
Aligning cybersecurity with business needs and requirements
“Security is our top priority” is one of those things that is like the true name of a daemon in Warhammer — if everyone in the organization knew and understood what it was, then you could actually have effective cybersecurity.
Tortured references aside, the point I am trying to make here is that aligning cybersecurity with business needs is probably the top requirement of effective cybersecurity that we often fail to deliver. This is something that most practitioners are intimately familiar with — and spend a fair amount of time ranting about online. Common examples:
- Execs who do not want MFA turned on for them, and sometimes their teams
- “Won’t use an authenticator app on my personal phone”
  - Fair enough, here is a YubiKey
- “I don’t want to use this USB drive, I was not trained to use MFA, turn it off!”
  - Fair enough, here is a YubiKey
I could go on. Of course, we security folks are also guilty of making things too complex for everyone to understand. Security teams (or the one admin wearing the security hat this morning!) often focus too narrowly on "complete protection" as they define it, causing friction with both the business and other IT teams.
Companies exist to do business. Security that slows down the business of making money is going to get slowly pushed to the wayside. This could happen in several quiet but effective ways:
- Cutting the budget, making some security impossible to deploy
- Reducing the scope of the security teams by moving some responsibilities into other business areas
- Increasing the focus on compliance, leading to checkbox security
All of these business shifts result in a security posture that doesn’t always protect the company.
How to avoid common mistakes and stay aligned
Aligning cybersecurity with business objectives is critical. Security has every right to be the provider of guardrails that protect a business — but it must avoid becoming a gatekeeper or speed bump that slows down the pursuit of business growth. In large organizations, success in security deployments often hinges on building consensus and establishing clear policies before rolling out tests and gathering feedback. It’s a lesson we’ve heard repeatedly over the past decade — and it still holds true: Security should never become a drag on business velocity. That means working collaboratively with reluctant development teams and other stakeholders to align on goals before enforcing controls on potentially risky practices.
Once you have security deployed, the ability to break down its impact in business terms is a critical capability. Whether it is the CFO asking about ROI or a line-of-business leader trying to redirect your license budget toward their preferred tool, being able to quantify the value of your deployed solution in dollar terms makes it hard to challenge.
Publishing a regular value report — monthly or quarterly — based on logs and ticket data can help translate technical wins into business impact. For example, blocking phishing emails can be framed as “hours of employee productivity saved.”
Yes, it takes effort, and it may not feel like direct security work—but it’s essential for demonstrating your value to the business. Metrics like reduced downtime, prevented breaches, and protection of brand trust make leadership look good during quarterly business reviews (QBRs)—and they elevate your role in the long run.
Cybersecurity is vital to business survival. It’s not just a once-a-year compliance checkbox. When security teams prove their return on investment (ROI), they earn influence—and continued investment.
