

Strong governance, incorporating risk and compliance management, must drive security protection directly, ensuring that it meets and supports organizations' business objectives, and is managed appropriately to counter the risks that arise internally and externally.


  • Risk is the critical link between business and security concerns, providing a quantitative basis for the automation of security operations. This is increasingly essential to cater for ever-tougher performance-, capacity-, and complexity-related demands.

Features and Benefits

  • Recommends how enterprises should make progress toward achieving business-driven security.
  • Identifies what is needed from vendors to support enterprises looking to achieve business-driven security.

Key questions answered

  • Is my organization alone in not knowing whether our security architecture and solutions fit business needs optimally?
  • What benefits can my organization consider to support a business case for better capabilities?
  • What capabilities should my organization focus on in order to optimize the link between business and security?

Table of contents


  • Catalyst
  • Ovum view
  • Key messages


  • Recommendations for enterprises
  • Recommendations for vendors

For many organizations, security has not been developed in line with business needs

  • Multiple, high-priority operational issues result in growing pressure
  • A legacy of addressing problems individually has led to self-defeating complexity
  • Operational and strategic security issues should be addressed collectively

Growing and diverse compliance obligations necessitate security’s integration with governance

  • Compliance obligations are becoming more complex and require risk-focused capabilities
  • Enterprises must be able to integrate governance of broader, more diverse compliance requirements

Business-driven security enables risk to inform security-related decisions and outcomes

  • Risk should underpin business cases for security
  • The language and culture of risk enable cross-disciplinary collaboration on security decisions

Organizations should align their capabilities as a foundation for business-driven security

  • GRC solutions address threats to organizational objectives
  • Identity underpins all business relationships and the delivery and protection of services on all types of platform
  • Cybersecurity applies intelligence to counter unforeseen threats that can develop rapidly


  • Methodology
  • Further reading
  • Author