The need for an organization’s information security program to be business-aligned cannot be overstated. The lack of business alignment could be considered a program’s greatest failing if not corrected.
For the most part.
It is critical for an information security program to be aligned with, and supportive of, the organization’s overall goals, and to utilize existing mechanisms such as corporate governance and policy enforcement. However, if and where there is dysfunction in the organization’s culture (for instance, a casual attitude or a checkbox approach towards security or privacy), the program may deliberately position itself out of phase with the organization in order to alter the culture and bring it to a better place. In another example, rather than being satisfied with what may be low organizational maturity, security program leaders may influence process maturity by example, through the enactment of higher-maturity processes and procedures.
As change agents, security leaders need to thoughtfully understand where alignment is beneficial and where influence is essential.
— excerpt from an upcoming book on information security management