July 8, 2015 By Brian Evans 3 min read

Check out part two of this series to learn why the CISO should be the central figure responsible for defining an organization’s information security strategic plan and aligning it with business goals.

Some say that strategic planning is no longer practical or necessary in today’s rapidly changing technical environment, but strategy still remains an essential part of defining clear companywide goals and how to achieve them. Strategic planning is about setting long-term goals, establishing the directions and constraints that will guide the tactical achievement of these aims and identifying the assets and capabilities that the organization needs to execute the plan.

The same holds true for an information security strategic plan. A clear and concise security strategic plan allows executives, management and employees to see where they are expected to go, focus their efforts in the right direction and know when they have accomplished their goals. Unfortunately, plenty of organizations lack an information security strategic plan, or at least one that is up to date. Some even claim to have a strategy but really don’t. As a result, there’s a lack of focus and inconsistency in the actions taken across the enterprise, not to mention a greater likelihood of something bad happening. If organizations continue to view strategic planning as impractical or unnecessary, then they are less likely to effectively manage information risk.

What’s Included in an Information Security Strategic Plan?

An information security strategic plan can position an organization to mitigate, transfer, accept or avoid information risk related to people, processes and technologies. An established strategy also helps the organization adequately protect the confidentiality, integrity and availability of information. The business benefits of an effective information security strategic plan are significant and can offer a competitive advantage. These may include complying with industry standards, avoiding a damaging security incident, sustaining the reputation of the business and supporting commitment to shareholders, customers, partners and suppliers.

Drivers supporting an information security strategic plan include:

  • Defining consistent and integrated methodologies for design, development and implementation;
  • Detecting and resolving problems;
  • Reducing time to delivery from solution concept through implementation;
  • Provisioning flexible and adaptable architectures;
  • Proactively making decisions to more efficiently deliver results;
  • Eliminating redundancy to better support achievement of objectives;
  • Planning and managing human resources, relying on external expertise when required to augment internal staff;
  • Evolving into an organization where security is integrated as seamlessly as possible with applications, data, processes and workflows into a unified environment.

A gap assessment of an organization’s current state and existing efforts is an important first step in establishing a security strategic plan. A documented information security program assessment against a defined standard such as ISO/IEC 27002 — especially when that standard is a part of the strategy — enables more efficient planning. Additional steps to building a policy include defining the vision, mission, strategy, initiatives and tasks to be completed so they enhance the existing information security program. The plan should contain a list of deliverables or benchmarks for the initiatives, including the name of the person responsible for each.

Customizing a Plan to Fit Business Goals and Compliance Standards

These tasks serve to align the information security program with the organization’s IT and business strategies. It also provides the overall direction for the information security program and prioritizes the initiatives and corresponding tasks into a multiyear execution plan, all while promoting compliance with appropriate security-related regulatory requirements and prevailing practices.

These strategic missions, when completed as prioritized within the plan, can significantly improve the efficiency and effectiveness of security decision-making. This aligns the program with IT and business strategies and allows businesses to assess and validate compliance with ever-changing legal, regulatory, contractual or other applicable standards. Of course, a security strategy should be continually reviewed to assess its applicability and make appropriate adjustments in direction or focus.

An information security strategic plan can be more effective when a holistic approach is adopted. This method requires the integration of people, process and technology dimensions of information security while ensuring it is risk-balanced and business-based. It requires a clear alignment between business and IT strategies. The better the alignment and integration to strategic decision-making, the easier it is to meet expectations and get the right things done in a prioritized order.

Information security is a journey and not a destination. There are always new challenges to meet. Executing a security strategic plan is a critical success factor for organizations that truly want to maximize their ability to manage information risk. Committing to this process takes resources and time. To be fully effective, security leaders need to be viewed as adding value to the business and IT strategic planning processes, focusing on how their strategy can enhance the business and help it succeed.

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today