Build an Information Security Strategy
Tailor best practices to effectively manage information security.
This content requires an active subscription.
Access this content by logging in with your Info-Tech Research Group membership or contacting one of our representatives for assistance.
View Storyboard
Your Challenge
- Organizations are struggling to keep up with today’s evolving threat landscape.
- From technology sophistication and business adoption to the proliferation of hacking techniques and the expansion of hacking motivations, organizations are facing major security risks.
- Every organization needs some kind of information security program to protect their systems and assets.
- Organizations today face pressure from regulatory or legal obligations, customer requirement, and now, senior management expectations.
Our Advice
Critical Insight
- Performing an accurate assessment of your current security operations and maturity levels can be extremely hard when you don’t know what to assess or how to assess it.
- Alignment can be a difficult area for security to get right when it’s trying to balance both regular IT and the business.
- Communication is needed between the business leaders, IT leaders, and the security team for an effective security strategy to be in place.
Impact and Result
- Info-Tech has analyzed and integrated regulatory and industry best practice frameworks, combining COBIT 5, PCI DSS, ISO 27000, NIST SP800-53, and SANS to ensure an exhaustive approach to security.
- Through this process, a comprehensive current state assessment, gap analysis, and initiative generation ensures that nothing is left off the table.
- This project will elevate the perception of the security team from being a hindrance to the organization to an enabler.
Start here – read the Executive Brief
Read our concise Executive Brief to find out why you should build an Information Security strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.
1. Assess security requirements
Introduce security management and define the security scope while assessing the organizational risk profile.
2. Perform a gap analysis
Perform a gap analysis by assessing the current state and then determining the organizational target state.
3. Develop gap initiatives
Generate initiatives to reach the organizational target state.
4. Plan for the transition
Plan for the transition with a roadmap and deliverables to help augment the organizational program.
Guided Implementations
This guided implementation is a nine call advisory process.
Guided Implementation #1 - Assess security requirements
Call #1 - Review the scope of the security strategy plans
Call #2 - Define the organizational risk tolerance
Call #3 - Assess the security risk profile of the business
Guided Implementation #2 - Perform a gap analysis
Call #1 - Perform a current state assessment of the security controls
Call #2 - Determine the future target state of the security controls
Guided Implementation #3 - Develop gap initiatives
Call #1 - Identify existing gaps and create gap initiatives to close the gaps
Call #2 - Determine the benefit, cost, and resources needed for each initiative
Guided Implementation #4 - Plan for the transition
Call #1 - Build a roadmap based on the security initiatives
Call #2 - Optimize your strategy
Info-Tech Academy
Get Info-Tech Certified
Train your staff and develop a world-class IT team.
New to Info-Tech Academy? Learn more here
Security Strategy Course
Tailor best practices to effectively manage information security.
This course makes up part of the Security & Risk Certificate.
Course information:
- Title: Security Strategy Course
- Number of Course Modules: 5
- Estimated Time to Complete: 2-2.5 hours
- Featured:
- James McCloskey, Sr. Research Director, Security Practice
- Gord Harrison, SVP of Research and Advisory
- Now Playing: Executive Brief
Book Your Workshop
Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Assess Security Requirements
The Purpose
- Introduce security management.
- Analyze the business and IT strategy and plans.
- Define the organization's risk tolerance levels.
- Assess the security risk profile.
Key Benefits Achieved
- Security obligations statement
- Security scope and boundaries statement
- Defined risk tolerance level
- Security pressure posture
Activities
Outputs
Introduce security management.
Understand business and IT strategy and plans.
Define the security obligations, scope, and boundaries.
- Security obligations statement
- Security scope and boundaries statement
Define risk tolerance levels.
- Defined risk tolerance level
Assess the security pressure posture.
- Defined security pressure posture.
Module 2: Perform a Gap Analysis
The Purpose
- Define the current security capabilities and maturity.
- Develop a security target state based on the organization’s security risk profile, and conduct a gap analysis.
Key Benefits Achieved
- Visualization of the organization’s current security capabilities and maturity level
- Foundation built to determine your security target state by understanding the organization’s security needs and scope
Activities
Outputs
Assess current security capabilities and performance.
- Current security maturity levels
Review pen test results.
Define security target state.
- Security target state
Module 3: Develop Gap Initiatives
The Purpose
- Develop gap initiatives to reach your security target state.
- Assess the organization’s readiness to implement the gap initiatives and scale the initiatives to develop a feasible implementation plan.
Key Benefits Achieved
- Identified gap initiatives to augment the security program
- Understanding of the resources needed to implement all the initiatives
Activities
Outputs
Identify security gaps.
- Future state – current state gap analysis
Build initiatives to bridge the gap.
- Initiatives to address the gap
Estimate the resources needed.
- Estimate of required effort
Prioritize gap initiatives.
- Budget and resource readiness analysis
Determine start time and accountability.
Module 4: Plan for the Transition
The Purpose
- Finalize the roadmap and action plan for the information security plan.
- Create a security charter, organizational structure, change and communication plan, and/or security services catalog.
- Develop a metrics program to measure your progress.
Key Benefits Achieved
- Finalized information security roadmap and action plan for the organization
- Key deliverables to kick-start the security program
- Measurement program to monitor and improve upon the existing program
Activities
Outputs
Finalize security roadmap and action plan.
- Security roadmap and action plan
Build a security charter.
- Security charter
Build the security program organizational structure.
- Security organizational structure
Create a change and communication plan.
- Change and communication plan
Develop a metrics program.
- Metrics program
Develop a security services catalog.
- Security services catalog
