Check out the first installment on building an information security strategy to learn why it’s important to conduct a security gap or risk assessment when establishing such a plan.

When building an information security strategic plan, it’s critical to understand the business and IT strategies. If a well-articulated business and IT strategy is available, it can be another starting point for creating the strategy. If one isn’t available, however, consider interviewing key senior executives for some forward-thinking insight. The objective is to understand the direction of the business as it relates to IT and determine what kind of security strategy could support the needs of both.

These data points serve as the foundation upon which the plan can be developed into a narrative document that defines and prioritizes broad strategic security initiatives and corresponding tasks into a multiyear road map. Initiatives capture the essence of these various tasks and provide context to their objectives and goals. The road map ultimately becomes a prioritized project plan to guide the execution and implementation of the tasks.

Security Strategy Starts With the CISO

To achieve the desired information security program, organizations should coordinate all security-related functions under the direction of a chief information security officer (CISO). The CISO should be strategically placed within the organization to ensure proper visibility of security issues and manage risk in a way that aligns with business objectives.

The CISO should serve as the focal point for information security matters and, in conjunction with an information security committee, ensure that line-of-business (LOB) security objectives are achieved. The CISO also provides overall leadership to the information security program, coordinates with complementary programs and integrates closely with LOB executives.

By coordinating all information security activities under the guidance and leadership of a CISO, an organization can significantly improve its security posture and reduce risk. CISOs hold responsibility for the information security program and provide the focus and strategic presence necessary for it to achieve its vision and mission.

Aligning IT Initiatives With Business Goals

Hiring a CISO is one of the most important tasks in this plan. To achieve the information security program vision and mission, the CISO should champion security initiatives throughout the organization. This requires a CISO with strong leadership skills, executive presence, security knowledge and effective placement within the organization.

  • Leadership: The CISO should provide executive leadership in developing, planning, coordinating, administering, managing, staffing and supervising all information security-related operations and activities.
  • Executive presence: A security leader should serve as a spokesperson for the information security program, deliver presentations to the board of directors and address concerns expressed by auditors, vendors and clients. The CISO should also have the executive presence to effectively represent the organization’s IT position and influence other members of the C-suite, which requires effective communication skills.
  • Security knowledge: CISOs draw from a solid basis of IT knowledge to determine the organization’s stance on security issues. This requires at least 10 years of experience in the field. The CISO should also possess strong analytical and diagnostic abilities to understand and apply theoretical concepts to practical problems.
  • Organizational placement: Organizational placement of the security leader may vary by organization. However, the information security program should be treated as an enterprisewide responsibility addressing people, process and technology issues. The CISO needs senior executive sponsorship and support.

It should take organizations roughly three calendar months to define the CISO’s expanded role, socialize with impacted parties and transform the position. It might take an additional two to three months to identify and interview candidates before ultimately hiring a CISO.

Building an Information Security Strategic Plan

Strategic initiatives like the CISO example above, when completed as prioritized within the plan, can significantly enhance and extend any organization’s information security program. Such a plan can help improve the efficiency and effectiveness of security decision-making, better align the program with IT and business strategies and enhance the organization’s ability to assess and validate compliance with ever-changing regulatory requirements. An effective information security strategic plan defines a general path for achieving initiatives and tasks, while also providing focus for those responsible for getting the job done.

Delivering an information security strategic plan is a complex process involving a wide variety of evolving technologies, processes and people. It requires an investment of time, effort and money. An effective plan helps executive management appropriately manage risk, visualize where the plan leads, understand its purpose, and prioritize and execute critical tasks.
