Top 10 Ways to Build & Align Security with your Business

February 14, 2017

IT security really is BS. Before we get too far, I really need to explain what I mean by this.

In nearly every environment I walk into, I see the same thing.  The information technology department is struggling to figure out how to “appropriately” secure their environment, and of course, how much to spend doing so.  Most often, they are looking for some silver bullet of technology or assessment to fix or point this out to them.

What I find with most of these customers is that they have no, or very few, policies and standards related to security or protecting information.  People tend think about policies and standards as the paper in the corner that does not really do anything to protect the company.  Some even think of them as the “rules” or “traps” used to punish employees.  Most often, the IT team is also responsible for creating these policies, and therefore it is usually done in a vacuum.  This is a huge missed opportunity.  The creation of a comprehensive security program, including policies and standards, should be about aligning the business needs for securing customer, employee, and company information with organizations technical, physical, and operational controls.  These controls are the guides and roadmap needed to help ensure the business stays secure and compliant.  Staying secure and compliant should be part of every senior leadership’s business continuation plan.  We have seen that without it, the business may not exist.  This is why I say IT Security really is BS (Business Security).

Security is not about some technical nerd in the back room trying to patch systems and defending the network from attacks, while everyone else goes about their daily activities.  Effective security comes from every employee working off the same playbook to help secure the organization.  Everyone in the company plays a critical part in securing company, employee, and customer information and systems.  Your security program should be that playbook, which the business helps create, implement, and monitor.  If you do not have a security program today, here is my formula for building and aligning security with your business:

  1. Establish a security governance committee comprised of key business leaders.  These people with help steer and approve your program.  Without this, your program is far less likely to succeed.  This is usually much easier in smaller organizations, but applies to organizations of any size.

  2. Identify your compliance requirements, both regulatory and contractual.

  3. Select a best practices security framework based on your compliance requirements.  This will help ensure your policies and standards will align with your business needs.  Additionally, frameworks help to ensure your program does not have any “blind spots”.

  4. Identify subject matter experts inside your organization responsible for the selected frameworks key control areas.

  5. Create policy and standard templates to be used, and have them approved by your governance committee.  These templates should minimally identify scope, purpose, objectives, and requirements.  The more you explain why a policy or standard is important, the more likely people are to follow it.

  6. Using the templates created; start to document what you are doing today to comply with the framework recommended practices.  Also, keep track of where you have gaps.  That list will become part of your security plan later.

  7. Have the subject matter experts review the documents created for accuracy.

  8. Have the governance committee approve the documents and publish them for all to access.


  10. Improve your controls using the gaps you identified in step 6 above, starting with the items that you expect will have the greatest impact on reducing risk.

If you need help with any or all of these steps, Heartland Business Systems has a team of highly qualified and experienced professionals who have created many effective programs for our customers.  Most of our customers have used this mechanism to start, and bring their business along, the security journey.  True security really is a journey, not a sprint.


Andy Hull
About the Author

Andy Hull
Information Security Officer

Andrew has over 25 years of information technology and security experience. While he has specialized in the, Financial, Healthcare, and CPG verticals, he has both the breadth and depth of experience needed to provide end-to-end security solutions to nearly any size company in any industry.  He is a strong leader who has led, developed, and managed technology and security teams, strategy, planning, and testing for several organizations.  Andrew has helped many companies design and implement the necessary security controls, policies and governance structures, as well as tactically manage threats, vulnerabilities, and incidents.


Title Text

Subtitle Text