Build an Information Security Strategy

Do not fill in this field

Enter no text in this field

Get Instant Access
to This Blueprint

Business Email

Full Name

Company

Phone

Job Title

Many security leaders struggle to decide how to best to prioritize their scarce information security resources
The need to move from a reactive approach to security towards a strategic planning approach is clear. The path to getting there is less so.

Our Advice

Critical Insight

The most successful information security strategies are:

Holistic – They consider the full spectrum of information security, including people, processes, and technology.
Risk aware – They understand that security decisions should be made based on the security risks facing their organization, not just on “best practice.”
Business aligned – They demonstrate an understanding of the goals and strategies of the organization and how the security program can support the business.

Impact and Result

Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for more than seven years with hundreds of different organizations:
This approach includes tools for:
- Ensuring alignment with business objectives.
- Assessing organizational risk and stakeholder expectations.
- Enabling a comprehensive current state assessment.
- Prioritizing initiatives and building out a security roadmap.

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build an information security strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Build an Information Security Strategy – Executive Brief

1. Assess security requirements

Define the business and security goals of your security program and determine the organization’s security pressure risk overview.

2. Build a gap initiative strategy

Use our best-of-breed security framework to perform a gap analysis between current and target states, and define security goals and duties.

3. Prioritize initiatives and build roadmap

Synthesize the gap analysis into a list of actionable security initiatives, and prioritize these based on cost, effort, security benefit, and alignment with business demands.

4. Execute and maintain

Learn to use Info-Tech’s methodology to manage security projects on the go and identify resources that will help execute the strategy successfully.

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

9.4/10

Overall Impact

$33,625

Average $ Saved

Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

Testimonial

Psac

Workshop

10/10

$25,000

Goodwill Industries of South Florida

Guided Implementation

10/10

$12,395

Center For Elders Independence

Guided Implementation

9/10

$61,979

best part is verifying the level of risk I've assumed is on target.

Forsyth Technical Community College

Guided Implementation

9/10

$12,395

Having Kevin guide us through the process and provide a deeper context for each component was extremely helpful. He was able to provide us with the extra bit of information we needed to make the right decisions and produce a product that we could share ...

Northwinds Technology Solutions

Guided Implementation

9/10

$6,197

College of New Caledonia

Guided Implementation

9/10

$50,000

The toolkits were excellent and Shastri did a great job in coaching us through the guided implementation.

Municipality of Chatham-Kent

Guided Implementation

8/10

$10,000

Engaging on regularly scheduled checkpoints to discuss progress and solicit advice. I wish the Security Strategy blueprint offered some additional tools and controls in the gap analysis. Some of the controls seemed vague or could have benefited from s...

SIS Holdings Group

Guided Implementation

9/10

$12,395

LSU Health Sciences Center

Guided Implementation

10/10

$3,718

Excellent support, patient, knowledgeable, subject matter expert and good communicator.

STgenetics

Guided Implementation

10/10

$123K

Spark Therapeutics, Inc.

Workshop

10/10

$12,063

Dave was a fantastic facilitator for this workshop.

Parkland College

Workshop

10/10

$30,989

Capital Credit Union

Guided Implementation

9/10

$30,989

Interdigital Communications

Guided Implementation

10/10

$25,411

Albaugh, LLC

Guided Implementation

9/10

$61,979

NEPC, LLC

Guided Implementation

8/10

N/A

Tennessee Supreme Court/Administrative Office of the Courts

Guided Implementation

10/10

$50,000

The communication with Cameron has been great. The only issues we run into is on our internal side, just being new to this type of framework.

City Of Salem

Workshop

10/10

$30,989

Long days on 2 and 3, with insufficient time on day 4. The tool and discussion were the best parts of the workshop.

Cross Insurance

Workshop

10/10

$100K

Time Savings!

Digital Armour Corporation

Guided Implementation

10/10

$8,444

Ian

Victoriaville & co.

Guided Implementation

10/10

N/A

Town of Taber

Guided Implementation

10/10

$25,000

Ecore International

Guided Implementation

10/10

$49,583

Ian has been fantastic, patient, and aside from doing the work for us, exceptional. It's been unfortunate that our emergency issues have prevented us from focusing on this until 2021. The delay has entirely been on Ecore's side.

City of Birmingham

Workshop

10/10

$117K

100

There were no bad parts to it. We were excited to have someone to help know the things we didnt know we didnt know. It was invaluable.

Massey University

Workshop

9/10

$61,979

This was an excellent workshop. I am hopeful that the planning done through this work will prevent wasted effort and resources over the medium to long term, as the team (and its leadership) now have clear and agreed to objectives.

Barry-Wehmiller

Workshop

10/10

$34,088

Very logical and disciplined approach. Was great to get our business leaders together to talk about risk and determine our company's risk tolerance level -- Felipe did a great job in steering that meeting. Worst part was, of course, going through 199 s...

Scott County Iowa

Guided Implementation

10/10

$117K

Kevin was exceptional in guiding us through the workshop to transform a security assessment completed in 2018 into actionable projects and tasks!

College of the Ozarks

Guided Implementation

10/10

$25,000

Christine Coz is the best. She has went above and beyond on every request. I have not had a bad experience.

California Department of Human Resources

Guided Implementation

10/10

$12,395

120

I will start with the best part which was the valuable advice and guidance provided by Kevin Peuhkurinen! Combined with the tools provided made the experience seamless. I can honestly say I didn't have any bad experiences at at all! It was an over...

Elementis Specialties

Guided Implementation

10/10

N/A

Load More Testimonials

Security Strategy

Tailor best practices to effectively manage information security.
This course makes up part of the Security & Risk Certificate.

Now Playing: Academy: Security Strategy | Executive Brief

An active membership is required to access Info-Tech Academy

Course Modules: 5
Estimated Completion Time: 2-2.5 hours

Featured Analysts:
Kevin Peuhkurinen, Research Director, Security & Risk
Gord Harrison, Senior Vice President, Research

Onsite Workshop: Build an Information Security Strategy

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess Security Requirements

The Purpose

Understand business and IT strategy and plans.

Key Benefits Achieved

Defined security obligations, scope, and boundaries.

Activities

Outputs

1.1

Define business and compliance.

Security obligations statement

1.2

Establish security program scope.

Security scope and boundaries statement

1.3

Analyze the organization’s risk and stakeholder pressures.

Defined risk tolerance level

1.4

Identify the organizational risk tolerance level.

Risk assessment and pressure analysis

Module 2: Perform a Gap Analysis

The Purpose

Define the information security target state.

Key Benefits Achieved

Set goals and Initiatives for the security strategy in line with the business objectives.

Activities

Outputs

2.1

Assess current security capabilities.

Information security target state

2.2

Identify security gaps.

Security current state assessment

2.3

Build initiatives to bridge the gaps.

Initiatives to address gaps

Module 3: Complete the Gap Analysis

The Purpose

Continue assessing current security capabilities.

Key Benefits Achieved

Identification of security gaps and initiatives to bridge them according to the business goals.

Activities

Outputs

3.1

Identify security gaps.

Completed security current state assessment

3.2

Build initiatives to bridge the maturity gaps.

Task list to address gaps

3.3

Identify initiative list and task list.

Initiative list to address gaps

3.4

Define criteria to be used to prioritize initiatives.

Prioritize criteria

Module 4: Develop the Roadmap

The Purpose

Create a plan for your security strategy going forward.

Key Benefits Achieved

Set path forward to achieving the target state for the business through goal cascade and gap initiatives.

Activities

Outputs

4.1

Conduct cost/benefit analysis on initiatives.

Information security roadmap

4.2

Prioritize gap initiatives based on cost and alignment with business.

Draft communication deck

4.3

Build an effort list.

4.4

Determine state times and accountability.

4.5

Finalize security roadmap and action plan.

4.6

Create communication plan.

Module 5: Communicate and Implement

The Purpose

Finalize deliverables.

Key Benefits Achieved

Consolidate documentation into a finalized deliverable that can be used to present to executives and decision makers to achieve buy-in for the project.

Activities

Outputs

5.1

Support communication efforts.

Security strategy roadmap documentation

5.2

Identify resources in support of priority initiatives.

Detailed cost and effort estimates
Mapping of Info-Tech resources against individual initiatives

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

Member Rating

9.4/10
Overall Impact

$33,625
Average $ Saved

28
Average Days Saved

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Read what our members are saying

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Try Our Guided Implementations

Get the help you need in this 4-phase advisory process. You'll receive 8 touchpoints with our researchers, all included in your membership.

Guided Implementation #1 - Assess security requirements

Call #1 - Introduce project and complete pressure analysis.

Guided Implementation #2 - Build a gap initiative strategy

Call #1 - Introduce the maturity assessment.
Call #2 - Perform gap analysis and translate into initiatives.
Call #3 - Consolidate related gap initiatives and define, cost, effort, alignment, and security benefits.

Guided Implementation #3 - Prioritize initiatives and build roadmap

Call #1 - Review cost/benefit analysis and build an effort map.
Call #2 - Build implementation waves and introduce Gantt chart.

Guided Implementation #4 - Execute and maintain

Call #1 - Review Gantt chart and ensure budget/buy-in support.
Call #2 - Three-month check-in: Execute and maintain.

Author(s)

Isaac Kinsella

Contributors

Peter Clay, Zeneth Tech Partners, Principal
Ken Towne, Zeneth Tech Partners, Security Architect
Luciano Siqueria, Road Track, IT Security Manager
Candy Alexander, Independent Consultant, Cybersecurity and Information Security Executive
Jason Bevis – FireEye, Senior Director Orchestration Product Management - Office of the CTO
Joan Middleton, Villiage of Mount Prospect, IT Director
David Rahbany, The Hain Celestial Group, Director IT Infrastructure
Rick Vadgama, Cimpress, Head of Information Privacy and Security
Doug Salah, Wabtec Corp, Manager of Information Security and IT Audit
Peter Odegard, Children’s Hospitals and Clinics, Information Security Officer
Trevor Butler, City of Lethbridge, Information Technology General Manager
Shane Callahan, Tractor Supply, Director of Information Security
Jeff Zalusky, Chrysalis, President/CEO
Dan Humbert, YMCA of Central Florida, Director of Information Technology
Ron Kirkland, Crawford & Co, Manager ICT Security & Customer Service
Jim Burns, GreatAmerica Financial Services, Vice President Information Technology
Ryan Breed, Hudson’s Bay, Information Security Analyst
James Fielder, Farm Credit Services – Central Illinois, Vice President of Information Systems

Search Code: 74131
Published: February 4, 2014
Last Revised: September 9, 2020

Build an Information Security Strategy

Create value by aligning your strategy to business goals and business risks.

Our Advice

Critical Insight

Impact and Result