Three Ways to Align Your Security Roadmap to Business Objectives
After I left the U.S. Marine Corps, I started my security career as a consultant, and I quickly learned that what the customer asked for and what they actually needed could be two very different things. For example, a customer might hire you to do a Red Team engagement when what they really need is a vulnerability assessment.
Ultimately, you need alignment between your team's goals and the company's objectives. However, Security teams often have siloed ideas of what's crucial to move the business forward. Why? When you are a specialist in a particular profession, like Security, you tend to look only through the security lens, and the same can be said for most specialists within a company. The first thing we have to accept is that our small slice of the bigger picture is most likely not the most important one, or at best is tied with several other areas.
That’s why my approach is to align the security roadmap to business objectives rather than drive security prioritization from purely academic or risk viewpoints. Throughout my career, finding alignment, middle ground, or as I like to call them, “70 percent solutions,” is something I’m incredibly passionate about. Here are three ways to help your Security team find alignment with the business.
Step one: What actually is Security’s job?
When I joined Opendoor last year, I immediately evaluated what the Security team was currently doing by reviewing active and past workloads. I talked to executives, directors, and key stakeholders. I asked them what they think Security should be doing (i.e., what Security’s job is to them and how well they think it is being done). I examined the company trends and how we were allocating work internally. This provided the information I needed to calibrate Security’s purpose at Opendoor against its actual work allocation.
At its core, Security’s job—at least at Opendoor—is to prevent harm to the business, respond to risk, enable business processes and provide informed decisions. Everything Security does falls into one of those buckets. These buckets or directives further break down to top-level bullets that we can evaluate our performance against.
Step two: Understand the problems
Now that you know what Security should be doing, you can measure it by taking each of the top-level initiatives under each directive and rating it against the following:
• Do any processes or items for the initiative exist at the company?
• Does the current process provide value?
• Is the process easy to use, automated, and well documented?
• Does the current state of the item present an increased risk to the company?
Once you have evaluated the current posture, the next thing to do is brief stakeholders, which happens in two parts. The first part is providing a document that simply states Security’s job at the company, the directives, the initiatives, and how they will be assessed. Once that has been agreed upon, the next step is setting up a meeting to brief stakeholders on the actual findings from the evaluation.
Step three: Set the priorities and align on future outlook
Once you’re on the same page regarding the issues at play, figure out how you’ll prioritize those issues. I use an 18-month plan and align it to the current business roadmap to correctly order milestones. The plan should detail the steps for moving from the current status of each initiative to an improved state.
As you head into planning for each quarter, you need a phase where you're reaching out to other teams and finding out what they’re working on. Here are a few key questions to ask:
• Do we need to add this to the roadmap?
• Do we need to allocate more/less time to a project?
• How are we going to budget our time?
Drawing stakeholders and executives back to the roadmap during planning achieves two key things. First, it clearly illustrates trade-offs to your stakeholders: for example, if we add X to the roadmap, we need to drop Y. Second, it allows you to benchmark and track company changes and team trajectories over the planning year. But remember, the 18-month plan is a guideline. Your north star should be a living document highlighting long-term focus areas.
Once you’ve completed all of these steps, you’ll find that the company is aligned with Security and vice versa. There should be no ambiguity. Finding alignment will not only help your Security team be successful but, most importantly, will help the overall business succeed.