Small Enterprise Resources icon

Build an Information Security Strategy for Small Enterprises

Large threats target small enterprises. Protect and defend your organization against the inevitability of cyberattack.

Get Instant Access to this Blueprint

View Storyboard

Solution Set Storyboard Thumbnail


  • Peter Clay, Zeneth Tech Partners, Principal
  • Ken Towne, Zeneth Tech Partners, Security Architect
  • Luciano Siqueria, Road Track, IT Security Manager
  • David Rahbany, The Hain Celestial Group, Director IT Infrastructure
  • Rick Vadgama, Cimpress, Head of Information Privacy and Security
  • Doug Salah, Wabtec Corp, Manager of Information Security and IT Audit
  • Peter Odegard, Children’s Hospitals and Clinics, Information Security Officer
  • Trevor Butler, City of Lethbridge, Information Technology General Manager
  • Shane Callahan, Tractor Supply, Director of Information Security
  • Jeff Zalusky, Chrysalis, President/CEO
  • Candy Alexander, Independent Consultant, Cybersecurity and Information Security Executive
  • Dan Humbert, YMCA of Central Florida, Director of Information Technology
  • Ron Kirkland, Crawford & Co, Manager ICT Security & Customer Service
  • Jason Bevis, FireEye, Senior Director Orchestration Product Management – Office of the CTO
  • Joan Middleton, Village of Mount Prospect, IT Director
  • Jim Burns, GreatAmerica Financial Services, Vice President Information Technology
  • Ryan Breed, Hudson’s Bay, Information Security Analyst
  • James Fielder, Farm Credit Services – Central Illinois, Vice President of Information Systems

Your Challenge

  • Ironically, the misconception that small enterprises are less targeted due to having less-valuable assets has led to increases in breaches as these organizations have failed to strengthen their defense against threat, which has increased their vulnerability in the wake of more advanced, automated, and indiscriminate cyberattacks.

Our Advice

Critical Insight

  • Just because you haven’t identified a breach doesn’t mean you’re secure. A good security program is proactive about closing security gaps because ignorance is never blissful.

Impact and Result

  • Security requirements gathering across the organization, key stakeholders, customers, regulators, and other parties ensures the security strategy is built in alignment with and supportive of strategies and plans.
  • Info-Tech’s small enterprise security framework ensures the appropriate areas of security are made the primary focus of your current/target state assessment and strategy.
  • Tested and proven rationalization and prioritization methodologies ensure the strategy you generate is not only the one the organization needs, but also the one the organization will support.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build an information security strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Assess security requirements

Define the business, customer, and compliance alignment for the security program and determine the organization’s security risk tolerance.

2. Build a gap initiative strategy

Use our small enterprise security framework to perform a gap analysis between current and target states and define security goals and duties.

3. Prioritize initiatives and build roadmap

Synthesize and prioritize the gap analysis into a list of actionable security initiatives.

Guided Implementations

This guided implementation is a seven call advisory process.

Guided Implementation #1 - Assess security requirements

Call #1 - Introduce project and complete pressure analysis.
Call #2 - Define security obligations and organizational risk tolerance level.

Guided Implementation #2 - Build a gap initiative strategy

Call #1 - Introduce the maturity assessment.
Call #2 - Perform gap analysis and translate into initiatives (often several calls to work through the gap analysis).

Guided Implementation #3 - Prioritize initiatives and build roadmap

Call #1 - Consolidate related gap initiatives.
Call #2 - Review cost/benefit analysis and build an effort map.
Call #3 - Build implementation waves and introduce Gantt chart.

Onsite Workshop

Unlock This Blueprint

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess Security Requirements

The Purpose

  • Determine the business, customer, and compliance goals and obligations that the security strategy must support.
  • Define organizational security risk tolerance.

Key Benefits Achieved

  • Clear understanding of how to align the security strategy with the business.
  • Formalized and documented security pressure and risk tolerance information.




Discuss business and IT strategy and plans.

  • Shared understanding of security strategy drivers

Define business, customer, and compliance goals and obligations.

  • Information security alignment and obligations statement

Define information security risk tolerance.

  • Defined information security risk tolerance

Module 2: Perform a Gap Analysis

The Purpose

  • Identify current and target security capabilities and what would be required to achieve the target state.

Key Benefits Achieved

  • Comprehensive list of all initiatives that could be undertaken to achieve security targets in every area.




Assess current and target security capabilities.

  • Current- vs. target-state gap analysis

Define gap initiatives to achieve target state.

  • Actionable initiatives to resolve security gaps

Module 3: Plan for the Transition

The Purpose

  • Prioritize the order of execution for security initiatives.

Key Benefits Achieved

  • Prioritized roadmap of security initiatives and persuasive rationale for stakeholders.




Build effort map and prioritize gap initiatives.


Build roadmap for execution order for gap initiatives.

  • Security strategy roadmap and action plan

Search Code: 91139
Published: February 6, 2020
Last Revised: February 6, 2020

Visit our COVID-19 Resource Center and our Cost Management Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019