Learn Organization’s Business

The primary reason for the existence of any business is to make money. The reason for the existence of an information security team in an organization is to effectively manage the business risk related to information security. Any great CISO (or a person in a leadership position) must understand how the organization’s business works. Note that I am using “business” as a loose term. In the case of government organizations, the business may be providing certain services to your constituents. The key thing to understand is that every organization has a purpose and information security has to support that purpose. The only exceptions to this are the vendors of information security products and services, where information security itself is the primary business. So unless you are working for an information security company, the primary business of your organization is something other than information security, and you must understand it thoroughly.

Learning business boils down to only two things:

  • How does your organization earn money?
  • Where is the money spent?

The corporate strategy and organizational structure control these two major objectives. As an information security professional, the more you understand the company’s business, the more effectively you can put information security in context.

Suggested Actions

The following is a list of basic information that you should know about the business of your organization.

  • Organizational Structure – Review organizational charts and find out who is who in your organization. You must know the key people in the organization who you are going to interact with.
  • Lines of Business – Find out whether there are multiple lines of business and their share in overall business revenue and profit.
  • Products and Services – Get to know the products and services offered by your organization and their respective revenue. Find out about any future products and services that are in the pipeline.
  • Major Business Partners – Find out who the major business partners are.
  • Budget Cycle – When does the budget process start, and how are projects approved?
  • Important Customers – Who are the largest customers?
  • Role of Technology – How important a role does technology play in the business? What major technologies are currently being used?
  • Geography – Is your organization engaged in international business? How many people does it employ, and where?
  • Major Competitors – Find out who the major competitors of your organization are.
  • Stock Information – If you are part of a publicly traded company, find its stock and quarterly reports. How has your stock been fluctuating in the past 12 months, and why?

The following is a sample mind map. You can draw your own or expand on it. This will create a picture of the business in your mind and make it easy for you to understand corporate dynamics.
