Contributors
- Peter Clay, Zeneth Tech Partners, Principal
- Ken Towne, Zeneth Tech Partners, Security Architect
- Luciano Siqueria, Road Track, IT Security Manager
- Candy Alexander, Independent Consultant, Cybersecurity and Information Security Executive
- Jason Bevis, FireEye, Senior Director Orchestration Product Management, Office of the CTO
- Joan Middleton, Village of Mount Prospect, IT Director
- David Rahbany, The Hain Celestial Group, Director IT Infrastructure
- Rick Vadgama, Cimpress, Head of Information Privacy and Security
- Doug Salah, Wabtec Corp, Manager of Information Security and IT Audit
- Peter Odegard, Children’s Hospitals and Clinics, Information Security Officer
- Trevor Butler, City of Lethbridge, Information Technology General Manager
- Shane Callahan, Tractor Supply, Director of Information Security
- Jeff Zalusky, Chrysalis, President/CEO
- Dan Humbert, YMCA of Central Florida, Director of Information Technology
- Ron Kirkland, Crawford & Co, Manager ICT Security & Customer Service
- Jim Burns, GreatAmerica Financial Services, Vice President Information Technology
- Ryan Breed, Hudson’s Bay, Information Security Analyst
- James Fielder, Farm Credit Services – Central Illinois, Vice President of Information Systems
- Many security leaders struggle to decide how best to prioritize their scarce information security resources.
- The need to move from a reactive approach to security towards a strategic planning approach is clear. The path to getting there is less so.
Our Advice
Critical Insight
The most successful information security strategies are:
- Holistic – They consider the full spectrum of information security, including people, processes, and technology.
- Risk aware – They understand that security decisions should be made based on the security risks facing their organization, not just on “best practice.”
- Business aligned – They demonstrate an understanding of the goals and strategies of the organization and how the security program can support the business.
Impact and Result
- Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for more than seven years with hundreds of different organizations:
- This approach includes tools for:
- Ensuring alignment with business objectives.
- Assessing organizational risk and stakeholder expectations.
- Enabling a comprehensive current state assessment.
- Prioritizing initiatives and building out a security roadmap.
Guided Implementations
This guided implementation is an eight-call advisory process.
Guided Implementation #1 - Assess security requirements
Call #1 - Introduce project and complete pressure analysis.
Guided Implementation #2 - Build a gap initiative strategy
Call #1 - Introduce the maturity assessment.
Call #2 - Perform gap analysis and translate into initiatives.
Call #3 - Consolidate related gap initiatives and define, cost, effort, alignment, and security benefits.
Guided Implementation #3 - Prioritize initiatives and build roadmap
Call #1 - Review cost/benefit analysis and build an effort map.
Call #2 - Build implementation waves and introduce Gantt chart.
Guided Implementation #4 - Execute and maintain
Call #1 - Review Gantt chart and ensure budget/buy-in support.
Call #2 - Three-month check-in: Execute and maintain.

Info-Tech Academy
Get Info-Tech Certified
Train your staff and develop a world-class IT team.
Security Strategy
Tailor best practices to effectively manage information security.
This course makes up part of the Security & Risk Certificate.
Course information:
- Title: Security Strategy
- Number of Course Modules: 5
- Estimated Time to Complete: 2-2.5 hours
- Featured Analysts:
- Kevin Peuhkurinen, Research Director, Security & Risk
- Gord Harrison, Senior Vice President, Research
Book Your Workshop
Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Assess Security Requirements
The Purpose
Understand business and IT strategy and plans.
Key Benefits Achieved
Defined security obligations, scope, and boundaries.
Activities
- Define business and compliance.
- Establish security program scope.
- Analyze the organization’s risk and stakeholder pressures.
- Identify the organizational risk tolerance level.
Outputs
- Security obligations statement
- Security scope and boundaries statement
- Defined risk tolerance level
- Risk assessment and pressure analysis
Module 2: Perform a Gap Analysis
The Purpose
Define the information security target state.
Key Benefits Achieved
Set goals and initiatives for the security strategy in line with the business objectives.
Activities
- Assess current security capabilities.
- Identify security gaps.
- Build initiatives to bridge the gaps.
Outputs
- Information security target state
- Security current state assessment
- Initiatives to address gaps
Module 3: Complete the Gap Analysis
The Purpose
Continue assessing current security capabilities.
Key Benefits Achieved
Identification of security gaps and initiatives to bridge them according to the business goals.
Activities
- Identify security gaps.
- Build initiatives to bridge the maturity gaps.
- Identify initiative list and task list.
- Define criteria to be used to prioritize initiatives.
Outputs
- Completed security current state assessment
- Task list to address gaps
- Initiative list to address gaps
- Prioritization criteria
Module 4: Develop the Roadmap
The Purpose
Create a plan for your security strategy going forward.
Key Benefits Achieved
Set path forward to achieving the target state for the business through goal cascade and gap initiatives.
Activities
- Conduct cost/benefit analysis on initiatives.
- Prioritize gap initiatives based on cost and alignment with business.
- Build an effort list.
- Determine start times and accountability.
- Finalize security roadmap and action plan.
- Create communication plan.
Outputs
- Information security roadmap
- Draft communication deck
Module 5: Communicate and Implement
The Purpose
Finalize deliverables.
Key Benefits Achieved
Consolidate documentation into a finalized deliverable that can be used to present to executives and decision makers to achieve buy-in for the project.
Activities
- Support communication efforts.
- Identify resources in support of priority initiatives.
Outputs
- Security strategy roadmap documentation
- Detailed cost and effort estimates
- Mapping of Info-Tech resources against individual initiatives
After each Info-Tech experience, we ask our members to quantify the real time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this Blueprint, and what our clients have to say.
| Client | Experience | Impact | $ Saved | Days Saved |
|---|---|---|---|---|
| NEPC, LLC | Guided Implementation | 8/10 | N/A | N/A |
| Tennessee Supreme Court/Administrative Office of the Courts | Guided Implementation | 10/10 | $50,000 | 50 |
| City Of Salem | Workshop | 10/10 | $31,405 | 65 |
| Cross Insurance | Workshop | 10/10 | $100K | 20 |
| Digital Armour Corporation | Guided Implementation | 10/10 | $8,793 | 4 |
| Victoriaville & co. | Guided Implementation | 10/10 | N/A | 5 |
| Town of Taber | Guided Implementation | 10/10 | $25,000 | 20 |
| Ecore International | Guided Implementation | 10/10 | $50,248 | 10 |
| City of Birmingham | Workshop | 10/10 | $121K | 100 |
| Massey University | Workshop | 9/10 | $63,880 | 20 |
| Barry-Wehmiller | Workshop | 10/10 | $35,134 | 20 |
| Scott County Iowa | Guided Implementation | 10/10 | $119K | 50 |
| College of the Ozarks | Guided Implementation | 10/10 | $25,000 | 32 |
| California Department of Human Resources | Guided Implementation | 10/10 | $12,562 | 120 |
| Elementis Specialties | Guided Implementation | 10/10 | N/A | 10 |
| National Christian Foundation | Guided Implementation | 10/10 | N/A | 50 |
| El Paso Water | Workshop | 10/10 | $31,405 | 55 |
| Clackamas Community College | Guided Implementation | 10/10 | $12,562 | 23 |
| Jet Support Services, Inc. | Workshop | 10/10 | N/A | N/A |
| Palmer College of Chiropractic | Guided Implementation | 10/10 | $12,562 | 35 |
| CS DISCO | Guided Implementation | 9/10 | $25,000 | 20 |
| West Virginia Department of Environmental Protection | Guided Implementation | 10/10 | $9,000 | 5 |
| The Lansing Board of Water and Light | Workshop | 10/10 | N/A | 5 |
| Aquatera Utilities Inc | Guided Implementation | 10/10 | $25,000 | 20 |
| HEART Trust/NTA | Guided Implementation | 5/10 | $1,401 | 3 |
| Real Estate Council of Ontario 1 | Guided Implementation | 8/10 | $10,000 | 5 |
| America-Mideast Educational and Training Services, Inc. | Guided Implementation | 10/10 | N/A | 120 |
| NeuStar, Inc. | Guided Implementation | 6/10 | N/A | N/A |
| Town of Taber | Guided Implementation | 10/10 | N/A | 20 |
| Cross Country Mortgage, Inc. | Guided Implementation | 10/10 | $31,405 | 20 |