Adam Groenhout

The Security Program Why: Fundamentals for Enabling Success


Why do security programs exist within organizations? The answer seems intuitively obvious, until you actually try to articulate it in any detail; the core purpose is hard to state concisely. As a result, the why is often overlooked or taken for granted, relegated to the background as an assumed requirement rather than a strategic imperative. Even many security professionals are so focused on the trees that they forget the shape of the forest and why it was planted. This purpose should remain a north star to continually navigate by.

This post delves into the why of security programs within businesses, moving beyond the technical details to examine their fundamental role: to enable organizations to achieve their objectives while simultaneously managing risk exposure. We will explore how this dual mandate shapes security's relationship with the business, the principles that guide effective security programs, and some practical strategies that manifest these concepts. Ultimately, this aims to highlight security's true value proposition, not just as a defensive shield, but as a critical driver of organizational resilience and success.

Defining Security

In conceptual terms, security is protection against undesired outcomes. For organizations, security is realized through security programs that work to protect the organization from the threats and risks that create those undesired outcomes. Security programs are a collection of people, processes, and technologies that work together to provide controls so that the organization can continue to survive and accomplish its mission. Security programs range from large, highly structured programs with dedicated staff to the collective security effort of everyone in the workforce. In today’s environment, organizations of a certain size, complexity, and reliance on digital technologies that lack a material security program (i.e. a focused and resourced security effort specifically designed to protect the organization's most critical assets) will likely survive only on luck. Therefore, security is an essential aspect of any business.

The Security and Business Relationship

%%{init: {'theme': 'neutral'}}%%
graph TD
    A(Organization's Mission) -- Achieve --> B(Success)
    C(Security) -- Enable --> A
    C -- Manage Risk --> D(Operational Resilience)
    D -- Support --> B
    C -- Avoid --> E(Excessive Friction)
    E -- Hampers --> B

Here is a simple statement that represents the fundamental relationship between security and the organization it supports. Security exists to (1) enable the organization to achieve its objectives, and (2) manage risk exposure to achieve operational resilience. While managing risk (#2) directly contributes to the organization's ability to achieve its objectives (#1), these aspects are distinct and warrant separate consideration.

#1 represents the alignment and prioritization of security efforts to target and secure specific business initiatives. This ensures that business-critical elements are always considered from a security perspective and, ideally, secured through robust and layered defenses to achieve a strong security posture and resilience.

#2 represents universal security work to broadly implement security best practices, common security controls, and foundational security hygiene. This ensures that the whole organization (e.g. all business processes, systems, information types, etc.) is covered by a minimum baseline of security measures and risk is reduced broadly, particularly those related to commodity attacks and targets of opportunity. Additionally, this also often satisfies compliance frameworks and requirements.

It is obvious that security can be insufficient such that it does not adequately protect a business. Conversely, it is important to note that security can be too heavy in ways that constrict, slow down, and hamper a business. This prevents innovation and agility, which are needed for any organization’s short-term and long-term success. In this context, security must be created and maintained in balance. This balance is a key piece of what it means for a security program to be effective.

A simple way to create a security team's mission statement is to take the organization's overall mission and prepend it with, “To provide effective security so that we are able to…”. This reflects the fundamental dynamic between security and the overall organization. This is the why behind security for organizations. In other words, security exists to enable its organization to do what it wants to do and create the conditions such that it can continue to do those things in the face of threats, while avoiding excessive friction.

Security Equations

Let’s say that the security team’s mission is x, the organization's mission is y, and the overall organizational outcome is o. How would we reflect their relationships as an equation? I’ll offer two different equations to express the relationship between security and the organization it supports, where each offers a unique angle.

(1) o = y - r(x). This equation represents the impact of security on the overall mission. y is the intended mission outcome, and r(x) is the risk (r) as reduced by the security team's efforts (x). If the security program is perfectly effective, then r(x) will equal zero and nothing will hinder, or take away from, the organization achieving its mission. This implies that a stronger security program reduces risk and brings the realized overall outcome closer to the intended outcome.

(2) o = f(x, y). This equation shows that both x and y need to be balanced for optimal organizational success. f is a function that considers both the security mission (x) and the overall mission (y). This suggests that there is an optimal balance between security and other mission objectives, and that they must work in concert. Too much security might hinder progress, while too little could expose the organization to unacceptable risks.

While helpful, these equations are of course limited. Real-world complexities are difficult to encapsulate. Many organizational aspects are qualitative (e.g., reputation, trust), so quantifying them into formulas won’t yield practical tools. The relationship between x and y varies greatly between organizations, and these things are not static. Next, we will examine security first principles as another way to gain perspective and understanding.

Principles

While mathematical relationships may help understand security's role at an abstract level, we can make these concepts more actionable by examining the fundamental principles that guide effective security programs. These principles translate the theoretical relationship between security and business objectives into practical strategies. Just as the equations show that security's value comes from both risk reduction and mission enablement, the first principles of security focus on measurably reducing adverse impacts while supporting business operations. This approach helps bridge the gap between theoretical understanding and practical implementation, which provides a framework for making strategic decisions about where and how to focus efforts.

First Principles to Strategy

Rick Howard provides a helpful way to describe this in his book, Cybersecurity First Principles. To paraphrase his work, the key first principle is to reduce the probability of material impact to an organization from a cyber event over a finite period of time. This principle focuses on:

Rick goes on to offer a few key strategies for achieving this first principle that I think are worth highlighting.

These strategies are all tools and methods that support both business enablement and reduced risk exposure. However, most organizations are effectively resource constrained, and all are bound by limited time, so these strategies must be targeted at what is most material. This means that they are, or should be, implemented primarily in direct support of #1: enabling organizations to achieve their most important objectives.

Security Enables Success

Security's fundamental purpose, to enable business objectives while managing risk exposure, shapes how security programs should be designed, implemented, and measured. The mathematical relationships and principles discussed here provide mechanisms for understanding this dual function. While the specific implementation varies by organization, the core of it remains consistent. Effective security is not just about preventing bad outcomes, but about creating the conditions that allow organizations to confidently pursue their objectives.

Security leaders must balance theoretical understanding with practical implementation, focusing their limited resources on what is truly material to their organization's success. This means building programs that are both strategically aligned with business goals and tactically effective at reducing risk. Lastly, it is key to remember that security is not an end in itself, but rather a critical enabler of organizational resilience and success.