Trial lock

This Research is for Members Only

Not a member? Unlock a free sample of our research now!

Already a member?

Sign in now

Security icon

Build an Information Security Strategy

Tailor best practices to effectively manage information security.

Unlock a Free Sample

View Storyboard

Solution Set Storyboard Thumbnail


  • Peter Clay, Zeneth Tech Partners, Principal
  • Ken Towne, Zeneth Tech Partners, Security Architect
  • Luciano Siqueria, Road Track, IT Security Manager
  • Candy Alexander, Independent Consultant, Cybersecurity and Information Security Executive
  • Jason Bevis – FireEye, Senior Director Orchestration Product Management - Office of the CTO
  • Joan Middleton, Villiage of Mount Prospect, IT Director
  • David Rahbany, The Hain Celestial Group, Director IT Infrastructure
  • Rick Vadgama, Cimpress, Head of Information Privacy and Security
  • Doug Salah, Wabtec Corp, Manager of Information Security and IT Audit
  • Peter Odegard, Children’s Hospitals and Clinics, Information Security Officer
  • Trevor Butler, City of Lethbridge, Information Technology General Manager
  • Shane Callahan, Tractor Supply, Director of Information Security
  • Jeff Zalusky, Chrysalis, President/CEO
  • Dan Humbert, YMCA of Central Florida, Director of Information Technology
  • Ron Kirkland, Crawford & Co, Manager ICT Security & Customer Service
  • Jim Burns, GreatAmerica Financial Services, Vice President Information Technology
  • Ryan Breed, Hudson’s Bay, Information Security Analyst
  • James Fielder, Farm Credit Services – Central Illinois, Vice President of Information Systems

Your Challenge

  • Complexity of technology environments is increasing, making it difficult to stay on top of their security risk exposure.
  • Malware and hacking techniques are more sophisticated than ever, and organizations face serious adversarial threats.
  • Organizations have steadily increasing security obligations from business owners, customers, and regulatory/legal agencies, requiring an all-inclusive strategy.
  • Stakeholder buy-in is difficult to gain – interested parties need to understand how security initiatives align with broader business priorities.

Our Advice

Critical Insight

  • Just because you haven’t identified a breach doesn’t mean you’re secure.
    A good security program is proactive about closing security gaps because ignorance is never blissful.
  • Compliance and organizational reputation create an intertwined relationship between the business and your security strategy.
    Security programs must be regularly assessed and continuously maintained to ensure security controls align with organizational objectives.
  • Optimize the basics and then continually improve.
    Consistently, the top security threats are not advanced new techniques – they are traditional, old-school attacks. There is a reason for this: they still work! This means that simply mastering the fundamentals will provide meaningful protection and can be the foundation on which a fully optimized security program is built.

Impact and Result

  • Info-Tech has analyzed and integrated regulatory and industry best-practice frameworks, combining COBIT 5, PCI DSS, ISO 27000, NIST SP800-53, and CIS to ensure an exhaustive approach to security.
  • Through this process, a comprehensive current state assessment, gap analysis, and initiative generation ensures that nothing is left off the table.
  • This project will elevate the perception of the security team from being a hindrance to the organization to an enabler.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build an information security strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Assess security requirements

Define the business, customer, and compliance alignment for the security program, and determine the organization’s security pressure risk tolerance.

2. Build a gap initiative strategy

Use our best-of-breed security framework to perform a gap analysis between current and target states, and define security goals and duties.

3. Prioritize initiatives and create roadmap

Synthesize the gap analysis into a list of actionable security initiatives, and prioritize these based on cost, effort, security benefit, and alignment with business demands.

4. Execute and maintain

Learn to use Info-Tech’s methodology to manage security projects on the go, and identify resources that will help execute the strategy successfully.

Guided Implementations

This guided implementation is a ten call advisory process.

Guided Implementation #1 - Assess requirements

Call #1 - Assess and discuss the security pressure
Call #2 - Document business, customer, and compliance obligations
Call #3 - Define the organizational risk tolerance

Guided Implementation #2 - Assess gaps

Call #1 - Begin the gap analysis (current state, target state, gap initiatives)
Call #2 - Continue the gap analysis (as many calls as needed)
Call #3 - Review completed analysis

Guided Implementation #3 - Build the roadmap

Call #1 - Estimate the benefit, cost, and alignment of security initiatives
Call #2 - Create the roadmap based on estimations

Guided Implementation #4 - Execute and maintain

Call #1 - Finalize roadmap and build communication deck
Call #2 - Identify opportunities to kick-off execution of the strategy

Info-Tech Academy

Get Info-Tech Certified

Train your staff and develop a world-class IT team.

An active membership is required to access Info-Tech Academy

New to Info-Tech Academy? Learn more here

Security Strategy Course

Tailor best practices to effectively manage information security.
This course makes up part of the Security & Risk Certificate.

Course information:

  • Title: Security Strategy Course
  • Number of Course Modules: 5
  • Estimated Time to Complete: 2-2.5 hours
  • Featured Analysts:
  • Cameron Smith, Senior Consulting Analyst, Security Practice
  • James McCloskey, Sr. Research Director, Security Practice
  • Now Playing: Academy: Security Strategy | Executive Brief

Onsite Workshop

Discuss This Workshop

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess Security Requirements

The Purpose

  • Determine the business, customer, compliance goals and obligations that the security strategy must support.
  • Define organizational security pressure and risk tolerance.

Key Benefits Achieved

  • Clear understanding of how to align the security strategy with the business.
  • Formalized and documented security pressure and risk tolerance information.




Discuss business and IT strategy and plans.


Determine organizational security pressure.

  • Information security pressure analysis

Define business, customer, and compliance goals and obligations. Define security program scope and boundaries.

  • Information security alignment and obligations statement
  • Information security scope and boundaries statement

Define information security risk tolerance.

  • Information Security Requirements Gathering Tool

Module 2: Perform a Gap Analysis

The Purpose

  • Identify current and target security capabilities, and what would be required to achieve the target state.

Key Benefits Achieved

  • Comprehensive list of all initiatives that could be undertaken to achieve security targets in every area.




Review penetration test results (optional).


Assess current and target security capabilities.

  • Current vs. target state gap analysis

Define gap initiatives to achieve target state.

  • Actionable initiatives to resolve security gaps

Module 3: Prioritize Initiatives and Create Roadmap

The Purpose

  • Prioritize the order of execution for security initiatives based on meaningful variables for the organization: cost / effort / security benefit / business alignment.

Key Benefits Achieved

  • Prioritized roadmap of security initiatives and persuasive rationale for stakeholders.




Define standard prioritization variables.


Estimate resources needed per initiative.


Build effort map and prioritize gap initiatives based on cost / effort / benefit / alignment.

  • Security strategy roadmap and action plan

Build roadmap for execution order for gap initiatives.

Module 4: Communicate and Implement

The Purpose

  • Assemble all information generated during the workshop into a concise and compelling communication deck and action plan.
  • Understand how to use Info-Tech’s methodology to continually manage security initiatives.
  • Produce final deliverables.

Key Benefits Achieved

  • All inputs from the workshop are pulled together into meaningful and usable deliverables.




Finalize deliverables.

  • Security strategy and roadmap deck/document
  • Detailed cost and effort estimates
  • Mapping of Info-Tech resources against individual initiatives

Support communication efforts.


Identify resources in support of high-priority initiatives.