Build an Information Security Strategy

Tailor best practices to effectively manage information security.

Do not fill in this field

Enter no text in this field

Get Instant Access to this Blueprint

Full Name

Company

Phone

Job Title

Unlock This Blueprint

View Storyboard

Contributors

Peter Clay, Zeneth Tech Partners, Principal
Ken Towne, Zeneth Tech Partners, Security Architect
Luciano Siqueria, Road Track, IT Security Manager
Candy Alexander, Independent Consultant, Cybersecurity and Information Security Executive
Jason Bevis – FireEye, Senior Director Orchestration Product Management - Office of the CTO
Joan Middleton, Villiage of Mount Prospect, IT Director
David Rahbany, The Hain Celestial Group, Director IT Infrastructure
Rick Vadgama, Cimpress, Head of Information Privacy and Security
Doug Salah, Wabtec Corp, Manager of Information Security and IT Audit
Peter Odegard, Children’s Hospitals and Clinics, Information Security Officer
Trevor Butler, City of Lethbridge, Information Technology General Manager
Shane Callahan, Tractor Supply, Director of Information Security
Jeff Zalusky, Chrysalis, President/CEO
Dan Humbert, YMCA of Central Florida, Director of Information Technology
Ron Kirkland, Crawford & Co, Manager ICT Security & Customer Service
Jim Burns, GreatAmerica Financial Services, Vice President Information Technology
Ryan Breed, Hudson’s Bay, Information Security Analyst
James Fielder, Farm Credit Services – Central Illinois, Vice President of Information Systems

Your Challenge

Complexity of technology environments is increasing, making it difficult to stay on top of their security risk exposure.
Malware and hacking techniques are more sophisticated than ever, and organizations face serious adversarial threats.
Organizations have steadily increasing security obligations from business owners, customers, and regulatory/legal agencies, requiring an all-inclusive strategy.
Stakeholder buy-in is difficult to gain – interested parties need to understand how security initiatives align with broader business priorities.

Our Advice

Critical Insight

Just because you haven’t identified a breach doesn’t mean you’re secure.
A good security program is proactive about closing security gaps because ignorance is never blissful.
Compliance and organizational reputation create an intertwined relationship between the business and your security strategy.
Security programs must be regularly assessed and continuously maintained to ensure security controls align with organizational objectives.
Optimize the basics and then continually improve.
Consistently, the top security threats are not advanced new techniques – they are traditional, old-school attacks. There is a reason for this: they still work! This means that simply mastering the fundamentals will provide meaningful protection and can be the foundation on which a fully optimized security program is built.

Impact and Result

Info-Tech has analyzed and integrated regulatory and industry best-practice frameworks, combining COBIT 5, PCI DSS, ISO 27000, NIST SP800-53, and CIS to ensure an exhaustive approach to security.
Through this process, a comprehensive current state assessment, gap analysis, and initiative generation ensures that nothing is left off the table.
This project will elevate the perception of the security team from being a hindrance to the organization to an enabler.

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build an information security strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Build an Information Security Strategy – Executive Brief

1. Assess security requirements

Define the business, customer, and compliance alignment for the security program, and determine the organization’s security pressure risk tolerance.

2. Build a gap initiative strategy

Use our best-of-breed security framework to perform a gap analysis between current and target states, and define security goals and duties.

3. Prioritize initiatives and create roadmap

Synthesize the gap analysis into a list of actionable security initiatives, and prioritize these based on cost, effort, security benefit, and alignment with business demands.

4. Execute and maintain

Learn to use Info-Tech’s methodology to manage security projects on the go, and identify resources that will help execute the strategy successfully.

Guided Implementations

This guided implementation is a ten call advisory process.

Guided Implementation #1 - Assess requirements

Call #1 - Assess and discuss the security pressure

Call #2 - Document business, customer, and compliance obligations

Call #3 - Define the organizational risk tolerance

Guided Implementation #2 - Assess gaps

Call #1 - Begin the gap analysis (current state, target state, gap initiatives)

Call #2 - Continue the gap analysis (as many calls as needed)

Call #3 - Review completed analysis

Guided Implementation #3 - Build the roadmap

Call #1 - Estimate the benefit, cost, and alignment of security initiatives

Call #2 - Create the roadmap based on estimations

Guided Implementation #4 - Execute and maintain

Call #1 - Finalize roadmap and build communication deck

Call #2 - Identify opportunities to kick-off execution of the strategy

Info-Tech Academy

Get Info-Tech Certified

Train your staff and develop a world-class IT team.

An active membership is required to access Info-Tech Academy

New to Info-Tech Academy? Learn more here

Security Strategy

Tailor best practices to effectively manage information security.
This course makes up part of the Security & Risk Certificate.

Course information:

Title: Security Strategy
Number of Course Modules: 5
Estimated Time to Complete: 2-2.5 hours
Featured Analysts:
Cameron Smith, Senior Consulting Analyst, Security Practice
James McCloskey, Sr. Research Director, Security Practice
Now Playing: Academy: Security Strategy | Executive Brief

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess Security Requirements

The Purpose

Determine the business, customer, compliance goals and obligations that the security strategy must support.
Define organizational security pressure and risk tolerance.

Key Benefits Achieved

Clear understanding of how to align the security strategy with the business.
Formalized and documented security pressure and risk tolerance information.

Activities

Outputs

1.1

Discuss business and IT strategy and plans.

1.2

Determine organizational security pressure.

Information security pressure analysis

1.3

Define business, customer, and compliance goals and obligations. Define security program scope and boundaries.

Information security alignment and obligations statement
Information security scope and boundaries statement

1.4

Define information security risk tolerance.

Information Security Requirements Gathering Tool

Module 2: Perform a Gap Analysis

The Purpose

Identify current and target security capabilities, and what would be required to achieve the target state.

Key Benefits Achieved

Comprehensive list of all initiatives that could be undertaken to achieve security targets in every area.

Activities

Outputs

2.1

Review penetration test results (optional).

2.2

Assess current and target security capabilities.

Current vs. target state gap analysis

2.3

Define gap initiatives to achieve target state.

Actionable initiatives to resolve security gaps

Module 3: Prioritize Initiatives and Create Roadmap

The Purpose

Prioritize the order of execution for security initiatives based on meaningful variables for the organization: cost / effort / security benefit / business alignment.

Key Benefits Achieved

Prioritized roadmap of security initiatives and persuasive rationale for stakeholders.

Activities

Outputs

3.1

Define standard prioritization variables.

3.2

Estimate resources needed per initiative.

3.3

Build effort map and prioritize gap initiatives based on cost / effort / benefit / alignment.

Security strategy roadmap and action plan

3.4

Build roadmap for execution order for gap initiatives.

Module 4: Communicate and Implement

The Purpose

Assemble all information generated during the workshop into a concise and compelling communication deck and action plan.
Understand how to use Info-Tech’s methodology to continually manage security initiatives.
Produce final deliverables.

Key Benefits Achieved

All inputs from the workshop are pulled together into meaningful and usable deliverables.

Activities

Outputs

4.1

Finalize deliverables.

Security strategy and roadmap deck/document
Detailed cost and effort estimates
Mapping of Info-Tech resources against individual initiatives

4.2

Support communication efforts.

4.3

Identify resources in support of high-priority initiatives.

After each Info-Tech experience, we ask our members to quantify the real time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this Blueprint, and what our clients have to say.

Client

Experience

Impact

$ Saved

Days Saved

Testimonial

Noramco

Workshop

10/10

$10,000

Aclara

Workshop

9/10

$33,091

Best - Coming out with a roadmap that aligns with business goals allows us to better interface with management about Cyber Security. Worst - We still have organizational questions. Are we correctly staffed. Do we have people or knowledge gaps? How do we align the roadmap with skills and headcount?

Montana Department of Transportation

Workshop

8/10

$13,236

Best was the gap analysis results. Worst was not knowing exactly who from our organization to schedule at what times for the content in the gap analysis spreadsheet.

St. Lawrence County

Guided Implementation

10/10

$13,236

See my last comments about Rita. She's great!

St. Lawrence County

Guided Implementation

9/10

$13,236

All good except all the work!! Rita is a slave driver! ;-) Seriously, she was great and we got an actionable document as a result.

Witt Kieffer

Guided Implementation

10/10

N/A

We traversed the project relatively quickly based on what I heard from Rita. We needed to complete this project to build the road map for our security directions. For us it was hard at the beginning as it is easy to get overwhelmed with the 240 some questions that need to be answered. As we went through the process it was obvious that we needed to answer all of the questions. It was good to feel that we addressed all of the major components and are not missing something major.

Klein Independant School District

Guided Implementation

10/10

$2,647

Goal was to use the phone call to keep us on track on working through the strategy initiative. Call and materials served the purpose well and allowed us to get the initial infosec charter done very efficiently.

Cengage Learning

Guided Implementation

9/10

N/A

The collaborative and open approach was helpful, as well as giving a wide view of what InfoTech has seen. I did not note any negative aspects to the call.

City of Orlando

Guided Implementation

10/10

N/A

120

Knowledgeable insight into the process and value.

Fernco Inc

Workshop

9/10

$66,183

Best: Able to leverage the experience of Sumit and previous workshop outputs to generate security workshop deliverable Worst: Discussing the 200+ security control protocols. Due to the nature of the security topic it is necessary to discover gaps and threats to current business operations.

Alabama Department of Corrections

Guided Implementation

10/10

$6,618

Tracy-Lynn was able to decipher our issue, and offer us some tools that will accelerate developing a final solution. In addition, she sent me a detailed email which lays out the steps I need to take and the links to the tools.

Town of Okotoks

Workshop

9/10

$25,000

Was overall a very good experience and Filipe was a great facilitator.

Fletcher Building Limited

Guided Implementation

10/10

$22,341

Kevin did an excellent job in providing advice - always highly professional and very accomodating to our needs. There were a few challenges related to time zones and the general distance between offices - this is something that the new AU office will likely solve.

Michigan Supreme Court

Guided Implementation

9/10

N/A

Ecore International

Guided Implementation

10/10

N/A

British Columbia Securities Commission

Guided Implementation

7/10

N/A

Ian was very knowledgeable and well spoken. Still trying to figure out if this framework has coverage related to items the internal auditors will care about. However, I have a way forward with this.

Hamilton Public Library

Guided Implementation

10/10

N/A

Rita was organized and guided through the whole security program. Thanks

American National Insurance Company Inc

Guided Implementation

10/10

$66,183

Yaj was incredibly helpful and patient with me during the call. His background and experience has helped me get a handle on how to advance my agenda here. I appreciate him taking time for me this afternoon.

Birch Hill Equity

Workshop

10/10

$14,500

College of Westchester

Guided Implementation

9/10

N/A

Ipsen Pharma SAS

Guided Implementation

8/10

$15,222

Good: good understanding and good answer: Bad: the communication via Webex + phone

Western Canada Lottery Corporation

Workshop

9/10

N/A

Pegasus Business Intelligence, LP d/b/a Onyx CenterSource

Guided Implementation

9/10

N/A

Best: The templates and blueprints created and the guidance from the advisor. The valuable feedback and business knowledge on the various topics discussed as a part of the blue print. Worst: My own challenge to set aside enough time to complete my tasks.

CIEE, Org.

Guided Implementation

9/10

N/A

Academic Partnerships

Guided Implementation

8/10

$13,236

Rita has been very helpful in providing updates. Blueprint, and tools are excellent resources for us. Can't think of worst parts of our experience. All is very helpful.

BTG International

Guided Implementation

9/10

N/A

Braun Intertec Corporation

Guided Implementation

6/10

N/A

Olmsted Medical Center

Workshop

10/10

N/A

Capital Regional District

Guided Implementation

10/10

$5,000

Kevin was awesome, really knowledgeable in the area and obviously has a wealth of experience with developing a security strategy. He provided clear direction and answered all of the questions that I had. It is great to have his feedback on the security strategy and his assistance in creating it. Overall the guided implementation was very worthwhile as it provided me with much more clarity and overall vision of the process than just reading the research and documentation and filling out the spreadsheets alone. I would definitely reach out to Info-Tech in the future for further guided implementations in other areas while developing and rolling out the projects and initiatives related to our security program.

Pharmascience

Guided Implementation

9/10

N/A