Business Model Canvas
The business model canvas is a clear, concise framework for aligning a cyber security program to a business.
One of the best business books I’ve read is Business Model Generation.
Here’s how we work with CTOs to apply it to a new security program:
It’s mostly pictures, built around a one-page chart that represents a business model.
We use it to distill and communicate an existing business model.
When we start building a security program with a new company, it’s a process we use to understand:
- how they work
- where they are going
- what’s important
You can quickly capture the key aspects of how a business works and sketch out the impact of strategy changes, such as:
- new service offerings
- M&A activity
- partnerships
From there, we can map high-level business risks, which we then connect with the more technical security assessment activities.
It’s pretty telling to watch a management team define its business model.
It quickly gives you a sense of:
- the culture of the team
- areas where there are misalignments (or even disagreements)
- how well they can communicate the big picture of the company
Sometimes the CEO nails all the areas in a quick, precise manner.
Other times the team debates and negotiates how different components work.
However you get there, it’s a great way to achieve consensus on (and occasionally reconfirm) the overall business strategy. I don’t think you can build a proper security program without having a strong understanding of the business model.
Here’s the business model for my company, IOmergent: