The GOAL of Security
Do you know THE Goal of your organization? Why does it exist? What’s its purpose?
Even if you work for a “security company,” its main goal is not security (or at least it shouldn’t be). I know that this sounds like sacrilege, but it’s not. The main goal of most private sector companies is to make money. In most companies, providing security doesn’t make money. It’s an operational expense or an investment.
I’m currently reading The Goal, A Process of Ongoing Improvement by Eliyahu M. Goldratt. It has reminded me of the importance of knowing the goals of your company. All activities of the company should be moving it toward its goals of being profitable. “If the company doesn’t make money by producing and selling products (or services), or by maintenance contracts, or by selling some of its assets, or by some other means … the company is finished… an action that moves us (the company) toward making money is productive. And an action that takes away from making money is non-productive.”
My impression is that many security professionals lose sight of their company’s goals. It’s happened to me. I’ve gone through the motions of securing stuff without realizing how it moves the company toward making money. In my enthusiasm for security, I’ve been guilty of non-productive activities that could harm my company.
Security professionals live in a world of paradox. Too much protection and our people can’t be productive. Not enough and the business takes too much risk, which can also cause non-productivity. With the right balance, we can move the company toward profitability. The challenge is determining that balance.
Here are three tips for maintaining a balanced security program that will meet your organization’s goals:
- Know your organization’s goals. You need to collaborate and ask questions to determine what makes your organization tick. Understand how it makes money. For public or non-profit organizations, find out the reason for its being. If you don’t understand your organization, then how can you properly secure it?
- Know your organization’s risk appetite. The next step is to understand the amount of risk your organization is willing to take. This is a business decision, not a security decision, and should be based on the organization’s goals. If your organization is in the manufacturing sector, it very well may be willing to take many more risks. On the other hand, financial sector businesses with an Internet presence may have a very low tolerance for risk. The only way to determine this is to ask.
- Create a security program based on the organization’s goals and risk appetite. Your security program should move the organization toward productivity and making money, not away from it. The protections you recommend, implement, and maintain should always be driving the organization toward its goals. They should also be in line with its risk appetite.
In everything you do, ask yourself, “Is this moving us toward or away from our goals?” If it’s away, then reconsider your actions. The security protections you have may be appropriate in your mind, but are they really right for the organization? This can be a humbling experience, but it can also win you a lot of respect when you’re willing to compromise.
If you remember The Goal, your security program will go far.
And remember, “By working together, we all become stronger.”
Really good point for us security folks. Also reminds me of Office Space.
“So you should ask yourself, with every decision that you make…”
(points to the banner)
“Is this good for the company?”