Build an Information Security Strategy for Small Enterprises
Large threats target small enterprises. Protect and defend your organization against the inevitability of cyberattack.
View Storyboard
Contributors
- Peter Clay, Zeneth Tech Partners, Principal
- Ken Towne, Zeneth Tech Partners, Security Architect
- Luciano Siqueria, Road Track, IT Security Manager
- David Rahbany, The Hain Celestial Group, Director IT Infrastructure
- Rick Vadgama, Cimpress, Head of Information Privacy and Security
- Doug Salah, Wabtec Corp, Manager of Information Security and IT Audit
- Peter Odegard, Children’s Hospitals and Clinics, Information Security Officer
- Trevor Butler, City of Lethbridge, Information Technology General Manager
- Shane Callahan, Tractor Supply, Director of Information Security
- Jeff Zalusky, Chrysalis, President/CEO
- Candy Alexander, Independent Consultant, Cybersecurity and Information Security Executive
- Dan Humbert, YMCA of Central Florida, Director of Information Technology
- Ron Kirkland, Crawford & Co, Manager ICT Security & Customer Service
- Jason Bevis, FireEye, Senior Director Orchestration Product Management – Office of the CTO
- Joan Middleton, Village of Mount Prospect, IT Director
- Jim Burns, GreatAmerica Financial Services, Vice President Information Technology
- Ryan Breed, Hudson’s Bay, Information Security Analyst
- James Fielder, Farm Credit Services – Central Illinois, Vice President of Information Systems
Your Challenge
- Ironically, the misconception that small enterprises are less targeted due to having less-valuable assets has led to increases in breaches as these organizations have failed to strengthen their defense against threat, which has increased their vulnerability in the wake of more advanced, automated, and indiscriminate cyberattacks.
Our Advice
Critical Insight
- Just because you haven’t identified a breach doesn’t mean you’re secure. A good security program is proactive about closing security gaps because ignorance is never blissful.
Impact and Result
- Security requirements gathering across the organization, key stakeholders, customers, regulators, and other parties ensures the security strategy is built in alignment with and supportive of strategies and plans.
- Info-Tech’s small enterprise security framework ensures the appropriate areas of security are made the primary focus of your current/target state assessment and strategy.
- Tested and proven rationalization and prioritization methodologies ensure the strategy you generate is not only the one the organization needs, but also the one the organization will support.
Start here – read the Executive Brief
Read our concise Executive Brief to find out why you should build an information security strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.
1. Assess security requirements
Define the business, customer, and compliance alignment for the security program and determine the organization’s security risk tolerance.
2. Build a gap initiative strategy
Use our small enterprise security framework to perform a gap analysis between current and target states and define security goals and duties.
3. Prioritize initiatives and build roadmap
Synthesize and prioritize the gap analysis into a list of actionable security initiatives.
Guided Implementations
This guided implementation is a seven call advisory process.
Guided Implementation #1 - Assess security requirements
Call #1 - Introduce project and complete pressure analysis.
Call #2 - Define security obligations and organizational risk tolerance level.
Guided Implementation #2 - Build a gap initiative strategy
Call #1 - Introduce the maturity assessment.
Call #2 - Perform gap analysis and translate into initiatives (often several calls to work through the gap analysis).
Guided Implementation #3 - Prioritize initiatives and build roadmap
Call #1 - Consolidate related gap initiatives.
Call #2 - Review cost/benefit analysis and build an effort map.
Call #3 - Build implementation waves and introduce Gantt chart.
Book Your Workshop
Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Assess Security Requirements
The Purpose
- Determine the business, customer, and compliance goals and obligations that the security strategy must support.
- Define organizational security risk tolerance.
Key Benefits Achieved
- Clear understanding of how to align the security strategy with the business.
- Formalized and documented security pressure and risk tolerance information.
Activities
Outputs
Discuss business and IT strategy and plans.
- Shared understanding of security strategy drivers
Define business, customer, and compliance goals and obligations.
- Information security alignment and obligations statement
Define information security risk tolerance.
- Defined information security risk tolerance
Module 2: Perform a Gap Analysis
The Purpose
- Identify current and target security capabilities and what would be required to achieve the target state.
Key Benefits Achieved
- Comprehensive list of all initiatives that could be undertaken to achieve security targets in every area.
Activities
Outputs
Assess current and target security capabilities.
- Current- vs. target-state gap analysis
Define gap initiatives to achieve target state.
- Actionable initiatives to resolve security gaps
Module 3: Plan for the Transition
The Purpose
- Prioritize the order of execution for security initiatives.
Key Benefits Achieved
- Prioritized roadmap of security initiatives and persuasive rationale for stakeholders.
Activities
Outputs
Build effort map and prioritize gap initiatives.
Build roadmap for execution order for gap initiatives.
- Security strategy roadmap and action plan