
The Fine Art of Aligning Business Strategy and Information Security Strategy

By Lars Hviid, Senior IT Security Architect at NNIT

If I were to ask you about your company’s information security strategy, would you know what to answer?

Chances are that you would not. Unfortunately, many companies lack a well-defined, fully business-aligned information security strategy.

Business vision, mission, and strategy are used to set the direction and achieve company goals. Similarly, the information security strategy is a proven way of setting direction and achieving security goals.

This raises the question of why so many companies lack a clear and mature information security strategy.

Lack of control

Gaining and maintaining control are imperative to the survival of any company. Lack of control is underlined daily by the security incidents filling the news stream. However, many companies struggle to maintain control because the security organization is crippled, absent, or misplaced in the IT department. While the importance of IT security is indisputable, it is merely one part of information security, which is primarily concerned with the use of and access to information. It follows that the IT department should be seen first and foremost as a service provider of that use and access.

Nevertheless, the prevailing mind-set among decision-makers and employees alike is that the IT department is responsible for all security, both in the services and in the systems. This conflation of information security with IT security keeps the holes in the information security strategy open.

The organization is not up-to-date

About a decade ago, security typically resided under the CFO and was primarily limited to insurance, safety, and physical security. Due to the escalating use of information technology (IT) in virtually all business processes and workflows, information security is nowadays often articulated as IT security and resides under the IT manager. The priorities of the IT manager have historically been systems availability, keeping the engines going. This explains why IT security primarily focuses on the availability (up-time) of systems, while confidentiality and integrity requirements are often neglected. This bias is frequently upheld by low or no prioritization of confidentiality and integrity requirements from the asset owners in the business.

By assigning the responsibility for information security to the IT manager while demanding yearly cost reductions from IT, security controls are likely to be eroded or insufficiently prioritized in order to save costs. This significantly increases the risk of failure for the information security program. The reason is that security spend, IT and otherwise, has to be justified as risk mitigation. It must not be left to cost-cutting considerations driven by non-risk priorities. Instead, the primary business stakeholders responsible for the information assets must step up to embrace their appointed responsibilities, which include mitigating the risks to their assets, and act accordingly.

Security is, besides technology, a mind-set which all employees must share. The organization must deal with security as it deals with other corporate aims such as quality and CSR, and it must be clearly endorsed and supported by senior management. The persons responsible for information security governance must answer directly to the CEO or to the Board of Directors to ensure their independence from line-of-business concerns. A breach in one area of the business is likely to affect the whole.

Assess and adapt

There is a way out for companies that are stuck or struggling due to a straggling security organization. The way forward is to assess the setup and adapt the organization.

As a first step, commence with an assessment of the maturity of your information security setup. This can be measured using the Capability Maturity Model (CMM), a general model for evaluating business-driven processes in government offices, commerce, industry and IT organizations worldwide. The term "maturity" relates to the degree of formality and optimization of the processes.

The outcome of an assessment is often displayed in a chart, as seen in figure 1, indicating focus areas, priorities, and recommendations.

Then establish an information security organization independent of the IT department, reporting to the CEO. The information security organization must govern the information security management system, while implementing the recommendations identified in the security assessment.

Thereafter, align the information security strategy with the business strategy by involving primary stakeholders and opinion leaders in the business.

Finally, identify all the requirements and create/update the security strategy.

The outcome is a firm course for a security program fully aligned with the business strategy. A major benefit will be a broader understanding and acceptance of information security across the organization, which will assist in embedding security as a corporate value.

So if I were to ask you again about your company’s information security strategy, would you know what to answer?


About NNIT Security Insights

NNIT Security Insights is a regular column where prominent NNIT IT security advisors share their thoughts on current and future IT security challenges and how to deal with them.

NNIT has its own Computer Emergency Response Team (CERT). If lightning strikes, we have the necessary competencies in-house to respond and assist. We have also developed a range of services that can help businesses achieve the right level of security protection, shielding the business from financial and reputational damage.

You are welcome to contact us at if you want to know more about how NNIT can help your business increase its information security level.




Helge Skov Djernes, Information Security Management Consultant, +45 3075 8868, hfsd@nnit.com
