
CISO Strategy: Learn Your Organization’s Business


The primary reason any business exists is to make money. The reason an information security team exists in an organization is to manage business risk effectively. Any great CISO must understand how the organization’s business works.
Note that I am using “business” as a loose term. In the case of government organizations, your business may be providing certain services to your constituents. The key thing is that every organization has a purpose, and information security has to support that purpose. The only exception is vendors of information security products and services, where information security itself is the primary business. So unless you are working for an information security company, the primary purpose of your organization is something other than information security.

Learning the business boils down to only two things:

  • How does your organization earn money?
  • Where is the money spent?

Corporate strategy and organizational structure control these two major objectives. As an information security professional, the more you understand the company’s business, the more effective you will be at putting information security in context.

Suggested Actions

The following is a list of basic information that you should know about the business of your organization.

  • Organizational Structure – Review organizational charts and find out who is who in your organization. You must know the key people you are going to interact with.
  • Lines of Business – Find out whether there are multiple lines of business and what their share is in overall business revenue and profit.
  • Products and Services – Get to know the products and services offered by your organization and their respective revenue. Find out about any future products and services that are in the pipeline.
  • Major Business Partners – Who are the major business partners?
  • Budget Cycle – When does the budget process start, and how are projects approved?
  • Important Customers – Who are the largest customers?
  • Role of Technology – How important a role does technology play in the business? What major technologies are currently being used?
  • Geography – Is your organization engaged in international business? How many people does it employ, and where?
  • Major Competitors – Find out who the major competitors of your organization are.
  • Stock Information – If you are part of a publicly traded company, find its stock and quarterly reports. How has the stock been fluctuating in the past 12 months, and why?

Following is a sample mind map. You can draw your own or expand on it. This will create a picture of the business in your mind and make it easy for you to understand corporate dynamics.


The post CISO Strategy: Learn Your Organization’s Business appeared first on CISO Leadership, Strategy, and Research.

