Business Objectives – why you should care! 

Security Managers often try to apply as many controls as they can. This is to ensure that the capability is as secure as possible, regardless of the success or failure of the capability in achieving its objectives.

This method of just applying security controls regardless of any context makes the whole security effort easy. It can be standardised and applied to anything. It also means that security can be outsourced and run separately from project management.  

But isn’t there an issue here? What’s the point in having a security manager if this whole thing can be done in cookie-cutter style, irrespective of the context?  

For example, let’s imagine a new cruise missile modification destined for Ukraine, where time is of the essence to support our ally. If we apply all manner of security controls, some of them may delay and restrict the effectiveness of the new missile, making mission success less likely.

So, we must consider objectives, the context and the environment that the capability will be operating in. Security activities will have to align to these so that the capability and security are working together and not against each other. This may feel quite uncomfortable as the tendency is to think that more security is best. The best security, however, enables objectives to be achieved.  

At Bee.Net, we understand that the success of the capability must come first. We know how to talk to business leaders in their own business-focused language. We use our Cyber Design Accelerator to help our clients understand how risks can impact objectives so that cyber risks can be used to understand business risk.
