Thinking About the Security Program in Relation to Business and IT

One thing I often find missing in security is a clear view of the relationship between the security program and the business, and between the security program and IT. Currently, security is a separate function with its own view and its own isolated program.

Why do we need to fix that? Security isn’t something that you solve in isolation. It only functions properly if the business is involved (where relevant), and it only functions properly if IT is involved (where relevant).

For example, if the business acquires another business, it could have a significant effect on the security posture. Likewise, when dealing with vulnerabilities the security team requires IT cooperation, and the same applies to hardening, pen testing, DLP, etc.

How do we fix that? Well, to start with, we need to document how they relate to each other and what the touch points are.

I’ve been experimenting with looking at the security program at different levels using threat modeling techniques:

  • Business View
  • IT Landscape View
  • Cyber Security View

The Business View

Include the key components that make up the business; examples include:

  • The business
    • Customers
    • Sub-countries (with different business, IT, operating procedures)
    • Subsidiaries
    • Employees
    • Leadership
    • Offices
    • Customer branches
    • IT Landscape
    • Regulators
    • Attackers

The IT Landscape View

Include the key components that make up the IT landscape; examples include:

  • Public cloud
    • Applications
    • Virtual Machines
    • Cloud databases
    • Cloud services
  • On-prem
    • Servers
    • On-prem databases
    • APIs and middleware
  • Data solutions
  • Central logging and security monitoring
  • IAM services
  • AI systems
  • VPNs and leased lines
  • Backup and recovery systems
  • File servers
  • Laptops and smartphones (endpoints)
  • Virtual Desktops
  • Email systems
  • Productivity software

The Cyber Security View

Of course the cyber security (program) view should be included. It should contain the major components of the program.

An example of a security program:

Govern: Security governance, Data governance, Security & privacy standards, Security budget & finance

Identify: Asset management, Risk assessments & threat modeling, Cyber security threat intelligence, Third Party Risk Management

Protect: Endpoint protection & MDM, Network security, Vulnerability Management, Hardening & secure configuration, Encryption & cryptography, Mobile security, Physical security, IAM, DLP, Security awareness, Brand protection, Secure development and deployment

Detect: Security logging, Security monitoring

Respond & Recover: SOC, Security incident management, BCM & DR

To take this a step further, the aspects of the security program that touch upon the business or IT require further views/diagramming to highlight how they interact with each other.
