Security Acumen: Business First
By Gideon T. Rasmussen, CISSP, CISA, CISM, MVP
The line between business and information security professionals is blurring. Government regulations have mandated security practices over the past decade. The resulting changes are evident. Security professionals are being given seats at the executive table and within lines of business. Business acumen is quickly becoming the eleventh domain of information security. To adapt, security professionals must align with business management and develop depth and breadth within business.
Developing business acumen skills is a journey of discovery. In simplistic terms, business acumen means understanding how your company makes money. Security professionals need to become familiar with business processes in order to apply the appropriate safeguards and work effectively with business management.
Identify business acumen as a professional development need with your manager. Ask to be introduced to a business professional to act as a guide or mentor. Then, request to be involved in a business project, even if only to take meeting minutes or to help create a slide presentation.
Next, request a meeting with a trusted contact to discuss how their team conducts business. Ask for a high-level overview to include strategic goals, teams, business objectives, critical factors to achieve them, associated risks, how they have been mitigated and how the company's line of business makes money in general. Do not be afraid to admit that you are out of your element and ask fundamental questions. Finally, request introductions to team contacts and mention that you will be sending an e-mail to forward on to them.
Send a follow-up e-mail message thanking your contact for providing background information. Reiterate that you are trying to develop an understanding of their team from a business perspective and that you could use their help in making the proper connections. Include a framework of the areas you would like to explore. This message makes it easy for your contact to conduct introductions and provides a representation of your interests.
Prepare for each conversation with your business partners. Ask questions tailored to each person's team and mission. If you run out of time, ask if you can follow up with questions via e-mail. Thank each person for meeting with you and offer to be a resource for that person in the future. Finally, send each one a thank-you e-mail message with a copy to his or her supervisor.
Save new connections under a separate group in your address book. Make a point of keeping in touch with them.
Internal Business Partnerships
Partnering is a key component of business relationships. Give selflessly to your business partners and find ways to add value to their team. Work with them to document shared processes and how your respective teams interact. If there has been friction between teams, documenting shared processes can provide relief. Keep an open mind, ask questions, and work toward process improvement.
Speak in terms that motivate and inspire business management. For example, what would you do if you stepped into an elevator and a senior manager asked, "So why do you think all these security initiatives are necessary?" It is important to have a one-minute elevator pitch and not to miss that opportunity.
Include "risk" in your communications with business professionals. Risk is the Rosetta Stone between security professionals and business management. Business people think and speak in terms of it. Business risk categories include reputation risk, operational risk, compliance risk, and strategic risk.
Provide your business partners with the information they need to make informed decisions. Use metrics to quantify risk for them (e.g. a score based upon risk ranking). Develop the ability to give presentations that "tell the story." Use compelling proofs of concept to sell your ideas (e.g. a sample web site).
Developing business acumen skills may represent a cultural change for you. If you align and contribute to business initiatives in some manner, it becomes easier to incorporate security into that same culture.
As you acclimate to your business partners and their mission, they will adapt to yours. Their increased awareness will be reflected in support for security during meetings. A few of your business counterparts may also become security advocates, supporting security initiatives in your absence. Business partners will also be much more likely to invite you to participate at the beginning of a project rather than at the end if a culture of security exists.
Chief Security Officer
Want to sit in the CSO chair? Solid business acumen skills are an absolute requirement. At a minimum, you will need to know how to write business cases, manage a budget, and think in terms of the bottom line. Consider pursuing an MBA degree to develop core business skills. The challenges of business management can be attractive. You may like it.
Synergies exist between business and security; one cannot exist without the other. The road to developing business acumen skills can be arduous. However, the advantages are well worth the effort. An information security professional aligns with business management and considers how security initiatives can reduce risk and promote competitive advantage. Step outside of your comfort zone.
Gideon T. Rasmussen is a Charlotte-based information security professional with a background in Fortune 50 and military organizations. His website is
Originally published in Microsoft TechNet as "Security MVP Article of the Month" (May 9, 2007)