were some interesting responses:
I actually only agreed with the last comment from Michael Farnum (whom I have followed on Twitter and finally got to meet for the first time at RSA… see “bald men of security” in my RSA roundup). He rightly says that the business should not align with security, as it is the role of security to align with the business. Compare this to the question “Why doesn’t the business align better with IT?” or “Why doesn’t the business align better with HR?” and the question immediately becomes moot.
I think David was right to ask the question because it has uncovered with greater clarity something that I and many others have been talking about for some time now, namely that security has for too long been carrying out security for its own sake rather than supporting the business in achieving its goals. In my own paraphrased words: “this is what I need security to do to help me sell more beer“.
This was reiterated by Andy Ellis at a session at RSA where he asked precisely this:
are you the conscience of the business or an enabler to the business?
Finance is there to provide money, make that money work more effectively and ensure the money is providing the best value for the good of the business. IT is there to provide technology services at the best possible value for the good of the business. HR is there to provide people, support them, nurture them and align them (or move them out), for the good of the business.
What is your security programme doing for the good of the business, rather than the good of security? Asking this question alone will move your programme towards the business's goals and actually help the business achieve its goals, not yours.