Adopt the best practices for establishing and improving your security program using effective strategy planning.
If you want strategic money, you need to solve a strategic problem. In the context of cybersecurity, that means changing how you talk about it away from tactically defending against threats toward enabling key business outcomes. This research shows how to:
Too many information security (IS) teams buy technology without defining accountability and objectives. For better impact, build a complete IS program designed to address the risks of digital business.
Effective cybersecurity, also referred to here as information security, requires a complete and defensible security program that ensures a balance between protecting and running the business. It includes five key components:
An enterprise information security charter: Executive mandate
This is a short document written in plain language that establishes clear owner accountability for protecting information resources, and provides a mandate for the CISO to establish and maintain the security program.
This charter document must be read, understood, signed off, visibly endorsed and annually reaffirmed by the CEO and board of the organization.
Terms of reference: Reference model
A key element of a defensible program is the ability to demonstrate that the organization is in line with accepted practices and standards. With respect to the security program, this means using one or more taxonomical reference models, based on accepted industry standards (such as the NIST cybersecurity framework [CSF], ISO/IEC 27001/2 or CIS Controls [formerly known as Critical Security Controls]) to guide strategic and tactical decisions.
Governance structures: Accountability
Many regulations require organizations to have a CISO with appropriate independence from information resource and control owners. A virtual CISO can be an acceptable compromise in some situations. The CISO function ideally reports outside the office of the CIO to avoid certain conflicts of interest.
As for decision making, an enterprise security steering committee can be an effective forum for discussing security challenges, proposed policies and investment plans. This forum should include representatives from information-owning business units and staff functions (IT, legal, HR and privacy office). Executive reporting frameworks and processes should also be defined.
Strategy: Vision, mission and roadmap
Getting business support for the security program requires a clear vision that explains its components and objectives and how they relate to business goals. The vision should align with proven practices and standards, and be grounded in current-state assessments of the organization, as well as peer benchmarks on level of spend, number of staff, program maturity or levels of compliance with generally accepted standards. The vision, current state and prioritization sections below cover this in more detail.
Security processes: Execution
The security program must be geared toward anticipating and reacting to frequent, unexpected changes in the business, technology and operating environments. It should also drive continuous improvement in the effectiveness and efficiency of security controls.
The ability to continuously improve while simultaneously reacting to change requires the information security program to agree on a set of principles that guide security implementation and operations on a day-to-day basis, such as:
Making control decisions based on specific risk and risk appetite rather than on check-box compliance
Supporting business outcomes rather than solely protecting the infrastructure
Always considering the human element when designing and managing security controls
An information security strategy sets out the medium- to long-term direction of the cybersecurity program. It outlines how the security organization will support and enable the corporate strategy and digital trajectory. It also helps the organization budget and document the rationale behind strategic decisions and resource allocation.
Cybersecurity leaders are often so occupied by tactical challenges that they don’t take the time to engage in effective strategic planning. Yet strategy is a key component of an effective information security program. The basic elements are similar to those of any other strategic planning process, supplemented by practices specific to the security discipline, to:
Articulate the strategic vision and business drivers.
Define the current state of information security in the organization using maturity assessments, vulnerability assessments, risk assessments, audit findings and penetration tests to provide different perspectives.
Provide a prioritized roadmap that clearly links projects and corrective actions to the gaps, risks or vulnerabilities identified in the assessments and to the relevant business, technology and environmental drivers.
Once security leaders have documented the strategy, including its policies and standards of practice, they must socialize it with the business leaders who will be expected to adhere to them.
As noted, the information security vision, mission and roadmap explain the objectives of the program and its component parts in terms that business executives can understand and support. The strategic vision articulates the desired state that the information security strategy aims to achieve during the planning period.
As mentioned, most organizations will base their vision on international standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) or ISO 27001. You should not stop with the standard elements, however. Instead, incorporate the business, technology and environmental drivers specific to your organization to align your vision with the business's goals and objectives. Example drivers include:
Business drivers:
Technology drivers:
Environmental drivers:
Include the specific information security objectives you want to achieve during the planning period as part of the vision. These objectives should include:
An overall maturity level for the program and target maturity levels for specific processes and functions
A level of accepted risk exposure within an agreed risk appetite set by the executive leadership (include the defined risk appetite in the vision documentation)
New capabilities and architectures to address emerging threats or disruptive technologies
Support for the enterprise growth strategy — for example, an information security framework for integrating acquired organizations into the corporate security program
These objectives should be socialized and agreed on by key stakeholders, typically at the initiation of the strategy planning process and during the approval of the proposed roadmap to execute the strategy. Leverage the enterprise security steering committee for this step.
You may also want to include a set of guiding principles as part of the cybersecurity strategy vision to provide guardrails during the planning process. Examples of such principles include:
Accountability for protecting information and information resources belongs to the information owners. In cases of shared information and resources, the CIO is the proxy owner.
The enterprise risk appetite informs all security decisions, and all security controls will be commensurate with the related risk.
Information security policies, standards, guidelines and procedures are developed to communicate security requirements and guide the selection and implementation of security control measures.
Once you have defined the vision for the IS program, assess the current state of the program and identify gaps that must be closed in order to realize the vision.
Use a combination of different assessment types to capture the current state. Examples include:
Vulnerability assessments and penetration tests to assess the technical infrastructure
Risk assessments to balance the investment in controls that are appropriate to the actual risks
Recent audit findings
Control effectiveness assessments to determine the maturity of control implementation, benchmarked to similar peers and aligned to industry standards
Summarize the assessment results in a “current state” document that is attached to the strategic planning materials.
Map the current state against the vision statement, objectives and key drivers to identify gaps between the current and desired states. Some gaps clearly indicate specific actions — for example, the need to develop cybersecurity policies specific to public cloud computing. The right response is not always obvious for gaps that involve multiple factors and dependencies — such as how to mature the security governance function from Level 2.5 to Level 3.5 over a two-year period.
The gap analysis should result in a list of potential actions and projects, as well as cybersecurity policies to initiate. However, only a few organizations have the resources required to execute on all of the identified activities. Set priorities using the following criteria:
Prioritize a mix of longer and shorter time-to-value projects within the planning period. This enables the security program to demonstrate meaningful progress in quarterly increments, which makes it easier to maintain long-term executive support for the security program.
Be sure to maintain links among the projects and activities, and the current-state realities, objectives and drivers as outlined in the vision statement. That provides a line of sight between objectives, realities and proposed actions, and supports effective executive communication during the approval stage.
That communication will typically include a written report and an executive presentation, which describe the current and desired states and how the priorities will help bridge the gaps between them. Focus the presentation on how the projects will contribute to the business value. Explicitly highlight how the information security strategy aligns with the business strategy in the executive communications materials.
Even after you gain approval for the strategy, it is key to establish a quarterly cadence of reporting and communication on progress and challenges. Be clear about:
Institute quarterly reviews and scenario-planning workshops to identify what — if any — drivers have changed to trigger adjustments to the current strategy. This review process should also identify any key leading indicators of large-impact external trends or events that will necessitate major security strategy and roadmap changes.