February 10, 2016 By Derek Brink

This is Part 5 in our six-part series on creating a strategy map for security leaders. Be sure to read Part 1, Part 2, Part 3 and Part 4 for the full story.

The fourth row and foundation for our strategy map for security leaders consists of the people, processes and technologies that the information security team needs to excel at their most critical operational capabilities. These three elements allow them to be perceived as subject matter experts and trusted advisers by the key stakeholders in the organization, which in turn helps them to deliver against their strategic objectives of managing security-related risks.

Diving Into the Strategy Map for Security Leaders

As discussed previously, the four rows in a strategy map are meant to describe the cause-and-effect relationships that represent the hypothesis for a given strategy. While strategies are typically described from the top down, they are always executed from the bottom up.

At this foundational, hands-on-keyboards, eyes-on-screens level, the specific people, processes and systems needed to execute an information security strategy are unique to each organization. In other words, it’s unrealistic to prescribe one definitive mix of technical, administrative and physical controls for use by all organizations because each organization has its own unique context of networks, systems, applications, data, users, regulatory requirements, industry, mission, business strategy, corporate culture and appetite for risk.

In the lowest level of the strategy map, one size does not fit all.

Even so, there are a handful of specific areas that can be personalized for inclusion in virtually every security leader’s strategy map.

Security Management and Security Governance

As discussed previously in this series, the next generation of security leaders is striving for a more exclusive focus on information security governance while simultaneously shifting the hands-on, operational aspects of information security management to the IT organization or third-party specialists. For this reason, our generalized strategy map depicts these areas with a dotted outline.

Different organizations may be at different stages of separation between security governance and security management, which can be distinguished in part by the dimensions listed in the following table:

Third-Party Risks

In the typical enterprise value chain, an increased use of outsourcing, managed services, cloud service providers and other third-party relationships has rightly led to a stronger focus on managing third-party risk. Ideally, in their dual role as subject matter experts and trusted advisers, the information security team is actively involved in third-party relationships before, during and after the agreements are signed.

Before the Agreement

Leading up to a new third-party relationship, the most important objective is that security, privacy, compliance and risk are neither ignored nor left as fire drills for the final hours before signing. On the contrary, best practice is to establish a partnership between procurement, vendor risk management, IT, security and legal staff from the very beginning of each engagement.

During the Negotiations

Whether using the third party’s contractual agreement or the organization’s own master agreement, several topics deserve explicit focus and attention. These include: how data is handed off; where data is located; how and why data is retained; how data is destroyed; mechanisms for ongoing assessments; business continuity plans; and the means to gracefully end and transfer the process or service back to the organization or to another third party.

After the Agreement Is Signed

Experts agree that signing the agreement is not the end of managing third-party risk but the beginning. The third-party relationship should be reassessed on a regular basis, particularly whenever there is a change in the scope of the agreement, a material change in technology or after experiencing an incident.

A Security Control Framework

Given the many disruptive changes in information technology that organizations are struggling to keep pace with, along with the overwhelming abundance of choice for potential solutions in these areas, many security practitioners find it virtually impossible to evaluate options and make technical recommendations for the most appropriate mix of security controls.

To cut through what has been referred to as the fog of more, many organizations have turned to some kind of standardized security controls framework — such as the NIST Cybersecurity Framework, the Center for Internet Security’s Controls or the DHS’s Continuous Diagnostics and Mitigation — as a guide. These standards can help departments leverage the successful experiences of others and prevent them from unnecessarily reinventing the wheel.

The first step is to determine what framework your organization’s business leaders will view as a trusted and authoritative source. You can then apply your own intelligence and reason to it, based on your organization’s specific context. Unless it’s a compliance requirement, use the elements of the framework that help your organization and discard those that don’t. In other words, make sure the security control framework is working for you — not the other way around.

Hiring and Growth

Building and maintaining an effective information security team has several dimensions. Technical knowledge is necessary, but by itself it’s not sufficient for all roles. For a specific and immediate need, technical degrees and certifications are a helpful indicator for a new hire, but security leaders consistently say that they look for the right kind of attitude and cultural fit as well as specific aptitudes. Some people will be on the security team by nature, and others will be developed by nurture.

In a job market where people with strong technical skills — and, better yet, technical skills combined with effective communication skills and solid business acumen — are in extremely high demand, the security leader also needs to pay close attention to working environment, incentives and professional development. This ties in directly with one of the critical capabilities identified in the third row of our strategy map: security leaders need to develop strong skills as builders based on a strong sense of stewardship, a focus on growth of people and a commitment to growth of community.

Risk Management

It’s appropriate to round off our list of areas that should be included in every security leader’s strategy map with risk management. Managing security-related risks, both unrewarded and rewarded, is the answer to the existential question that every information security team has to answer: What value do you provide?

As we come to the end of our walk through the generalized strategy map for security leaders, it should go without saying that a high-value information security team must do much more than specify a mix of technical, administrative and physical security controls. Foundational to its central mission, the information security team needs to implement the people, processes and enabling technologies necessary to identify, assess and communicate effectively about security-related risks.
