Mission and business needs
by John Bandler
Mission and business needs are the top priority for every organization. Mission is one of the Five Components for Policy Work, so let's put it in context of policies, procedures, law, cybersecurity, privacy, and management.
Every organization exists for a reason -- that's their mission. It might be called goals, objectives or something else, and along with it comes business needs.
Occasionally some see a conflict between mission, revenue, compliance, and security. But good planning and management principles help organizations make good decisions about risks so they can fulfill all of those important areas: achieve the mission, protect the organization, protect consumer privacy, and comply with applicable legal requirements.
I write this in the context of information security and internal rules. We can create rules and practices that protect the organization, comply with legal requirements, and help the organization better achieve its mission.
What is the mission and what are the business needs?
Organization mission may include:
- Do good and help individuals and society, provide a necessary service or product
- Earn revenue and business (which pays employee salaries, rewards business owners and shareholders, etc.)
- Obtain donations or grants
- Survive, thrive, and grow.
Different people have different responsibilities and motives
Within the organization, there may be competing interests. In a small startup, a few people wear multiple hats, balancing building business, cybersecurity, privacy, legal compliance, and more. For progressively larger organizations, each role may be filled by a different person or even an entire department.
While the organization is ostensibly working towards a unified goal, sometimes individual components are not working efficiently together, or might even be working to achieve separate outcomes.
Consider these areas:
- Increasing revenue and customer base
- Marketing and putting the most positive light on the company's goods or services
- Managing information assets and information technology, and meeting the requests and demands of employees and management
- Securing information assets from crime or disaster
- Complying with legal requirements
- Creating proper documentation regarding the organization's rules, future plans, and present and past activities
The Five Components for Policy Work: Three became four and then five
My Five Components for Policy Work include:
- Mission and business needs
- External rules: Laws and regulations
- Internal rules: Policies, procedures, and more
- Practice or action: what is actually done
- External guidance.
I started with Three Platforms to Connect for compliance to visualize how legal requirements, internal policy, and organization practice should align.
Then I introduced mission and business needs as the Fourth Platform.
This brings organization mission and business needs into our conceptual diagram. Mission can include doing good to help individuals and society, earning revenue and business, obtaining donations or grants, surviving, thriving, and growing.
Finally I added the concept of "External Guidance" as a bubbly cloud.
I switched to a top view to show all five components. With these five components, organizations can consider all areas needed to manage themselves and create or update their internal rules.
Security and compliance help accomplish the mission
Cybersecurity, privacy, and legal compliance should not be thought of as disciplines that compete with or hinder the organization's pursuit of business goals and mission.
Rather, a comprehensive management philosophy recognizes organizations need to plan, prepare, protect, and comply with legal requirements. Thus, information assets are an important part of an organization's assets and abilities, and good management and planning helps maximize efficiency and protect the organization.
Foremost, good management and protection of information assets helps the organization accomplish its mission. Secondly, failing to protect information assets can result in a devastating cybercrime that is costly. Thirdly, failure to comply with legal requirements can be costly and damaging to reputation.
Laying out principles
Here is how I see all of this fitting in:
- Organization mission comes first
- Organizations that plan and that manage themselves well can better accomplish the mission.
- To do the mission well, the organization must properly manage information assets.
- Properly managing information assets includes security, efficiency, cost reduction, and maximizing resources.
- To do the mission well, the organization must properly secure information assets with good cybersecurity.
- To do the mission, the organization must comply with applicable laws and legal requirements.
- Legal requirements include cybersecurity and privacy, negligence law principles, contract, and more.
- Failure to comply with legal requirements (including regarding cybersecurity or privacy) means increased risk of legal action.
- Good business practices mean having good cybersecurity and privacy practices.
- Failure to have good cybersecurity or privacy practices means increased risk of cybercrime and cyber incidents such as data breach, ransomware, and theft. Such incidents are costly, hamper the mission, and damage the business and reputation.
- Management is key with cybersecurity and all other things
- A well-managed business plans ahead and makes solid decisions after weighing options. This planning is both short term and long term (tactical and strategic).
- A well-managed business considers mission, revenue, compliance, security, privacy, protecting itself, employees, and customers
- A poorly managed business does not do the above and may lurch from crisis to crisis, without good planning and without efficiency
- Good management principles help with management of cybersecurity, privacy, managing information assets, and for all other areas too.
- Good management principles include having good policies and procedures (internal rules).
- Good internal rules help fulfill the mission, comply with legal requirements, and let employees know what to do.
Mission comes first. Policies, procedures, cybersecurity, and good management of information assets all help fulfill that mission. Achieving the mission means securing and protecting the organization adequately and complying with legal requirements.
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to contact me.
This article is hosted at https://johnbandler.com/business-needs-and-mission, copyright John Bandler, all rights reserved.
This article is also available on Medium.com at https://johnbandler.medium.com/business-needs-and-mission-ee228fe4e6e6 (though not kept as up to date).
Originally posted 7/28/2022, updated 01/03/2023.