This is Part 5 in our six-part series on creating a strategy map for security leaders. Be sure to read Part 1, Part 2, Part 3 and Part 4 for the full story.

The fourth row and foundation for our strategy map for security leaders consists of the people, processes and technologies that the information security team needs to excel at their most critical operational capabilities. These three elements allow them to be perceived as subject matter experts and trusted advisers by the key stakeholders in the organization, which in turn helps them to deliver against their strategic objectives of managing security-related risks.

Diving Into the Strategy Map for Security Leaders

As discussed previously, the four rows in a strategy map are meant to describe the cause-and-effect relationships that represent the hypothesis for a given strategy. While strategies are typically described from the top down, they are always executed from the bottom up.

At this foundational, hands-on-keyboards, eyes-on-screens level, the specific people, processes and systems needed to execute an information security strategy are unique to each organization. In other words, it’s unrealistic to prescribe one definitive mix of technical, administrative and physical controls for use by all organizations because each organization has its own unique context of networks, systems, applications, data, users, regulatory requirements, industry, mission, business strategy, corporate culture and appetite for risk.

In the lowest level of the strategy map, one size does not fit all.

Even so, there are a handful of specific areas that can be personalized for inclusion in virtually every security leader’s strategy map.

Security Management and Security Governance

As discussed previously in this series, the next generation of security leaders is striving for a more exclusive focus on information security governance while simultaneously shifting the hands-on, operational aspects of information security management to the IT organization or third-party specialists. For this reason, our generalized strategy map depicts these areas with a dotted outline.

Different organizations may be at different stages of separation between security governance and security management, which can be distinguished in part by the dimensions listed in the following table:

Third-Party Risks

In the typical enterprise value chain, an increased use of outsourcing, managed services, cloud service providers and other third-party relationships has rightly led to a stronger focus on managing third-party risk. Ideally, in their dual role as subject matter experts and trusted advisers, the information security team is actively involved in third-party relationships before, during and after the agreements are signed.

Before the Agreement

Leading up to a new third-party relationship, the most important objective is that security, privacy, compliance and risk are neither ignored nor left as fire drills for the final hours before signing. On the contrary, best practice is to establish a partnership between procurement, vendor risk management, IT, security and legal staff from the very beginning of each engagement.

During the Negotiations

Whether using the third party’s contractual agreement or the organization’s own master agreement, several topics deserve explicit focus and attention. These include: how data is handed off; where data is located; how and why data is retained; how data is destroyed; mechanisms for ongoing assessments; business continuity plans; and the means to gracefully end and transfer the process or service back to the organization or to another third party.

After the Agreement Is Signed

Experts agree that signing the agreement is not the end of managing third-party risk but the beginning. The third-party relationship should be reassessed on a regular basis, particularly whenever there is a change in the scope of the agreement, a material change in technology or after experiencing an incident.

A Security Control Framework

Given the many disruptive changes in information technology that organizations are struggling to keep pace with, along with the overwhelming abundance of choice for potential solutions in these areas, many security practitioners find it virtually impossible to evaluate options and make technical recommendations for the most appropriate mix of security controls.

To cut through what has been referred to as the fog of more, many organizations have turned to some kind of standardized security controls framework — such as the NIST Cybersecurity Framework, the Center for Internet Security’s Controls or the DHS’s Continuous Diagnostics and Mitigation — as a guide. These standards can help departments leverage the successful experiences of others and prevent them from unnecessarily reinventing the wheel.

The first step is to determine what framework your organization’s business leaders will view as a trusted and authoritative source. You can then apply your own intelligence and reason to it, based on your organization’s specific context. Unless it’s a compliance requirement, use the elements of the framework that help your organization and discard those that don’t. In other words, make sure the security control framework is working for you — not the other way around.

Hiring and Growth

Building and maintaining an effective information security team has several dimensions. Technical knowledge is necessary, but by itself it’s not sufficient for all roles. For a specific and immediate need, technical degrees and certifications are a helpful indicator for a new hire, but security leaders consistently say that they look for the right kind of attitude and cultural fit as well as specific aptitudes. Some people will be on the security team by nature, and others will be developed by nurture.

In a job market where people with strong technical skills — and, better yet, technical skills combined with effective communication skills and solid business acumen — are in extremely high demand, the security leader also needs to pay close attention to working environment, incentives and professional development. This ties in directly with one of the critical capabilities identified in the third row of our strategy map: security leaders need to develop strong skills as builders based on a strong sense of stewardship, a focus on growth of people and a commitment to growth of community.

Risk Management

It’s appropriate to round off our list of areas that should be included in every security leader’s strategy map with risk management. Managing security-related risks, both unrewarded and rewarded, is the answer to the existential question that every information security team has to answer: What value do you provide?

As we come to the end of our walk through the generalized strategy map for security leaders, it should go without saying that a high-value information security team must do much more than specify a mix of technical, administrative and physical security controls. Foundational to its central mission, the information security team needs to implement the people, processes and enabling technologies necessary to identify, assess and communicate effectively about security-related risks.
