Build an Information Security Strategy

Tailor best practices to effectively manage information security.


Your Challenge

  • Organizations are struggling to keep up with today’s evolving threat landscape.
  • From technology sophistication and business adoption to the proliferation of hacking techniques and the expansion of hacking motivations, organizations are facing major security risks.
  • Every organization needs some kind of information security program to protect their systems and assets.
  • Organizations today face pressure from regulatory or legal obligations, customer requirements, and now, senior management expectations.

Our Advice

Critical Insight

  • Performing an accurate assessment of your current security operations and maturity levels can be extremely hard when you don’t know what to assess or how to assess it.
  • Alignment can be a difficult area for security to get right when it’s trying to balance both regular IT and the business.
  • Communication is needed between the business leaders, IT leaders, and the security team for an effective security strategy to be in place.

Impact and Result

  • Info-Tech has analyzed and integrated regulatory and industry best practice frameworks, combining COBIT 5, PCI DSS, ISO 27000, NIST SP800-53, and SANS to ensure an exhaustive approach to security.
  • Through this process, a comprehensive current state assessment, gap analysis, and initiative generation ensures that nothing is left off the table.
  • This project will elevate the perception of the security team from being a hindrance to the organization to an enabler.

Get the Complete Storyboard

See how all the steps you need to take come together, with tools and advice to help with each task on your list.


Get to Action

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build an Information Security strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

  1. Assess security requirements

    Introduce security management and define the security scope while assessing the organizational risk profile.

  2. Perform a gap analysis

    Perform a gap analysis by assessing the current state and then determining the organizational target state.

  3. Develop gap initiatives

    Generate initiatives to reach the organizational target state.

  4. Plan for the transition

    Plan for the transition with a roadmap and deliverables to help augment the organizational program.

Guided Implementation

This guided implementation is a nine-call advisory process.

Guided Implementation #1 - Assess security requirements

  • Call #1: Review the scope of the security strategy plans
  • Call #2: Define the organizational risk tolerance
  • Call #3: Assess the security risk profile of the business

Guided Implementation #2 - Perform a gap analysis

  • Call #1: Perform a current state assessment of the security controls
  • Call #2: Determine the future target state of the security controls

Guided Implementation #3 - Develop gap initiatives

  • Call #1: Identify existing gaps and create gap initiatives to close the gaps
  • Call #2: Determine the benefit, cost, and resources needed for each initiative

Guided Implementation #4 - Plan for the transition

  • Call #1: Build a roadmap based on the security initiatives
  • Call #2: Optimize your strategy

Onsite Workshop

Module 1: Assess Security Requirements

The Purpose

  • Introduce security management.
  • Analyze the business and IT strategy and plans.
  • Define the organization's risk tolerance levels.
  • Assess the security risk profile.

Key Benefits Achieved

  • Security obligations statement
  • Security scope and boundaries statement
  • Defined risk tolerance level
  • Security pressure posture

Activities and outputs:
1.1 Introduce security management.
1.2 Understand business and IT strategy and plans.
1.3 Define the security obligations, scope, and boundaries.
  • Security obligations statement
  • Security scope and boundaries statement
1.4 Define risk tolerance levels.
  • Defined risk tolerance level
1.5 Assess the security pressure posture.
  • Defined security pressure posture

Module 2: Perform a Gap Analysis

The Purpose

  • Define the current security capabilities and maturity.
  • Develop a security target state based on the organization’s security risk profile, and conduct a gap analysis. 

Key Benefits Achieved

  • Visualization of the organization’s current security capabilities and maturity level
  • Foundation built to determine your security target state by understanding the organization’s security needs and scope

Activities and outputs:
2.1 Assess current security capabilities and performance.
  • Current security maturity levels
2.2 Review pen test results.
2.3 Define security target state.
  • Security target state

Module 3: Develop Gap Initiatives

The Purpose

  • Develop gap initiatives to reach your security target state.
  • Assess the organization’s readiness to implement the gap initiatives and scale the initiatives to develop a feasible implementation plan.

Key Benefits Achieved

  • Identified gap initiatives to augment the security program
  • Understanding of the resources needed to implement all the initiatives

Activities and outputs:
3.1 Identify security gaps.
  • Future state – current state gap analysis
3.2 Build initiatives to bridge the gap.
  • Initiatives to address the gap
3.3 Estimate the resources needed.
  • Estimate of required effort
3.4 Prioritize gap initiatives.
  • Budget and resource readiness analysis
3.5 Determine start time and accountability.

Module 4: Plan for the Transition

The Purpose

  • Finalize the roadmap and action plan for the information security plan.
  • Create a security charter, organizational structure, change and communication plan, and/or security services catalog.
  • Develop a metrics program to measure your progress.

Key Benefits Achieved

  • Finalized information security roadmap and action plan for the organization
  • Key deliverables to kick-start the security program
  • Measurement program to monitor and improve upon the existing program

Activities and outputs:
4.1 Finalize security roadmap and action plan.
  • Security roadmap and action plan
4.2 Build a security charter.
  • Security charter
4.3 Build the security program organizational structure.
  • Security organizational structure
4.4 Create a change and communication plan.
  • Change and communication plan
4.5 Develop a metrics program.
  • Metrics program
4.6 Develop a security services catalog.
  • Security services catalog

Book Your Workshop

Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.

Search Code: 74131
Published: February 4, 2014
Last Revised: September 21, 2015