Let us face it: in addition to a strategy, everyone needs goals and objectives to get things done and to measure progress and performance. In a typical organization, the CEO has a list of goals and objectives that trickle down through the chain of leadership. Objectives for IT leaders are usually derived from the CEO's objectives. Understanding the organizational objectives, as well as the personalities of your CEO and CIO, helps in creating and aligning the information security strategy.
Most business objectives fall into one of the following areas:
- Business goals (e.g. increase revenue by X percent, open 20 new retail locations, mobile workforce)
- Industry drivers (e.g. use of mobile apps, enable video, be compliant with a new standard)
- Internal issues and improvements (e.g. improve response time of banking application)
The success of an information security program lies in managing risk while supporting corporate goals and objectives. Understanding those corporate objectives is the first step towards achieving this success.
Suggested Actions
- Goal Alignment – Find the annual goals and objectives of your CEO and CIO. Make sure your strategy and projects are tied to one or more of these objectives.
- Personality Understanding – Understand the personalities of the CIO and CEO and their approach towards IT and information security: do they prefer to build internal resources or to rely more on vendors? Take notes on important personality traits.
- Periodic Review – There may be a periodic review of corporate goals and objectives. Be part of this review and demonstrate how information security is helping to achieve corporate objectives. Risk management and information security budget management can easily be tied to organizational objectives. Schedule a quarterly review meeting for the information security strategy.
- Mutual Cooperation – It is much easier to bundle security objectives with corporate goals. For example, if there is a planned redesign of an e-commerce application, you may be able to implement or enhance identity management as part of it.
You can use a mind map like the following to list corporate objectives and tie information security objectives to them.
Remember, it does not need to be a fancy mind map. Many times you can draw this type of map on your whiteboard simply by using dry-erase markers.