
Build an Information Security Strategy

Create value by aligning your strategy to business goals and business risks.


Contributors

  • Peter Clay, Zeneth Tech Partners, Principal
  • Ken Towne, Zeneth Tech Partners, Security Architect
  • Luciano Siqueria, Road Track, IT Security Manager
  • Candy Alexander, Independent Consultant, Cybersecurity and Information Security Executive
  • Jason Bevis, FireEye, Senior Director, Orchestration Product Management, Office of the CTO
  • Joan Middleton, Village of Mount Prospect, IT Director
  • David Rahbany, The Hain Celestial Group, Director IT Infrastructure
  • Rick Vadgama, Cimpress, Head of Information Privacy and Security
  • Doug Salah, Wabtec Corp, Manager of Information Security and IT Audit
  • Peter Odegard, Children’s Hospitals and Clinics, Information Security Officer
  • Trevor Butler, City of Lethbridge, Information Technology General Manager
  • Shane Callahan, Tractor Supply, Director of Information Security
  • Jeff Zalusky, Chrysalis, President/CEO
  • Dan Humbert, YMCA of Central Florida, Director of Information Technology
  • Ron Kirkland, Crawford & Co, Manager ICT Security & Customer Service
  • Jim Burns, GreatAmerica Financial Services, Vice President Information Technology
  • Ryan Breed, Hudson’s Bay, Information Security Analyst
  • James Fielder, Farm Credit Services – Central Illinois, Vice President of Information Systems

Your Challenge

  • Many security leaders struggle to decide how best to prioritize their scarce information security resources.
  • The need to move from a reactive approach to security towards a strategic planning approach is clear; the path to getting there is less so.

Our Advice

Critical Insight

The most successful information security strategies are:

  • Holistic – They consider the full spectrum of information security, including people, processes, and technology.
  • Risk aware – They understand that security decisions should be made based on the security risks facing their organization, not just on “best practice.”
  • Business aligned – They demonstrate an understanding of the goals and strategies of the organization and how the security program can support the business.

Impact and Result

  • Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for more than seven years with hundreds of different organizations.
  • This approach includes tools for:
    • Ensuring alignment with business objectives.
    • Assessing organizational risk and stakeholder expectations.
    • Enabling a comprehensive current state assessment.
    • Prioritizing initiatives and building out a security roadmap.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build an information security strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Assess security requirements

Define the business and security goals of your security program and produce the organization’s security pressure and risk overview.

2. Build a gap initiative strategy

Use our best-of-breed security framework to perform a gap analysis between current and target states, and define security goals and duties.

3. Prioritize initiatives and build roadmap

Synthesize the gap analysis into a list of actionable security initiatives, and prioritize these based on cost, effort, security benefit, and alignment with business demands.

4. Execute and maintain

Learn to use Info-Tech’s methodology to manage security projects on the go and identify resources that will help execute the strategy successfully.

Guided Implementations

This guided implementation is an eight-call advisory process.

Guided Implementation #1 - Assess security requirements

Call #1 - Introduce project and complete pressure analysis.

Guided Implementation #2 - Build a gap initiative strategy

Call #1 - Introduce the maturity assessment.
Call #2 - Perform gap analysis and translate into initiatives.
Call #3 - Consolidate related gap initiatives and define cost, effort, alignment, and security benefits.

Guided Implementation #3 - Prioritize initiatives and build roadmap

Call #1 - Review cost/benefit analysis and build an effort map.
Call #2 - Build implementation waves and introduce Gantt chart.

Guided Implementation #4 - Execute and maintain

Call #1 - Review Gantt chart and ensure budget/buy-in support.
Call #2 - Three-month check-in: Execute and maintain.

Info-Tech Academy

Get Info-Tech Certified

Train your staff and develop a world-class IT team.

An active membership is required to access Info-Tech Academy


Security Strategy

Tailor best practices to effectively manage information security.
This course makes up part of the Security & Risk Certificate.

Course information:

  • Title: Security Strategy
  • Number of Course Modules: 5
  • Estimated Time to Complete: 2-2.5 hours
  • Featured Analysts:
    • Kevin Peuhkurinen, Research Director, Security & Risk
    • Gord Harrison, Senior Vice President, Research

Onsite Workshop


Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess Security Requirements

The Purpose

Understand business and IT strategy and plans.

Key Benefits Achieved

Defined security obligations, scope, and boundaries.

Activities

  1.1 Define business and compliance obligations.
  1.2 Establish security program scope.
  1.3 Analyze the organization’s risk and stakeholder pressures.
  1.4 Identify the organizational risk tolerance level.

Outputs

  • Security obligations statement
  • Security scope and boundaries statement
  • Defined risk tolerance level
  • Risk assessment and pressure analysis

Module 2: Perform a Gap Analysis

The Purpose

Define the information security target state.

Key Benefits Achieved

Set goals and initiatives for the security strategy in line with the business objectives.

Activities

  2.1 Assess current security capabilities.
  2.2 Identify security gaps.
  2.3 Build initiatives to bridge the gaps.

Outputs

  • Information security target state
  • Security current state assessment
  • Initiatives to address gaps

Module 3: Complete the Gap Analysis

The Purpose

Continue assessing current security capabilities.

Key Benefits Achieved

Identification of security gaps and initiatives to bridge them according to the business goals.

Activities

  3.1 Identify security gaps.
  3.2 Build initiatives to bridge the maturity gaps.
  3.3 Identify initiative list and task list.
  3.4 Define criteria to be used to prioritize initiatives.

Outputs

  • Completed security current state assessment
  • Task list to address gaps
  • Initiative list to address gaps
  • Prioritization criteria

Module 4: Develop the Roadmap

The Purpose

Create a plan for your security strategy going forward.

Key Benefits Achieved

Set path forward to achieving the target state for the business through goal cascade and gap initiatives.

Activities

  4.1 Conduct cost/benefit analysis on initiatives.
  4.2 Prioritize gap initiatives based on cost and alignment with business.
  4.3 Build an effort list.
  4.4 Determine start times and accountability.
  4.5 Finalize security roadmap and action plan.
  4.6 Create communication plan.

Outputs

  • Information security roadmap
  • Draft communication deck

Module 5: Communicate and Implement

The Purpose

Finalize deliverables.

Key Benefits Achieved

Consolidate documentation into a finalized deliverable that can be used to present to executives and decision makers to achieve buy-in for the project.

Activities

  5.1 Support communication efforts.
  5.2 Identify resources in support of priority initiatives.

Outputs

  • Security strategy roadmap documentation
  • Detailed cost and effort estimates
  • Mapping of Info-Tech resources against individual initiatives

Member Testimonials


After each Info-Tech experience, we ask our members to quantify the real time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this Blueprint, and what our clients have to say.

Client | Experience | Impact | $ Saved | Days Saved
Noramco | Workshop | 10/10 | $10,000 | 5
Aclara | Workshop | 9/10 | $33,091 | 20
Montana Department of Transportation | Workshop | 8/10 | $13,236 | 10
St. Lawrence County | Guided Implementation | 10/10 | $13,236 | 10
St. Lawrence County | Guided Implementation | 9/10 | $13,236 | 10
Witt Kieffer | Guided Implementation | 10/10 | N/A | 10
Klein Independent School District | Guided Implementation | 10/10 | $2,647 | 2
Cengage Learning | Guided Implementation | 9/10 | N/A | 5
City of Orlando | Guided Implementation | 10/10 | N/A | 120
Fernco Inc | Workshop | 9/10 | $66,183 | 20
Alabama Department of Corrections | Guided Implementation | 10/10 | $6,618 | 5
Town of Okotoks | Workshop | 9/10 | $25,000 | 35
Fletcher Building Limited | Guided Implementation | 10/10 | $22,341 | 20
Michigan Supreme Court | Guided Implementation | 9/10 | N/A | N/A
Ecore International | Guided Implementation | 10/10 | N/A | N/A
British Columbia Securities Commission | Guided Implementation | 7/10 | N/A | 3
Hamilton Public Library | Guided Implementation | 10/10 | N/A | N/A
American National Insurance Company Inc | Guided Implementation | 10/10 | $66,183 | 20
Birch Hill Equity | Workshop | 10/10 | $14,500 | 47
College of Westchester | Guided Implementation | 9/10 | N/A | N/A
Ipsen Pharma SAS | Guided Implementation | 8/10 | $15,222 | 10
Western Canada Lottery Corporation | Workshop | 9/10 | N/A | N/A
Pegasus Business Intelligence, LP d/b/a Onyx CenterSource | Guided Implementation | 9/10 | N/A | 41
CIEE, Org. | Guided Implementation | 9/10 | N/A | N/A
Academic Partnerships | Guided Implementation | 8/10 | $13,236 | 20
BTG International | Guided Implementation | 9/10 | N/A | 1
Braun Intertec Corporation | Guided Implementation | 6/10 | N/A | N/A
Olmsted Medical Center | Workshop | 10/10 | N/A | 23
Capital Regional District | Guided Implementation | 10/10 | $5,000 | 10
Pharmascience | Guided Implementation | 9/10 | N/A | N/A
