What does aligning security to the business really mean?

As part of his company’s AI center of excellence, Tim Sattler works to identify where and how the technology can provide measurable benefits.

“We’re discussing opportunities,” he says.

That Jungheinrich AG’s AI team is doing so is hardly remarkable. What’s notable is that Sattler, CISO for the German manufacturer of warehouse equipment and tech solutions, is part of the team.

It’s a role security chiefs don’t typically play.

Sattler sees his membership in the AI center of excellence as evidence that he and his security team are in lockstep with the business and its strategic vision.

“I see my role as not only seeing all the risks but also all the opportunities that AI presents. So I get out of the risk corner and really see the big picture,” he explains.

He took the same approach when ChatGPT arrived, at which time he and his team did a deep dive into large language models “to figure out how the technology worked, to understand the risks, and the new business opportunities it would create so we could say, ‘Here are the rules; here’s how you can try it out and play around with it.’”

And he’s doing much the same with quantum computing, explaining that board members have sought out his and his security staffers’ opinions on the technology and its potential, not just its cybersecurity implications.

“They knew we were the right people to talk to first about quantum because we have proven that we see ourselves in this advisory role,” Sattler says. “Very often the business [unit leader] only sees opportunities, and external advisers may be very sales-driven, so both may not be very objective. But we [in security] have a neutral position, seeing the risks and rewards. This is now the role of the CISO and the security organization.”

Sattler says serving in such a capacity demonstrates that security and the business are aligned.

“Alignment to me means that information security supports the strategy of the organization,” says Sattler, who also serves as a board director with the governance association ISACA. “That means we know what the goals of the organization are, what the company wants to achieve, we understand the business environment, what the competition is doing, what the trends are in the industry. Those are all things security needs to know to support innovation and growth and to support the organization in achieving its goals. And that means security can’t just focus on risk. We also need to see the opportunities.”

Alignment: A security department imperative

The idea of alignment is big in security today. A single internet search proves as much, producing countless results that contain some variation of “security-business alignment.”

Yet research shows that many CISOs aren’t in sync with the rest of the organization.

The 2025 EY Global Cybersecurity Leadership Insights Study, for example, shows that only 13% of CISOs “were consulted early when urgent strategic decisions were being made” and “58% of CISOs and cybersecurity executives say it is difficult to articulate their value beyond risk mitigation.”

Meanwhile, the Splunk 2025 CISO Report found gaps between how CISOs and boards perceive priorities. For example, the report found that 52% of surveyed board members think CISOs spend most of their time on business enablement but only 34% of CISOs agreed that that was the case. And 55% of board members said business acumen was a highly valuable skill for CISOs, but only 40% of CISOs ranked it as a skill they should develop.

Given such disconnects, it’s worth asking: What does aligning security to the business really mean? Why is it important? And what strategies can CISOs use to achieve it?

If CISOs want to successfully align security with their business, they need to make alignment more than a mantra, says Katell Thielemann, distinguished vice president analyst at research firm Gartner.

“It’s not enough to say it; you actually have to do it,” she explains. “There is a contingent of cybersecurity that sees itself as an island, implementing defense in depth in every corner of the organization, adopting all these frameworks and standards, but there is diminishing returns in doing that. So instead of saying, ‘This is our cybersecurity discipline and we’re doing all these things because the benchmarks tell us to,’ CISOs have to align their efforts to their organization’s business model.”

Indicators of alignment

One barometer of security-business alignment in action, Thielemann says, is when security teams engage with the business and use business metrics to determine security’s effectiveness.

As an example, she points to the partnership between security and engineering at a manufacturing plant that had devices using software no longer supported by the vendor. The two teams worked together to implement needed security measures, such as segmentation, that wouldn’t interfere with operations but added the necessary security. Knowing to schedule security work during plant downtime further demonstrated the alignment.

“That’s showing security knows the business and is not just doing cybersecurity as a discipline,” Thielemann says.

To align, she says, security leaders must “know the objectives the business has and use those to shape strategy, whether it’s cost containment, going into new markets, adopting cloud. The playbook starts from understanding the organizational priorities and then layering in what threat actors are doing in that industry and what could go wrong, what is the risk we can live with, and understanding and articulating the business impact of security incidents.”

Ayan Roy, Americas cybersecurity competency leader at professional services firm EY, cites another example of alignment involving one company acquiring another as part of a strategy to enter new markets. The company’s CISO, knowing that building trust with customers was critical to growth post-merger, devised a strategy to strengthen the acquired company’s security to the levels necessary to ensure successful integration, corporate expansion, and growth.

Robert T. Lee, chief AI officer and chief of research at security training and certification firm SANS, says alignment can also be seen in other ways, such as when and how security works with the business. For example, CISOs who recognize the need to boost security while reducing friction often have their security departments work with business units at the earliest stages of initiatives. Security teams integrated into R&D units so “they’re able to deploy things with much more of a trust model” is another sign of alignment, Lee says.

“Alignment in all of information security really focuses on the idea of supporting operations. It’s about risk management with an emphasis on enabling operations,” says Dr. James Jaurez, National University’s department chair of cybersecurity and technology.

And there is value in security-business alignment. According to the 2025 EY Global Cybersecurity Leadership Insights Study, “cybersecurity contributes 11% to 20%, or a median of US$36M, in value to each enterprise-wide strategic initiative it is involved in.”

Lack of alignment persists for many

But, as the EY study found, alignment exists in a fraction of organizations. And as Jaurez says, just as there are indicators of security-business alignment, there are signs when it’s absent.

One indicator, he says, is being “over secure,” where the costs of the security measures and the friction they introduce into the organization’s work processes and operations exceed the value they provide. Another is when security leaders don’t know or can’t articulate the organization’s vision or strategic goals, he says.

Others point to security feeling left out or brought into initiatives after they’re under way as indicators that alignment is missing.

“When security is not aligned, security is reacting to changes rather than shaping changes,” says Matt Gorham, leader of PwC’s Cyber and Risk Innovation Institute. “But when security isn’t chasing the business it’s because it’s at the table from the beginning and is saying, ‘Here’s how I can help the business grow and grow securely.’”
