July 8, 2015 By Brian Evans 3 min read

Check out part two of this series to learn why the CISO should be the central figure responsible for defining an organization’s information security strategic plan and aligning it with business goals.

Some say that strategic planning is no longer practical or necessary in today’s rapidly changing technical environment, but strategy still remains an essential part of defining clear companywide goals and how to achieve them. Strategic planning is about setting long-term goals, establishing the directions and constraints that will guide the tactical achievement of these aims and identifying the assets and capabilities that the organization needs to execute the plan.

The same holds true for an information security strategic plan. A clear and concise security strategic plan allows executives, management and employees to see where they are expected to go, focus their efforts in the right direction and know when they have accomplished their goals. Unfortunately, plenty of organizations lack an information security strategic plan, or at least one that is up to date. Some even claim to have a strategy but really don’t. As a result, there’s a lack of focus and inconsistency in the actions taken across the enterprise, not to mention a greater likelihood of something bad happening. If organizations continue to view strategic planning as impractical or unnecessary, then they are less likely to effectively manage information risk.

What’s Included in an Information Security Strategic Plan?

An information security strategic plan can position an organization to mitigate, transfer, accept or avoid information risk related to people, processes and technologies. An established strategy also helps the organization adequately protect the confidentiality, integrity and availability of information. The business benefits of an effective information security strategic plan are significant and can offer a competitive advantage. These may include complying with industry standards, avoiding a damaging security incident, sustaining the reputation of the business and supporting commitment to shareholders, customers, partners and suppliers.

Drivers supporting an information security strategic plan include:

  • Defining consistent and integrated methodologies for design, development and implementation;
  • Detecting and resolving problems;
  • Reducing time to delivery from solution concept through implementation;
  • Provisioning flexible and adaptable architectures;
  • Proactively making decisions to more efficiently deliver results;
  • Eliminating redundancy to better support achievement of objectives;
  • Planning and managing human resources, relying on external expertise when required to augment internal staff;
  • Evolving into an organization where security is integrated as seamlessly as possible with applications, data, processes and workflows into a unified environment.

A gap assessment of an organization’s current state and existing efforts is an important first step in establishing a security strategic plan. A documented information security program assessment against a defined standard such as ISO/IEC 27002 — especially when that standard is a part of the strategy — enables more efficient planning. Additional steps to building a policy include defining the vision, mission, strategy, initiatives and tasks to be completed so they enhance the existing information security program. The plan should contain a list of deliverables or benchmarks for the initiatives, including the name of the person responsible for each.

Customizing a Plan to Fit Business Goals and Compliance Standards

These tasks serve to align the information security program with the organization’s IT and business strategies. They also provide the overall direction for the information security program and prioritize the initiatives and corresponding tasks into a multiyear execution plan, all while promoting compliance with appropriate security-related regulatory requirements and prevailing practices.

These strategic missions, when completed as prioritized within the plan, can significantly improve the efficiency and effectiveness of security decision-making. This aligns the program with IT and business strategies and allows businesses to assess and validate compliance with ever-changing legal, regulatory, contractual or other applicable standards. Of course, a security strategy should be continually reviewed to assess its applicability and make appropriate adjustments in direction or focus.

An information security strategic plan can be more effective when a holistic approach is adopted. This method requires the integration of people, process and technology dimensions of information security while ensuring it is risk-balanced and business-based. It requires a clear alignment between business and IT strategies. The better the alignment and integration to strategic decision-making, the easier it is to meet expectations and get the right things done in a prioritized order.

Information security is a journey and not a destination. There are always new challenges to meet. Executing a security strategic plan is a critical success factor for organizations that truly want to maximize their ability to manage information risk. Committing to this process takes resources and time. To be fully effective, security leaders need to be viewed as adding value to the business and IT strategic planning processes, focusing on how their strategy can enhance the business and help it succeed.
