Information Security Strategy Best Practices

Adopt the best practices for establishing and improving your security program using effective strategy planning.


Pivot the cybersecurity narrative away from defense

If you want strategic money, you need to solve a strategic problem. In the context of cybersecurity, that means changing how you talk about it away from tactically defending against threats toward enabling key business outcomes. This research shows how to:

  • Talk about cyber effects in terms of threat outcomes.
  • Describe which business capabilities are critical, the possible cyber effects, and how you can arrange your resources to mitigate them.
  • Prioritize and fund investments.

For effective cybersecurity, build a complete, defensible program

Too many information security (IS) teams buy technology without defining accountability and objectives. For better impact, build a complete IS program designed to address the risks of digital business.

The information security strategy is one component of a defensible program

Effective cybersecurity, also referred to here as information security, requires a complete and defensible security program that ensures a balance between protecting and running the business. It includes five key components:

  1. An enterprise information security charter: Executive mandate

    This is a short document written in plain language that establishes clear owner accountability for protecting information resources, and provides a mandate for the CISO to establish and maintain the security program.

    This charter document must be read, understood, signed off, visibly endorsed and annually reaffirmed by the CEO and board of the organization.

  2. Terms of reference: Reference model

    A key element of a defensible program is the ability to demonstrate that the organization is in line with accepted practices and standards. With respect to the security program, this means using one or more taxonomical reference models, based on accepted industry standards (such as the NIST cybersecurity framework [CSF], ISO/IEC 27001/2 or CIS Controls [formerly known as Critical Security Controls]) to guide strategic and tactical decisions.

  3. Governance structures: Accountability

    Many regulations require organizations to have a CISO with appropriate independence from information resource and control owners. A virtual CISO can be an acceptable compromise in some situations. The CISO function ideally reports outside the office of the CIO to avoid certain conflicts of interest.

    As for decision making, an enterprise security steering committee can be an effective forum for discussing security challenges, proposed policies and investment plans. This forum should include representatives from information-owning business units and staff functions (IT, legal, HR and privacy office). Executive reporting frameworks and processes should also be defined.

  4. Strategy: Vision, mission and roadmap

    Getting business support for the security program requires a clear vision that explains its components and objectives and how they relate to business goals. The vision should align with proven practices and standards, and be grounded in current-state assessments for the organization, as well as peer benchmarks on level of spend, number of staff, program maturity or levels of compliance with generally accepted standards. See the vision, current-state and prioritization sections below for more details.

  5. Security processes: Execution

    The security program must be geared toward anticipating and reacting to frequent, unexpected changes in the business, technology and operating environments. It should also drive continuous improvement in the effectiveness and efficiency of security controls.

    The ability to continuously improve while simultaneously reacting to change requires the information security program to agree on a set of principles that guide security implementation and operations on a day-to-day basis, such as:

    • Making control decisions based on specific risk and risk appetite rather than on check-box compliance

    • Supporting business outcomes rather than solely protecting the infrastructure

    • Always considering the human element when designing and managing security controls

The information security strategy defines the vision and how to achieve it

An information security strategy sets out the medium- to long-term direction of the cybersecurity program. It outlines how the security organization will support and enable the corporate strategy and digital trajectory. It also helps the organization budget and document the rationale behind strategic decisions and resource allocation.

Cybersecurity leaders are often so occupied by tactical challenges that they don’t take the time to engage in effective strategic planning. Yet, strategy is a key component of an effective information security program. The basic elements are similar to any other strategic planning process, including best practices specific to the security discipline to:

  • Articulate the strategic vision and business drivers.

  • Define the current state of information security in the organization using maturity assessments, vulnerability assessments, risk assessments, audit findings and penetration tests to provide different perspectives.

  • Provide a prioritized roadmap that clearly links projects and corrective actions to the gaps, risks or vulnerabilities identified in the assessments and to the relevant business, technology and environmental drivers.

Once security leaders have documented the strategy, including policies and standards of practice, they must socialize it with the business leaders who will be expected to adhere to them.

Finally, the enterprise security steering committee should review, discuss and approve security policy in a collaborative manner before formally documenting, disseminating and communicating it via the security awareness program, annual training sessions and attestation.

Define a strategic vision or desired state for the security program

As noted, the information security vision, mission and roadmap explain the objectives of the program and its component parts in terms that business executives can understand and support. The strategic vision articulates the desired state that the information security strategy aims to achieve during the planning period.

As mentioned, most organizations will base their vision on international standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) or ISO 27001. You should not stop with the standard elements, however. Instead, incorporate relevant business, technology and environmental drivers specific to your organization to align your vision with the business's goals and objectives. Example drivers include:

Business drivers:

  • Cost-cutting programs
  • Product diversification
  • Geographical expansion
  • M&As or divestitures

Technology drivers:

  • Digitalization strategy
  • Data center consolidation
  • Cloud adoption

Environmental drivers:

  • Economic downturns and recessions or growth conditions
  • Sociopolitical unrest
  • Geopolitical tensions, including trade wars
  • Impending regulatory changes

Include the specific information security objectives you want to achieve during the planning period as part of the vision. These objectives should include:

  • An overall maturity level for the program and target maturity levels for specific processes and functions

  • A level of accepted risk exposure within an agreed risk appetite set by the executive leadership (include the defined risk appetite in the vision documentation)

  • New capabilities and architectures to address emerging threats or disruptive technologies

  • Support for the enterprise growth strategy — for example, an information security framework for integrating acquired organizations into the corporate security program

These objectives should be socialized and agreed on by key stakeholders, typically at the initiation of the strategy planning process and during the approval of the proposed roadmap to execute the strategy. Leverage the enterprise security steering committee for this step.

You may also want to include a set of guiding principles as part of the cybersecurity strategy vision to provide guardrails during the planning process. Examples of such principles include:

  • Accountability for protecting information and information resources belongs to the information owners. In cases of shared information and resources, the CIO is the proxy owner.

  • The enterprise risk appetite informs all security decisions, and all security controls will be commensurate with the related risk.

  • Information security policies, standards, guidelines and procedures are developed to communicate security requirements and guide the selection and implementation of security control measures.

Assess the current state of the IS program and identify capability gaps

Once you have defined the vision for the IS program, assess the current state of the program and identify gaps that must be closed in order to realize the vision.

Use a combination of different assessment types to capture the current state. Examples include:

  • Vulnerability assessments and penetration tests to assess the technical infrastructure

  • Risk assessments to balance the investment in controls that are appropriate to the actual risks

  • Recent audit findings

  • Control effectiveness assessments to determine the maturity of control implementation, benchmarked to similar peers and aligned to industry standards

  • Program management assessments to evaluate and benchmark the maturity of cybersecurity policies, processes and programs

  • Cybersecurity spending and staffing benchmarks to compare resourcing to similar peers

Summarize the assessment results in a “current state” document that is attached to the strategic planning materials.

Perform a gap analysis

Map the current state against the vision statement, objectives and key drivers to identify gaps between the current and desired states. Some gaps clearly indicate specific actions — for example, the need to develop cybersecurity policies specific to public cloud computing. The right response is not always obvious for gaps that have multiple factors and dependencies — for example, how to mature the security governance function from Level 2.5 to Level 3.5 over a two-year period.

Prioritize projects and share the strategy with executive leaders to get buy-in

The gap analysis should result in a list of potential actions and projects, as well as cybersecurity policies to initiate. However, only a few organizations have the resources required to execute on all of the identified activities. Set priorities using the following criteria:

  • The level of risk reduction potential of a given project or activity
  • The resources required, such as skills, staff and systems
  • The financial cost
  • The time to value

Prioritize a mix of longer and shorter time-to-value projects within the planning period. This enables the security program to demonstrate meaningful progress in quarterly increments, which makes it easier to maintain long-term executive support for the security program.

Be sure to maintain links among the projects and activities, and the current-state realities, objectives and drivers as outlined in the vision statement. That provides a line of sight between objectives, realities and proposed actions, and supports effective executive communication during the approval stage.

That communication will typically include a written report and an executive presentation, which describe the current and desired states and how the priorities will help bridge the gaps between them. Focus the presentation on how the projects will contribute to the business value. Explicitly highlight how the information security strategy aligns with the business strategy in the executive communications materials.

Even after you gain approval for the strategy, it is key to establish a quarterly cadence of reporting and communication on progress and challenges. Be clear about:

  • Expected benefits that were fully or partially realized and those that were not realized
  • Unexpected benefits and disadvantages that materialized
  • Projects that are inconclusive
  • Triggers to security responses or challenges that might require a change to the strategy or in cybersecurity policies

Institute quarterly reviews and scenario-planning workshops to identify what — if any — drivers have changed to trigger adjustments to the current strategy. This review process should also identify any key leading indicators of large-impact external trends or events that will necessitate major security strategy and roadmap changes.
