This is Part 5 in our six-part series on creating a strategy map for security leaders. Be sure to read Part 1, Part 2, Part 3 and Part 4 for the full story.

The fourth row and foundation for our strategy map for security leaders consists of the people, processes and technologies that the information security team needs to excel at their most critical operational capabilities. These three elements allow them to be perceived as subject matter experts and trusted advisers by the key stakeholders in the organization, which in turn helps them to deliver against their strategic objectives of managing security-related risks.

Diving Into the Strategy Map for Security Leaders

As discussed previously, the four rows in a strategy map are meant to describe the cause-and-effect relationships that represent the hypothesis for a given strategy. While strategies are typically described from the top down, they are always executed from the bottom up.

At this foundational, hands-on-keyboards, eyes-on-screens level, the specific people, processes and systems needed to execute an information security strategy are unique to each organization. In other words, it’s unrealistic to prescribe one definitive mix of technical, administrative and physical controls for use by all organizations because each organization has its own unique context of networks, systems, applications, data, users, regulatory requirements, industry, mission, business strategy, corporate culture and appetite for risk.

In the lowest level of the strategy map, one size does not fit all.

Even so, there are a handful of specific areas that can be personalized for inclusion in virtually every security leader’s strategy map.

Security Management and Security Governance

As discussed previously in this series, the next generation of security leaders is striving for a more exclusive focus on information security governance while simultaneously shifting the hands-on, operational aspects of information security management to the IT organization or third-party specialists. For this reason, our generalized strategy map depicts these areas with a dotted outline.

Different organizations may be at different stages of separation between security governance and security management, which can be distinguished in part by the dimensions listed in the following table:

Third-Party Risks

In the typical enterprise value chain, an increased use of outsourcing, managed services, cloud service providers and other third-party relationships has rightly led to a stronger focus on managing third-party risk. Ideally, in their dual role as subject matter experts and trusted advisers, the information security team is actively involved in third-party relationships before, during and after the agreements are signed.

Before the Agreement

Leading up to a new third-party relationship, the most important objective is that security, privacy, compliance and risk are neither ignored nor left as fire drills for the final hours before signing. On the contrary, best practice is to establish a partnership between procurement, vendor risk management, IT, security and legal staff from the very beginning of each engagement.

During the Negotiations

Whether using the third party’s contractual agreement or the organization’s own master agreement, several topics deserve explicit focus and attention. These include: how data is handed off; where data is located; how and why data is retained; how data is destroyed; mechanisms for ongoing assessments; business continuity plans; and the means to gracefully end and transfer the process or service back to the organization or to another third party.

After the Agreement Is Signed

Experts agree that signing the agreement is not the end of managing third-party risk but the beginning. The third-party relationship should be reassessed on a regular basis, particularly whenever there is a change in the scope of the agreement, a material change in technology or after experiencing an incident.

A Security Control Framework

Given the many disruptive changes in information technology that organizations are struggling to keep pace with, along with the overwhelming abundance of choice for potential solutions in these areas, many security practitioners find it virtually impossible to evaluate options and make technical recommendations for the most appropriate mix of security controls.

To cut through what has been referred to as the fog of more, many organizations have turned to some kind of standardized security controls framework — such as the NIST Cybersecurity Framework, the Center for Internet Security’s Controls or the DHS’s Continuous Diagnostics and Mitigation — as a guide. These standards can help departments leverage the successful experiences of others and prevent them from unnecessarily reinventing the wheel.

The first step is to determine what framework your organization’s business leaders will view as a trusted and authoritative source. You can then apply your own intelligence and reason to it, based on your organization’s specific context. Unless it’s a compliance requirement, use the elements of the framework that help your organization and discard those that don’t. In other words, make sure the security control framework is working for you — not the other way around.

Hiring and Growth

Building and maintaining an effective information security team has several dimensions. Technical knowledge is necessary, but by itself it’s not sufficient for all roles. For a specific and immediate need, technical degrees and certifications are a helpful indicator for a new hire, but security leaders consistently say that they look for the right kind of attitude and cultural fit as well as specific aptitudes. Some people will be on the security team by nature, and others will be developed by nurture.

In a job market where people with strong technical skills — and, better yet, technical skills combined with effective communication skills and solid business acumen — are in extremely high demand, the security leader also needs to pay close attention to working environment, incentives and professional development. This ties in directly with one of the critical capabilities identified in the third row of our strategy map: security leaders need to develop strong skills as builders based on a strong sense of stewardship, a focus on growth of people and a commitment to growth of community.

Risk Management

It’s appropriate to round off our list of areas that should be included in every security leader’s strategy map with risk management. Managing security-related risks, both unrewarded and rewarded, is the answer to the existential question that every information security team has to answer: What value do you provide?

As we come to the end of our walk through the generalized strategy map for security leaders, it should go without saying that a high-value information security team must do much more than specify a mix of technical, administrative and physical security controls. Foundational to its central mission, the information security team needs to implement the people, processes and enabling technologies necessary to identify, assess and communicate effectively about security-related risks.
