Check out the first installment on building an information security strategy to learn why it’s important to conduct a security gap or risk assessment when establishing such a plan.

When building an information security strategic plan, it’s critical to understand the business and IT strategies. If a well-articulated business and IT strategy is available, it can be another starting point for creating the strategy. If one isn’t available, however, consider interviewing key senior executives for some forward-thinking insight. The objective is to understand the direction of the business as it relates to IT and determine what kind of security strategy could support the needs of both.

These data points serve as the foundation upon which the plan can be developed into a narrative document that defines and prioritizes broad strategic security initiatives and corresponding tasks into a multiyear road map. Initiatives capture the essence of these various tasks and provide context to their objectives and goals. The road map ultimately becomes a prioritized project plan to guide the execution and implementation of the tasks.

Security Strategy Starts With the CISO

To achieve the desired information security program, organizations should coordinate all security-related functions under the direction of a chief information security officer (CISO). The CISO should be strategically placed within the organization to ensure proper visibility of security issues and manage risk in a way that aligns with business objectives.

The CISO should serve as the focal point for information security matters and, in conjunction with an information security committee, ensure that line-of-business (LOB) security objectives are achieved. They also provide overall leadership to the information security program, coordinate with complimentary programs and integrate closely with LOB executives.

By coordinating all information security activities under the guidance and leadership of a CISO, an organization can significantly improve its security posture and reduce risk. CISOs hold responsibility for the information security program and provide the focus and strategic presence necessary for it to achieve its vision and mission.

Aligning IT Initiatives With Business Goals

Hiring a CISO is one of the most important tasks in this plan. To achieve the information security program vision and mission, the CISO should champion security initiatives throughout the organization. This requires a CISO with strong leadership skills, executive presence, security knowledge and effective placement within the organization.

• Leadership: The CISO should provide executive leadership in developing, planning, coordinating, administering, managing, staffing and supervising all information security-related operations and activities.
• Executive presence: A security leader should serve as a spokesperson for the information security program, deliver presentations to the board of directors and address concerns expressed by auditors, vendors and clients. The CISO should also have the executive presence to effectively represent the organization’s IT position and influence other members of the C-suite, which requires effective communication skills.
• Security knowledge: CISOs draw from a solid basis of IT knowledge to determine the organization’s stance on security issues. This requires at least 10 years of experience in the field. The CISO should also possess strong analytical and diagnostic abilities to understand and apply theoretical concepts to practical problems.
• Organizational placement: Organizational placement of the security leader may vary by organization. However, the information security program should be treated as an enterprisewide responsibility addressing people, process and technology issues. The CISO needs senior executive sponsorship and support.

It should take organizations roughly three calendar months to define the CISO’s expanded role, socialize with impacted parties and transform the position. It might take an additional two to three months to identify and interview candidates before ultimately hiring a CISO.

Building an Information Security Strategic Plan

Strategic initiatives like this example, when completed as prioritized within the plan, can significantly enhance and extend any organization’s information security program. Such a plan can help improve the efficiency and effectiveness of security decision-making, better align the program with IT and business strategies and enhance the organization’s ability to assess and validate compliance with ever-changing regulatory requirements. An effective information security strategic plan defines a general path for achieving initiatives and tasks, while also providing focus for those responsible for getting the job done.

Delivering an information security strategic plan is a complex process involving a wide variety of evolving technologies, processes and people. It requires an investment of time, effort and money. An effective plan helps executive management appropriately manage risk, visualize where the plan leads, understand its purpose, and prioritize and execute critical tasks.