{"id":5628,"date":"2025-11-03T07:00:00","date_gmt":"2025-11-03T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5628"},"modified":"2025-11-03T07:00:00","modified_gmt":"2025-11-03T07:00:00","slug":"what-does-aligning-security-to-the-business-really-mean","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5628","title":{"rendered":"What does aligning security to the business really mean?"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>As part of his company\u2019s AI center of excellence, <a href=\"https:\/\/www.linkedin.com\/in\/timsattler\/?originalSubdomain=de\">Tim Sattler<\/a> works to identify where and how the technology can provide measurable benefits.<\/p>\n<p>\u201cWe\u2019re discussing opportunities,\u201d he says.<\/p>\n<p>That Jungheinrich AG\u2019s AI team is doing so is hardly remarkable. What\u2019s notable is that Sattler, CISO for the German manufacturer of warehouse equipment and tech solutions, is part of the team.<\/p>\n<p>It\u2019s a role security chiefs don\u2019t typically play.<\/p>\n<p>Sattler sees his membership in the AI center of excellence as evidence that he and his security team are in lockstep with the business and its strategic vision.<\/p>\n<p>\u201cI see my role as not only seeing all the risks but also all the opportunities that AI presents. 
So I get out of the risk corner and really see the big picture,\u201d he explains.<\/p>\n<p>He took the same approach when ChatGPT arrived, at which time he and his team did a deep dive into large language models \u201cto figure out how the technology worked, to understand the risks, and the new business opportunities it would create so we could say, \u2018Here are the rules; here\u2019s how you can try it out and play around with it.\u2019\u201d<\/p>\n<p>And he\u2019s doing much the same with quantum computing, explaining that board members have sought out his and his security staffers\u2019 opinions on the technology and its potential, not just its <a href=\"https:\/\/www.csoonline.com\/article\/3552701\/the-cisos-guide-to-establishing-quantum-resilience.html\">cybersecurity implications<\/a>.<\/p>\n<p>\u201cThey knew we were the right people to talk to first about quantum because we have proven that we see ourselves in this advisory role,\u201d Sattler says. \u201cVery often the business [unit leader] only sees opportunities, and external advisers may be very sales-driven, so both may not be very objective. But we [in security] have a neutral position, seeing the risks and rewards. This is now the role of the CISO and the security organization.\u201d<\/p>\n<p>Sattler says serving in such a capacity demonstrates that security and the business are aligned.<\/p>\n<p>\u201cAlignment to me means that information security supports the strategy of the organization,\u201d says Sattler, who also serves as a board director with the governance association ISACA. \u201cThat means we know what the goals of the organization are, what the company wants to achieve, we understand the business environment, what the competition is doing, what the trends are in the industry. Those are all things security needs to know to support innovation and growth and to support the organization in achieving its goals. And that means security can\u2019t just focus on risk. 
We also need to see the opportunities.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Alignment: A security department imperative<\/h2>\n<p>The idea of alignment is big in security today. A single internet search proves as much, producing countless results that contain some variation of \u201csecurity-business alignment.\u201d<\/p>\n<p>Yet research shows that many CISOs aren\u2019t in sync with the rest of the organization.<\/p>\n<p>The <a href=\"https:\/\/www.ey.com\/en_gl\/insights\/consulting\/how-can-cybersecurity-go-beyond-value-protection-to-value-creation\">2025 EY Global Cybersecurity Leadership Insights Study<\/a>, for example, shows that only 13% of CISOs \u201cwere consulted early when urgent strategic decisions were being made\u201d and \u201c58% of CISOs and cybersecurity executives say it is difficult to articulate their value beyond risk mitigation.\u201d<\/p>\n<p>Meanwhile, the <a href=\"https:\/\/www.splunk.com\/en_us\/newsroom\/press-releases\/2025\/splunk-report-cisos-gain-influence-in-the-c-suite-and-boardrooms-worldwide.html\" target=\"_blank\" rel=\"noopener\">Splunk 2025 CISO Report<\/a> found gaps between how CISOs and boards perceive priorities. For example, the report found that 52% of surveyed board members think CISOs spend most of their time on business enablement but only 34% of CISOs agreed that that was the case. And 55% of board members said business acumen was a highly valuable skill for CISOs, but only 40% of CISOs ranked it as a skill they should develop.<\/p>\n<p>Given such disconnects, it\u2019s worth asking: What does aligning security to the business really mean? Why is it important? 
And what strategies can CISOs use to achieve it?<\/p>\n<p>If CISOs want to successfully align security with their business, they need to make alignment more than a mantra, says <a href=\"https:\/\/www.gartner.com\/en\/experts\/katell-thielemann\">Katell Thielemann<\/a>, distinguished vice president analyst at research firm Gartner.<\/p>\n<p>\u201cIt\u2019s not enough to say it; you actually have to do it,\u201d she explains. \u201cThere is a contingent of cybersecurity that sees itself as an island, implementing defense in depth in every corner of the organization, adopting all these frameworks and standards, but there are diminishing returns in doing that. So instead of saying, \u2018This is our cybersecurity discipline and we\u2019re doing all these things because the benchmarks tell us to,\u2019 CISOs have to align their efforts to their organization\u2019s business model.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Indicators of alignment<\/h2>\n<p>One barometer of security-business alignment in action, Thielemann says, is when security teams engage with the business and <a href=\"https:\/\/www.csoonline.com\/article\/3979024\/the-8-security-metrics-that-matter-most.html\">use business metrics to determine security\u2019s effectiveness<\/a>.<\/p>\n<p>As an example, she points to the partnership between security and engineering at a manufacturing plant that had devices running software no longer supported by the vendor. Because those devices could not simply be patched or replaced, the two teams worked together to implement compensating security measures, such as network segmentation around the unsupported devices, that added the necessary protection without interfering with operations.
Knowing to schedule security work during plant downtime further demonstrated the alignment.<\/p>\n<p>\u201cThat\u2019s showing security knows the business and is not just doing cybersecurity as a discipline,\u201d Thielemann says.<\/p>\n<p>To align, she says, security leaders must \u201cknow the objectives the business has and use those to shape strategy, whether it\u2019s cost containment, going into new markets, adopting cloud. The playbook starts from understanding the organizational priorities and then layering in what threat actors are doing in that industry and what could go wrong, what is the risk we can live with, and understanding and articulating the business impact of security incidents.\u201d<\/p>\n<p><a href=\"https:\/\/www.ey.com\/en_us\/people\/ayan-roy\">Ayan Roy<\/a>, Americas cybersecurity competency leader at professional services firm EY, cites another example of alignment involving one company acquiring another as part of a strategy to enter new markets. The company\u2019s CISO, knowing that building trust with customers was critical to growth post-merger, devised a strategy to raise the acquired company\u2019s security to the level necessary to ensure successful integration, corporate expansion, and growth.<\/p>\n<p>Robert T. Lee, chief AI officer and chief of research at security training and certification firm SANS, says alignment can also be seen in other ways, such as when and how security works with the business. For example, CISOs who recognize the need to boost security while reducing friction often have their security departments work with business units at the earliest stages of initiatives.
Security teams integrated into R&amp;D units so \u201cthey\u2019re able to deploy things with much more of a trust model\u201d is another sign of alignment, Lee says.<\/p>\n<p>\u201cAlignment in all of information security really focuses on the idea of supporting operations. It\u2019s about risk management with an emphasis on enabling operations,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/jamesjaurez\/\">Dr. James Jaurez<\/a>, National University\u2019s department chair of cybersecurity and technology.<\/p>\n<p>And there is value in security-business alignment. According to the 2025 EY Global Cybersecurity Leadership Insights Study, \u201ccybersecurity contributes 11% to 20%, or a median of US$36M, in value to each enterprise-wide strategic initiative it is involved in.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Lack of alignment persists for many<\/h2>\n<p>But, as the EY study found, alignment exists in only a fraction of organizations. And as Jaurez says, just as there are indicators of security-business alignment, there are signs when it\u2019s absent.<\/p>\n<p>One indicator, he says, is being \u201cover secure,\u201d where the costs of the security measures and the friction they introduce into the organization\u2019s work processes and operations exceed the value they provide.
Another is when security leaders don\u2019t know or can\u2019t articulate the organization\u2019s vision or strategic goals, he says.<\/p>\n<p>Others point to security feeling left out, or being brought into initiatives only after they\u2019re under way, as indicators that alignment is missing.<\/p>\n<p>\u201cWhen security is not aligned, security is reacting to changes rather than shaping changes,\u201d says Matt Gorham, leader of PwC\u2019s Cyber and Risk Innovation Institute. \u201cBut when security isn\u2019t chasing the business, it\u2019s because it\u2019s at the table from the beginning and is saying, \u2018Here\u2019s how I can help the business grow and grow securely.\u2019\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>As part of his company\u2019s AI center of excellence, Tim Sattler works to identify where and how the technology can provide measurable benefits. \u201cWe\u2019re discussing opportunities,\u201d he says. That Jungheinrich AG\u2019s AI team is doing so is hardly remarkable.
What\u2019s notable is that Sattler, CISO for the German manufacturer of warehouse equipment and tech solutions, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5629,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5628","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5628"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5628"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5628\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5629"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5628"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5628"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5628"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}