Three Ways to Align Your Security Roadmap to Business Objectives
CIOReview

Noah Beddome, Chief Information Security Officer, Opendoor

After I left the U.S. Marine Corps, I started my security career as a consultant. And I quickly learned that what the customer asked for and actually needed could be two very different things. For example, a customer could hire you to do a Red Team; however, they might really need a vulnerability assessment.

Ultimately, you need alignment between your team goals and the company objectives. However, Security teams often have siloed ideas of what's crucial to move the business forward. Why? When you are a specialist in a particular profession, like Security, you tend to only look through the security lens. And this can be said for most specialists within a company. The first thing we have to accept is that our small slice of the bigger picture is most likely not the most important or at most is tied with several other areas.

That’s why my approach is to align the security roadmap to business objectives rather than direct security prioritization from purely academic or risk viewpoints. Throughout my career, finding alignment, middle ground, or as I like to call them, “70 percent solutions,” is something I’m incredibly passionate about. Here are three ways to help your Security teams find alignment with the business.

Step one: What actually is Security’s job?

When I joined Opendoor last year, I immediately evaluated what the Security team was currently doing by reviewing active and past workloads. I talked to executives, directors, and key stakeholders. I asked them what they think Security should be doing (i.e. what Security’s job is to them and how well they think they're doing it). I examined the company trends and how we were allocating work internally. This provided the information I needed to calibrate Security’s purpose at Opendoor to their actual work allocation.

 


At its core, Security’s job—at least at Opendoor—is to prevent harm to the business, respond to risk, enable business processes and provide informed decisions. Everything Security does falls into one of those buckets. These buckets or directives further break down to top-level bullets that we can evaluate our performance against. 

Step two: Understand the problems 

Now that you know what Security should be doing, you can measure it by taking each of the top-level initiatives under each directive and rating it based on the following:

• Do any processes or items for the initiative exist at the company?

• Does the current process provide value?

• Is the process easy to use, automated, and well documented?

• Does the current state of the item present an increased risk to the company?

Once you have evaluated the current posture, the next thing to do is brief stakeholders, which is twofold. The first part is providing a document that simply states Security’s job at the company, the directives, initiatives, and how they will be assessed. Once that has been agreed upon, the next step is setting up a meeting to provide a briefing on the actual findings from the evaluation.

Step three: Set the priorities and align on future outlook

Once you’re on the same page regarding the issues at play, figure out how you’ll prioritize those issues. I use an 18-month plan and align it to the current business roadmap to correctly order milestones. The plan should detail the steps for moving from the current status of each initiative to an improved state.

As you head into planning for each quarter, you need a phase where you're reaching out to other teams and finding out what they’re working on. Here are a few key questions to ask:

• Do we need to add this to the roadmap?

• Do we need to allocate more/less time to a project?

• How are we going to budget our time?

Drawing stakeholders or executives back to the roadmap during planning achieves two key things. First, it clearly illustrates trade-offs to your stakeholders. For example, if we add X to the roadmap, we need to drop Y. Second, it allows you to benchmark and track company changes and team trajectories over the planning year. But remember, the 18-month plan is a guideline. Your north star should be a living document highlighting long-term focus areas.

Once you’ve completed all of these steps, you’ll find that the company is aligned with Security and vice versa. There should be no ambiguity. Finding alignment will not only help your Security team be successful but, most importantly, will help the overall business succeed.
