It is relatively easy for those in information security to spend their entire careers without a solid understanding of how the organizations they work for make money. This is true whether they work in a for-profit or nonprofit organization. This kind of insulation from the rigors of a profit-and-loss sheet does not enrich the security professional’s capabilities. In fact, it very often increases stress as a misalignment of priorities engenders cognitive dissonance.
On one hand, the security professional is tasked with protecting an enterprise from bad things and, on the other hand, the organization wants to pursue riskier actions that encourage these same bad things to happen, directly countering IT’s corporate charge to protect. How can an enterprise be serious about protecting its digital assets yet still want to do things that put those assets at risk? This dilemma is not new; indeed, it is as old as information security and the reason security teams have earned the “department of no” tagline.
Business acumen helps add another dimension to the view of security control functions. Having a full appreciation of the trade-offs that need to happen to sell products and services in a competitive marketplace (or to fundraise) will undoubtedly make you a better information security professional. In fact, this skill is the number-1 thing that you need to be successful in information risk analysis.
Far too often, risk analysts are brimming with knowledge of controls and threats but have little understanding of how an organization makes money. This means they are innately unable to complete a risk assessment as they are missing information to appropriately assess business impact. It is a fundamental part of the job of every risk analyst to understand their organizational objectives and know how to connect IT risk to those objectives. IT risk is business risk, and there is no better way to appreciate the connection than understanding the marketplace in which your organization operates. This includes not only understanding how your organization makes money, but also how your suppliers and customers make money. Here is a short list of things to learn about at your organization to improve your understanding of where potential loss could occur:
- Business strategy, goals and objectives
- Financial results
- Business market for your organization
- Customer segments in that market
- Your organization’s unique profile in the market
- How your organization sells its products and services (sales channels including web, mobile, retail, etc.)
Having a working knowledge of these areas of the enterprise enables a risk analyst to better assess loss magnitude forms such as productivity, competitive advantage, fines and judgements, and reputation damage. In a true contradiction of terms, all security professionals need to invest in their soft skills, as they are some of the hardest skill sets to acquire. Upgrading your business acumen will improve your ability to assess business loss and by extension risk.
Jack Freund, Ph.D., CISA, CRISC, CISM, is director of risk science for RiskLens, member of ISACA’s Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.