Build an Information Security Strategy
Tailor best practices to effectively manage information security.
This content requires an active subscription.
Access this content by logging in with your Info-Tech Research Group membership or contacting one of our representatives for assistance.
View Storyboard
Contributors
- Peter Clay, Zeneth Tech Partners, Principal
- Ken Towne, Zeneth Tech Partners, Security Architect
- Luciano Siqueria, Road Track, IT Security Manager
- Candy Alexander, Independent Consultant, Cybersecurity and Information Security Executive
- Jason Bevis – FireEye, Senior Director Orchestration Product Management - Office of the CTO
- Joan Middleton, Villiage of Mount Prospect, IT Director
- David Rahbany, The Hain Celestial Group, Director IT Infrastructure
- Rick Vadgama, Cimpress, Head of Information Privacy and Security
- Doug Salah, Wabtec Corp, Manager of Information Security and IT Audit
- Peter Odegard, Children’s Hospitals and Clinics, Information Security Officer
- Trevor Butler, City of Lethbridge, Information Technology General Manager
- Shane Callahan, Tractor Supply, Director of Information Security
- Jeff Zalusky, Chrysalis, President/CEO
- Dan Humbert, YMCA of Central Florida, Director of Information Technology
- Ron Kirkland, Crawford & Co, Manager ICT Security & Customer Service
- Jim Burns, GreatAmerica Financial Services, Vice President Information Technology
- Ryan Breed, Hudson’s Bay, Information Security Analyst
- James Fielder, Farm Credit Services – Central Illinois, Vice President of Information Systems
Your Challenge
- Complexity of technology environments is increasing, making it difficult to stay on top of their security risk exposure.
- Malware and hacking techniques are more sophisticated than ever, and organizations face serious adversarial threats.
- Organizations have steadily increasing security obligations from business owners, customers, and regulatory/legal agencies, requiring an all-inclusive strategy.
- Stakeholder buy-in is difficult to gain – interested parties need to understand how security initiatives align with broader business priorities.
Our Advice
Critical Insight
- Just because you haven’t identified a breach doesn’t mean you’re secure.
A good security program is proactive about closing security gaps because ignorance is never blissful. - Compliance and organizational reputation create an intertwined relationship between the business and your security strategy.
Security programs must be regularly assessed and continuously maintained to ensure security controls align with organizational objectives. - Optimize the basics and then continually improve.
Consistently, the top security threats are not advanced new techniques – they are traditional, old-school attacks. There is a reason for this: they still work! This means that simply mastering the fundamentals will provide meaningful protection and can be the foundation on which a fully optimized security program is built.
Impact and Result
- Info-Tech has analyzed and integrated regulatory and industry best-practice frameworks, combining COBIT 5, PCI DSS, ISO 27000, NIST SP800-53, and CIS to ensure an exhaustive approach to security.
- Through this process, a comprehensive current state assessment, gap analysis, and initiative generation ensures that nothing is left off the table.
- This project will elevate the perception of the security team from being a hindrance to the organization to an enabler.
Start here – read the Executive Brief
Read our concise Executive Brief to find out why you should build an information security strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.
1. Assess security requirements
Define the business, customer, and compliance alignment for the security program, and determine the organization’s security pressure risk tolerance.
2. Build a gap initiative strategy
Use our best-of-breed security framework to perform a gap analysis between current and target states, and define security goals and duties.
3. Prioritize initiatives and create roadmap
Synthesize the gap analysis into a list of actionable security initiatives, and prioritize these based on cost, effort, security benefit, and alignment with business demands.
4. Execute and maintain
Learn to use Info-Tech’s methodology to manage security projects on the go, and identify resources that will help execute the strategy successfully.
Guided Implementations
This guided implementation is a ten call advisory process.
Guided Implementation #1 - Assess requirements
Call #1 - Assess and discuss the security pressure
Call #2 - Document business, customer, and compliance obligations
Call #3 - Define the organizational risk tolerance
Guided Implementation #2 - Assess gaps
Call #1 - Begin the gap analysis (current state, target state, gap initiatives)
Call #2 - Continue the gap analysis (as many calls as needed)
Call #3 - Review completed analysis
Guided Implementation #3 - Build the roadmap
Call #1 - Estimate the benefit, cost, and alignment of security initiatives
Call #2 - Create the roadmap based on estimations
Guided Implementation #4 - Execute and maintain
Call #1 - Finalize roadmap and build communication deck
Call #2 - Identify opportunities to kick-off execution of the strategy
Info-Tech Academy
Get Info-Tech Certified
Train your staff and develop a world-class IT team.
New to Info-Tech Academy? Learn more here
Security Strategy Course
Tailor best practices to effectively manage information security.
This course makes up part of the Security & Risk Certificate.
Course information:
- Title: Security Strategy Course
- Number of Course Modules: 5
- Estimated Time to Complete: 2-2.5 hours
- Featured Analysts:
- Cameron Smith, Senior Consulting Analyst, Security Practice
- James McCloskey, Sr. Research Director, Security Practice
- Now Playing: Executive Brief
Book Your Workshop
Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Assess Security Requirements
The Purpose
- Determine the business, customer, compliance goals and obligations that the security strategy must support.
- Define organizational security pressure and risk tolerance.
Key Benefits Achieved
- Clear understanding of how to align the security strategy with the business.
- Formalized and documented security pressure and risk tolerance information.
Activities
Outputs
Discuss business and IT strategy and plans.
Determine organizational security pressure.
- Information security pressure analysis
Define business, customer, and compliance goals and obligations. Define security program scope and boundaries.
- Information security alignment and obligations statement
- Information security scope and boundaries statement
Define information security risk tolerance.
- Information Security Requirements Gathering Tool
Module 2: Perform a Gap Analysis
The Purpose
- Identify current and target security capabilities, and what would be required to achieve the target state.
Key Benefits Achieved
- Comprehensive list of all initiatives that could be undertaken to achieve security targets in every area.
Activities
Outputs
Review penetration test results (optional).
Assess current and target security capabilities.
- Current vs. target state gap analysis
Define gap initiatives to achieve target state.
- Actionable initiatives to resolve security gaps
Module 3: Prioritize Initiatives and Create Roadmap
The Purpose
- Prioritize the order of execution for security initiatives based on meaningful variables for the organization: cost / effort / security benefit / business alignment.
Key Benefits Achieved
- Prioritized roadmap of security initiatives and persuasive rationale for stakeholders.
Activities
Outputs
Define standard prioritization variables.
Estimate resources needed per initiative.
Build effort map and prioritize gap initiatives based on cost / effort / benefit / alignment.
- Security strategy roadmap and action plan
Build roadmap for execution order for gap initiatives.
Module 4: Communicate and Implement
The Purpose
- Assemble all information generated during the workshop into a concise and compelling communication deck and action plan.
- Understand how to use Info-Tech’s methodology to continually manage security initiatives.
- Produce final deliverables.
Key Benefits Achieved
- All inputs from the workshop are pulled together into meaningful and usable deliverables.
Activities
Outputs
Finalize deliverables.
- Security strategy and roadmap deck/document
- Detailed cost and effort estimates
- Mapping of Info-Tech resources against individual initiatives
Support communication efforts.
Identify resources in support of high-priority initiatives.
