September 7, 2017 By Domenico Raguseo 2 min read

The principle of security by design suggests that security needs to be aligned with business objectives. But what, exactly, does that mean and where should security professionals start? Below are some factors to consider when aligning security with business objectives.

Best Practices for Aligning Security With Business Objectives

First and foremost, given the increasingly complex regulatory landscape, organizations must ensure that their environments are in line with global privacy laws and standards. Many of these regulations impose heavy fines for violations that could impact the organization’s bottom line. To maintain compliance, security professionals must have a clear understanding of configuration items and their attributes, as well as visibility into the applications, infrastructure, data, transactions, networks, servers, clients, identities and access.

The next critical step is to perform a risk assessment based on the value of the service and assets at hand. Imagine a camera installed in a remote hotel corridor, for instance. The value of the service and the hardware itself is likely minimal, but breaching the camera could be the first step toward a widespread distributed denial-of-service (DDoS) attack. To avoid such scenarios, organizations must recognize the intrinsic value of security.

In addition to an asset’s attributes, it is important to know where assets and data are stored. Cloud storage, for example, carries its own set of risks and security implications. The cloud was a delivery model before it became a business model, and the workloads of existing services are often already hosted there. Since security starts with full visibility, it is critical to identify which services and assets are stored in the cloud.

When implementing security controls, organizations should invest in solutions based on the assumption that they will be attacked. Local security reports and public Computer Security Incident Response Team (CSIRT) data can help incident response teams prepare to deal with a data breach.

Tailoring the Security Operations Center to Business Needs

Finally, organizations should establish security operations centers (SOCs) to facilitate much of the work described above. A company without a SOC is more vulnerable to ransomware, even if it has implemented security controls. An SOC offers visibility into the enterprise and improves the speed and accuracy of incident response.

It is also important to consider which type of SOC aligns most closely with business objectives. If the SOC focuses solely on security information and event management (SIEM), for example, the intelligence it generates is less valuable than if it were integrated with a vulnerability management solution. The SOC can also be equipped with cognitive technologies to share data from a security incident, forensic capabilities to investigate an attack after it strikes and risk management tools to track the evolution of threats.

Securing Your Bottom Line

When aligning security with business objectives, critical assets and services must be secure by design. That means developing products and applications from the ground up and considering security at every step.

Due to the rapidly expanding regulatory landscape and the value of sensitive information to customers and cybercriminals alike, security is essential to any organization’s bottom line. While a data breach is virtually inevitable, ensuring security in every aspect of the business can help organizations respond more effectively. Most importantly, it provides the visibility analysts need to learn from security incidents and bolster the organization’s infrastructure accordingly.

Download the Ponemon Institute 2017 Cost of Data Breach Study

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today