Some sort of business model is needed to make rational business decisions about information protection. If the enterprise is to achieve a substantial maturity level, then it must build a business model or use an existing one.
Existing business models will be leveraged for information protection use.
While many enterprises model themselves in different ways, most such models are not suitable or available for information protection related modeling. But if they are, there is no reason to waste resources redoing what has already been done.
An implicit model will be used.
Even if no explicit model is used, individuals within the enterprise use their knowledge and a variety of tools, databases, personal knowledge, and other related things to model the business.
The notion of how the business works is fundamental to making decisions about information protection, because the information protection function supports the business by defining the utility of content and the needs and rationale for that utility. At a detailed level, this may be codified in terms of process diagrams and associated details such as timeliness requirements, business consequences of information and information technology failures of different sorts, internal and external interdependencies, and so forth. At a higher level it is divided into different common functions, such as sales, marketing, and brand, resources that get transformed and produce value, and so forth. These comprise the basic functions of the organization and the foundation for analysis of the value and import of its function or utility.