- The rate of technological change is accelerating. Organizations continue to invest in technology to run the business, layering more systems to support remote work, enhance customer experience, and generate value.
- Meanwhile, security threats are growing. Disruptive cyberattacks are more prevalent, sophisticated, and impactful than ever, targeting organizations of all industries and sizes.
- Security leaders need to adopt a proactive approach to secure the organization now and prioritize funding to high-risk areas.
Our Advice
Critical Insight
- Technological change is increasing both the protect surface and the variety of tools available to secure it.
- Security frameworks are helpful, but they don’t describe how to gather business requirements, identify organizational risks, or set an appropriate target state for the program, or which controls to select to conduct an accurate gap analysis for the security program.
- The better security leaders can balance a budget that funds cyber resiliency and drives revenue, the more likely they are to progress in their career.
Impact and Result
Build a business-aligned, risk-aware, holistic security strategy:
- Gather business requirements to prioritize improvements.
- Assess risks, stakeholder expectations, and risk appetite to set meaningful targets.
- Do a comprehensive gap analysis to identify improvements.
- Build a flexible roadmap to set the program on the right footing.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
9.7/10
Overall Impact
$46,903
Average $ Saved
36
Average Days Saved
Client
Experience
Impact
$ Saved
Days Saved
Wiss, Janney, Elstner Associates, Inc.
Guided Implementation
10/10
$68,500
120
I recently participated in an online workshop led by Petar, and it was an outstanding experience. Petar brings an incredible wealth of knowledge an... Read More
California Department of Health Care Services
Guided Implementation
10/10
N/A
50
Viktor was very helpful, knowledgeable and easy to work with, thanks!
Abbott Laboratories
Guided Implementation
10/10
$30,140
5
Mike was extremely helpful and supportive throughout the process, we were able to complete the activity and received much needed assistance.
State of New Mexico - New Mexico Department of Public Safety
Guided Implementation
10/10
$41,100
120
It is difficult to quantify both the time saved and the value impact of my engagement with Jon. The blueprint itself is helpful but having Jon and ... Read More
Kinark Child And Family Services
Guided Implementation
8/10
N/A
18
The experience working with Petar was great. He was very thorough in helping us achieve our goals. We will work with him again if and when given th... Read More
National Cooperative Bank NA
Workshop
8/10
$13,712
10
Overall, the experience was positive. This workshop marked the third occurrence in the past decade. With the implementation of an independent thre... Read More
Oak Valley Health
Guided Implementation
10/10
$25,000
9
State of New Mexico Early Childhood & Care Department
Guided Implementation
10/10
N/A
120
Donor Network West
Guided Implementation
10/10
$13,700
5
Very good advice on what to focus on and how to approach regulators. worst part was realizing all the work that I still had to do.
A. Farber Associates
Workshop
10/10
$100K
120
The best parts of my experience were the exceptional expertise of Dave Kernohan, the comprehensive and well-structured workshop content, the benefi... Read More
CNY Centro, Inc.
Guided Implementation
10/10
N/A
N/A
Jon was awesome to work with and had a wealth of knowledge. He was patient with us when were having problems understanding certain topics, and took... Read More
El Dorado Irrigation District
Guided Implementation
10/10
$2,740
5
GSW Manufacturing
Guided Implementation
9/10
$9,590
5
The level of detail in the review of our system was impressive. It does help to focus our efforts on research from InfoTech that will make the mos... Read More
Town Of Whitby
Workshop
10/10
$55,000
23
great facilitation and knowledge from Sumit. Lots of knowledge and it will be good to have time to reflect and review. Thank you for the 4 days it ... Read More
iFIT
Workshop
10/10
$68,500
60
The best part of this experience was having Dave Kernohan lead our workshop. He was able to quickly build rapport virtually with the security team... Read More
Firstmac Limited
Guided Implementation
10/10
$22,750
20
The ranking above is for the overall experience. The end result is a solid gap analysis and plan for cyber security moving forward. having independ... Read More
City of Williamsburg, VA
Guided Implementation
10/10
$34,250
110
Petar led me through the entire process flawlessly. He kept me on-track and took the time to explain everything while offering his thoughts and ex... Read More
Cidel Bank & Trust
Guided Implementation
9/10
N/A
20
Facilitator was very knowledgeable of the subject area and was able to provide valuable insight. Also, the excel tools made the process easy to get... Read More
Carver County, MN
Guided Implementation
10/10
$13,700
10
Our analyst was great to work with and very knowledgeable.
Capital Regional District
Guided Implementation
10/10
$50,000
50
Jon and Manoj were the best part - They were so good at listening to my specific needs and concerns and explaining how to approach resolving them. ... Read More
Westoba Credit Union Limited
Guided Implementation
10/10
$10,000
14
Matches well with our current initiatives and helps build the business case for doing certain work and requesting additional resources.
County of Chesterfield, Virginia
Guided Implementation
10/10
$32,195
20
Efficient use of time with targeted focus on right tools and approach based on our current state.
CICSA CO OP Credit Union
Guided Implementation
10/10
$68,562
50
For me this is easily a $50k value add. EY, PWC etc. will charge $25k for a Cybersecurity Strategy and it will only entail a fraction of what Jo... Read More
City of Winter Park
Guided Implementation
10/10
$13,700
5
SaskEnergy
Workshop
10/10
$50,000
10
Sumit is a great facilitator. Best part was producing a much needed output in a prescribed period of time. Would have taken us much much longer i... Read More
California Department of Corrections & Rehabilitation
Guided Implementation
9/10
N/A
N/A
Erik is an experienced and well-informed expert. His experience provide value when it comes to developing successful strategies for our organiztio... Read More
City of Palm Beach Gardens
Guided Implementation
10/10
$13,700
100
Blandin Foundation
Guided Implementation
10/10
$13,712
20
Oregon Public Utility Commission
Guided Implementation
10/10
N/A
1
Advisors Excel, LLC
Workshop
10/10
$68,500
10
Michel Hebert was a great instructor and really made the workshop a great experience for me and my team. His approach and attitude towards everyon... Read More
Security Strategy
Tailor best practices to effectively manage information security.
This course makes up part of the Security & Risk Certificate.
- Course Modules: 5
- Estimated Completion Time: 1 hour
- Featured Analysts:
- Michel Hébert, Principal Research Director
Workshop: Build an Information Security Strategy
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Assess Business Requirements
The Purpose
- Assess business requirements.
Key Benefits Achieved
- Identify security program alignment criteria.
Activities
Outputs
Understand business and IT strategy and plans.
- Goals cascade for the security program
Define business and compliance requirements.
- Goals cascade for the security program
Establish the security program scope.
- Security scope and boundaries statement
Analyze the organization’s risks and stakeholder pressures.
- Risk assessment and pressure analysis
Assess organizational risk appetite.
- Organizational risk appetite
Module 2: Perform a Gap Analysis
The Purpose
- Perform a gap analysis.
Key Benefits Achieved
- Define the program's target state.
- Assess the organization's current state.
Activities
Outputs
Define program target state.
- Information security target state
Assess current security capabilities.
- Security current-state assessment
Identify security gaps.
- Initiatives to address gaps
Build initiatives to bridge the gaps.
- Initiatives to address gaps
Module 3: Complete the Gap Analysis
The Purpose
- Complete the gap analysis.
Key Benefits Achieved
- Security program improvement tasks and initiatives
Activities
Outputs
Continue assessing security capabilities.
- Completed current-state assessment
Identify security gaps.
- Completed current-state assessment
Build task list.
- Task list to address gaps
Build initiatives list.
- Initiatives list to address gaps.
Module 4: Develop the Roadmap
The Purpose
- Develop the roadmap.
Key Benefits Achieved
- Security program roadmap
- Communication resources
Activities
Outputs
Conduct cost-benefit analysis.
- Information security roadmap
Prioritize initiatives.
- Information security roadmap
Discuss resourcing and accountability.
- Information security roadmap
Finalize security roadmap.
- Information security roadmap
Create communication plan.
- Draft communication deck
Module 5: Communicate and Implement
The Purpose
Finalize deliverables.
Key Benefits Achieved
Consolidate documentation into a finalized deliverable that can be used to present to executives and decision makers to achieve buy-in for the project.
Activities
Outputs
Support communication efforts.
- Security strategy roadmap documentation
Identify resources in support of priority initiatives.
- Detailed cost and effort estimates
- Mapping of Info-Tech resources against individual initiatives
Build an Information Security Strategy
Align the information security strategy to organizational goals and risks to create value.
EXECUTIVE BRIEF
Analyst Perspective
Align initiatives to the goals of your organization and the risks it faces.
The rapid pace of technological change is a call to action to information security leaders. Too often, security leaders find their programs stuck in reactive mode, as years of mounting security technical debt take their toll on the organization. Shifting from a reactive to proactive approach has never been more urgent, yet it remains a daunting task. As we make security plans, we need to do more than blindly follow best practice frameworks. Only a proactive information security strategy, one that is holistic, risk-aware, and aligned to business needs, can help us navigate the changes ahead. Kate Wood |
Executive Summary
Your Challenge |
Common Obstacles |
Info-Tech’s Approach |
---|---|---|
|
|
Build a business-aligned, risk-aware, holistic security strategy:
|
Info-Tech Insight
The most successful information security strategies are:
- Holistic. They consider the full spectrum of information security including people, processes, and technologies.
- Risk-Aware. They understand that security decisions should be made based on the security risks facing their organization, not just on best practice.
- Business-Aligned. They demonstrate an understanding of the goals and strategies of the organization, and how the security program can support the business.
Your challenge
The stakes for information security programs have never been greater.
- The rate of technological change is accelerating. Organizations continue to invest in technology to run the business, layering more systems to support remote work, enhance customer experience, and generate value.
- Meanwhile, security threats are growing. Disruptive cyberattacks are more prevalent, sophisticated, and impactful than ever, targeting organizations of all industries and sizes.
- Information security incidents were ranked as the most important business risk worldwide for the second year in a row according to the Allianz Risk Barometer 2023.
- According to Cybersecurity Ventures, the cost of cybercrimes worldwide will grow by 15% year over year for the next five years, reaching US$10.5 trillion annually by 2025, up from US$3 trillion in 2015.
- Security leaders need to adopt a proactive approach to secure the organization now and prioritize funding to high-risk areas.
Your challenge
The average cost of security incidents is reaching an all-time high.
83% percent of organizations that have had more than one breach in 2022.
US$4.45 million Average cost of a data breach in 2023.
US$5.13 million Average cost of a ransomware attack, not including the cost of the ransom.
Source: IBM, 2022, 2023.
Your challenge
Common attacks persist, which suggests that most are still not getting security fundamentals right.
66% Organizations hit by ransomware in 2021 and 2022.1
35% Organizations who conducted phishing simulations in 2022.2
84% Organizations who experienced phishing attacks with direct financial loss in 2022.2
Sources: 1 Sophos, 2022, 2023;
2 Ponemon, 2023.
Common obstacles
Reactive security strategies can’t keep up.
Info-Tech’s approach
Build a proactive security strategy.
Use a best-of-breed model based on leading frameworks
Info-Tech’s methodology for building an information security strategy
1. Assess Business Requirements |
2. Conduct a Gap Analysis |
3. Build a Roadmap of Prioritized Initiatives |
4. Execute and Maintain the Strategy |
|
---|---|---|---|---|
Phase Steps |
1.1 Define goals & scope 1.2 Assess risks 1.3 Determine pressures 1.4 Determine risk appetite 1.5 Establish target state |
2.1 Review security framework 2.2 Assess your current state 2.3 Identify gap closure actions |
3.1 Define tasks & initiatives 3.2 Perform cost-benefit analysis 3.3 Prioritize initiatives 3.4 Build roadmap |
4.1 Build communication deck 4.2 Develop a security charter 4.3 Execute on your roadmap |
Phase Outcomes |
|
|
|
|
Tools |
Information Security Requirements Gathering Tool; Information Security Pressure Analysis Tool |
Information Security Program Gap Analysis Tool |
Information Security Program Gap Analysis Tool |
Information Security Strategy Communication Deck |
Insight summary
Your security strategy is a business strategy first. |
|
Assess business requirements |
Seek agreement on the program target state |
Prioritize initiatives and roadmap |
Execute and maintain strategy |
Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Information Security Requirements Gathering Tool
Define the business, customer, and compliance alignment for your security program.
Information Security Pressure Analysis Tool
Determine your organization’s security pressures and ability to tolerate risk.
Information Security Program Gap Analysis Tool
Use our best-of-breed security framework to perform a gap analysis between your current and target states.
Information Security Charter
Ensure the development and management of your security policies meet the broader program vision.
Key deliverable:
Information Security Strategy Communication Deck
Present your findings in a prepopulated document that can summarizes all key findings of the blueprint.
This blueprint is ideal for program updates
1. Program Update “I am happy with the fundamentals of my security program. I need to assess and improve our security posture.” Use this blueprint to:
|
This project is part of a broader program to improve your information security posture. 1. Lay Program Foundations 2. Define Security Governance 3. Build Security Strategy 4. Build Security Catalog 5. Define Security Architecture 6. Design Security Services 7. Operate, Measure, and Improve |
2. Program Renewal “I am worried the security program is getting stale. I need to understand what makes my organization unique to prioritize core security capabilities.” Complete the first two phases of Design and Implement a Business-Aligned Security Program. We will learn how to use the output from the security program design tool to inform your security strategy in Phase 2 of this project. |
Info-Tech’s approach will accelerate your progress
Estimates reflect advisory and workshop client experiences.
With Blueprint |
Without Blueprint |
||
---|---|---|---|
Phase 1: Assess Business Requirements |
1 to 5 people |
0.5 to 2 days |
1-2 weeks |
Phase 2: Conduct a Gap Analysis |
1 to 5 people |
2 to 3 days |
4-8 weeks |
Phase 3: Build a Roadmap of Prioritized Initiatives |
1 to 2 people |
1 day |
1-2 weeks |
Phase 4: Execute & Maintain the Strategy |
1 to 5 people |
1-2 days |
1-2 weeks |
Time Saved: 7-14 weeks
Benefits are iterative
Over time, experience incremental value from your initial security strategy. Through continual updates your strategy will evolve, but with less associated effort, time, and costs.
Run Info-Tech diagnostics to measure the success of your strategy
Audience: Security Manager |
Governance & Management Maturity Scorecard Understand the maturity of your security program across eight domains.
|
Audience: Business Leaders |
Security Business Satisfaction and Alignment Report Assess the organization’s satisfaction with the security program. |
- Info-Tech diagnostics are standardized surveys that accelerate the process of gathering and analyzing pain point data.
- Diagnostics also produce historical and industry trends against which to benchmark your organization.
- Reach out to your account manager or follow the links to deploy some or all these diagnostics to validate your assumptions. Diagnostics are included in your membership.
Info-Tech offers various levels of support to best suit your needs
DIY Toolkit |
Guided Implementation |
Workshop |
Consulting |
---|---|---|---|
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” | “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” | We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” | “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.” |
Diagnostics and consistent frameworks used throughout all four options
Guided Implementation
What does a typical Guided Implementation on this topic look like?
Assess Business Requirements |
Conduct a Gap Analysis |
Prioritize Initiatives and Roadmap |
Execute and Maintain the Strategy |
---|---|---|---|
Call #1: Introduce project and complete business requirements gathering. Call #2: Introduce pressure analysis. |
Call #3: Introduce the maturity assessment. Call #4: Perform gap analysis and translate into initiatives. |
Call #5: Consolidate related gap initiatives and define cost, effort, alignment, and security benefits. Call #6: Review cost-benefit analysis and build an effort map. Call #7: Build implementation waves and introduce Gantt chart. |
Call #8: Review Gantt chart and ensure budget/buy-in support. Call #9: Three-month check-in: Execute and maintain the strategy. |
A Guided Implementation is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical Guided Implementation takes place in 2 to 12 calls scheduled over the course of 4 to 6 months.
Workshop Overview
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | |
---|---|---|---|---|---|
Assess Business Requirements |
Perform a Gap Analysis |
Complete the Gap Analysis |
Develop Roadmap |
Communicate and Implement |
|
Activities |
1.1 Understand business and IT strategy and plans 1.2 Define business and compliance requirements 1.3 Establish the security program scope 1.4 Analyze the organization’s risks and stakeholder pressures 1.5 Assess organizational risk appetite |
2.1 Define the information security target state 2.2 Assess current security capabilities 2.3 Identify security gaps 2.4 Build initiatives to bridge the gaps |
3.1 Continue assessing current security capabilities 3.2 Identify security gaps 3.3 Build initiatives to bridge the maturity gaps 3.4 Identify initiative list and task list 3.5 Define criteria to be used to prioritize initiatives |
4.1 Conduct cost-benefit analysis on initiatives 4.2 Prioritize gap initiatives based on cost, time, and alignment with the business 4.3 Build effort map 4.4 Determine start times and accountability 4.5 Finalize security roadmap and action plan 4.6 Create communication plan |
5.1 Finalize deliverables 5.2 Support communication efforts 5.3 Identify resources in support of priority initiatives |
Deliverables |
|
|
|
|
|
Executive Brief Case Study
INDUSTRY: Financial Services
SOURCE: Info-Tech Research Group
Credit Service Company
Founded over 100 years ago, Credit Service Company (CSC)* services over 50,000 US clients in 40 branches across four states.
Situation
Increased regulations, changes in technology, and a growing number of public security incidents had caught the attention of the organization’s leadership. Despite awareness, an IT and security strategy had not been previously created. Management was determined to create a direction for the security team that aligned with their core mission of providing exceptional service and expertise.
Solution
During the workshop, the IT team and Info-Tech analysts worked together to understand the organization’s ideal state in various areas of information security. Having a concise understanding of requirements was a stepping stone to beginning to develop CSC’s prioritized strategy.
Results
Over the course of the week, the team created a document that concisely prioritized upcoming projects and associated costs and benefits. On the final day of the workshop, the team effectively presented the value of the newly developed security strategy to senior management and received buy-in for the upcoming project.