Page 27 - CISSO_Prep_ Guide
Missions and Goals
Every organization is different. The most obvious difference between organizations is the one between a commercial enterprise and the military or a government agency. The military is interested in accomplishing a mission, a business enterprise in generating profit, and the government in providing service. Regardless of the type of enterprise, each needs security, and the role of the security professional is to develop a security program tailored to that organization's priorities, culture, mission, and regulatory environment. For a commercial organization, the meaning of security is tempered by the need to conduct careful cost/benefit analysis and to balance risk against opportunity. This becomes especially important when we examine risk and risk appetite later in this book.
Enterprise-wide Security
Most organizations are built in silos. They have separate departments - Finance, Human Resources, Sales, Manufacturing, etc. Each department is a separate entity, with its own leader, budget, staff, and business processes. IT and IT security are similar in that they are often independent of, and different from, the rest of the organization.

In many cases today, IT is even outsourced and provided by a separate company or agency (often as a service called "the cloud"). The "silo" mentality of business organization can lead to problems. An organization is made up of many pieces, but those pieces need to work together effectively: a problem in one area is sure to have an effect on other areas.