I’ve had a lot of interest around my recent posts on how to communicate the value of information security to the business.  With that in mind, I wanted to share a method used by one of the enterprises I’ve been working with.

Security & the Business: The “Mars and Venus” problem

In the past, this enterprise had a lot of challenges in helping the business “get” the value of their security work – especially when dealing with non-technical functions.  Their answer has been to create a “Business Alignment” function in their organization.  This function sits between the techies in the Information Security team and other parts of the business.

  • The people in the Business Alignment group spend time with project stakeholders and initiative owners around the business, so they have a good understanding of the goals, priorities, and business-level requirements for all of the major projects in the business.
  • They also have an understanding of information security, and spend time working with the infosec team to understand the issues, priorities, and risks that need to be managed.

As projects and daily activities unfold, the Business Alignment team helps keep the business and the security professionals in sync, and helps explain the “what and why” in terms that are appropriate for the audience.


The people I’m working with say things have improved greatly since this function was implemented, and this group has also added a lot of value in terms of creating reports and indicators that work for both groups.  Pretty cool.

Want to be on my list?

If you’ve been following along on my quest to help crack the code for how information security can communicate value to the business, and you’d like to be more involved, please send me an email through this link and I’ll add you to my list.  As the project continues, I’d like to use you as a source of input with things like surveys, and sending out scenarios / suggestions to get your help on validating and refining what I’m learning.  Also, if you are interested in sharing your stories on the topic of conveying security value to the enterprise, please let me know – specifically, I’d like to hear your challenges in this area, what has worked, what hasn’t, etc.