January 3, 2017 By Brian Evans 3 min read

Check out the first installment on building an information security strategy to learn why it’s important to conduct a security gap or risk assessment when establishing such a plan.

When building an information security strategic plan, it’s critical to understand the business and IT strategies. If a well-articulated business and IT strategy is available, it can be another starting point for creating the strategy. If one isn’t available, however, consider interviewing key senior executives for some forward-thinking insight. The objective is to understand the direction of the business as it relates to IT and determine what kind of security strategy could support the needs of both.

These data points serve as the foundation upon which the plan can be developed into a narrative document that defines and prioritizes broad strategic security initiatives and corresponding tasks into a multiyear road map. Initiatives capture the essence of these various tasks and provide context to their objectives and goals. The road map ultimately becomes a prioritized project plan to guide the execution and implementation of the tasks.

Security Strategy Starts With the CISO

To achieve the desired information security program, organizations should coordinate all security-related functions under the direction of a chief information security officer (CISO). The CISO should be strategically placed within the organization to ensure proper visibility of security issues and manage risk in a way that aligns with business objectives.

The CISO should serve as the focal point for information security matters and, in conjunction with an information security committee, ensure that line-of-business (LOB) security objectives are achieved. They also provide overall leadership to the information security program, coordinate with complementary programs and integrate closely with LOB executives.

By coordinating all information security activities under the guidance and leadership of a CISO, an organization can significantly improve its security posture and reduce risk. CISOs hold responsibility for the information security program and provide the focus and strategic presence necessary for it to achieve its vision and mission.

Aligning IT Initiatives With Business Goals

Hiring a CISO is one of the most important tasks in this plan. To achieve the information security program vision and mission, the CISO should champion security initiatives throughout the organization. This requires a CISO with strong leadership skills, executive presence, security knowledge and effective placement within the organization.

  • Leadership: The CISO should provide executive leadership in developing, planning, coordinating, administering, managing, staffing and supervising all information security-related operations and activities.
  • Executive presence: A security leader should serve as a spokesperson for the information security program, deliver presentations to the board of directors and address concerns expressed by auditors, vendors and clients. The CISO should also have the executive presence to effectively represent the organization’s IT position and influence other members of the C-suite, which requires effective communication skills.
  • Security knowledge: CISOs draw from a solid basis of IT knowledge to determine the organization’s stance on security issues. This requires at least 10 years of experience in the field. The CISO should also possess strong analytical and diagnostic abilities to understand and apply theoretical concepts to practical problems.
  • Organizational placement: Organizational placement of the security leader may vary by organization. However, the information security program should be treated as an enterprisewide responsibility addressing people, process and technology issues. The CISO needs senior executive sponsorship and support.

It should take organizations roughly three calendar months to define the CISO’s expanded role, socialize with impacted parties and transform the position. It might take an additional two to three months to identify and interview candidates before ultimately hiring a CISO.

Building an Information Security Strategic Plan

Strategic initiatives like this example, when completed as prioritized within the plan, can significantly enhance and extend any organization’s information security program. Such a plan can help improve the efficiency and effectiveness of security decision-making, better align the program with IT and business strategies and enhance the organization’s ability to assess and validate compliance with ever-changing regulatory requirements. An effective information security strategic plan defines a general path for achieving initiatives and tasks, while also providing focus for those responsible for getting the job done.

Delivering an information security strategic plan is a complex process involving a wide variety of evolving technologies, processes and people. It requires an investment of time, effort and money. An effective plan helps executive management appropriately manage risk, visualize where the plan leads, understand its purpose, and prioritize and execute critical tasks.
