
A Simple Tool for CISOs to Understand The Business - Free Template


Among the challenges faced by information security teams, one of the most common is how best to align the security strategy and programme with the wider business.


Since all security programmes depend upon business owners for resources, cooperation, and support, it's in every CISO's best interests to be able to translate the benefits of security into the language of the business and its strategy.


There is one simple tool that enables you to capture the entire business service…


The Business Model Canvas (BMC) is a visual method for understanding the business, which in turn enables any information security function to align to it.



Developed by Alexander Osterwalder and available under a Creative Commons license, BMC puts the entire business model on one page. By exploring partners, resources, customers, costs, and revenues, BMC forces you to think about initiatives in business terms.


There are two ways you can complete the canvas:

1) As the business as a whole

2) As the Information Security function, as an internal service provider


Completing a canvas can be undertaken individually or through a workshop. It encourages information security teams to think about what the business or the team does as a product or service that they are building and selling to customers both inside and outside the enterprise.


This customer-centric brainstorming reveals insights about where security succeeds, struggles, or fails in the organisation. Discussing security in terms of value propositions, customers, and channels helps prepare members for talking to business stakeholders. Even unfamiliar concepts, like revenue, often have security parallels (chargebacks, budget increases, or money saved on incident response).


Download a free template here.
