
Build an Information Security Strategy

Create value by aligning your strategy to business goals and business risks.

  • Many security leaders struggle to decide how best to prioritize their scarce information security resources.
  • The need to move from a reactive approach to security towards a strategic planning approach is clear. The path to getting there is less so.

Our Advice

Critical Insight

The most successful information security strategies are:

  • Holistic – They consider the full spectrum of information security, including people, processes, and technology.
  • Risk aware – They understand that security decisions should be made based on the security risks facing their organization, not just on “best practice.”
  • Business aligned – They demonstrate an understanding of the goals and strategies of the organization and how the security program can support the business.

Impact and Result

  • Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for more than seven years with hundreds of different organizations.
  • This approach includes tools for:
    • Ensuring alignment with business objectives.
    • Assessing organizational risk and stakeholder expectations.
    • Enabling a comprehensive current state assessment.
    • Prioritizing initiatives and building out a security roadmap.

Build an Information Security Strategy Research & Tools

1. Information Security (IS) Strategy Research – A step-by-step document that helps you build a holistic, risk-based, and business-aligned IS strategy.

Your security strategy should not be based on trying to blindly follow best practices but on a holistic risk-based assessment that is risk aware and aligns with your business context. Use this storyboard to augment your security strategy by ensuring alignment with business objectives, assessing your organization's risk and stakeholder expectations, understanding your current security state, and prioritizing initiatives and a security roadmap.

2. Information Security Requirements Gathering Tool – A tool to make informed security risk decisions to support business needs.

Use this tool to formally identify business goals and customer and compliance obligations and make explicit links to how security initiatives propose to support these business interests. Then define the scope and boundaries for the security strategy and the risk tolerance definitions that will guide future security risk decisions.

3. Information Security Pressure Analysis Tool – An evaluation tool to invest in the right security functions using a pressure analysis approach.

Security pressure posture analysis helps your organization assess your real security context and enables you to invest in the right security functions while balancing the cost and value in alignment with business strategies. Security pressure sets the baseline that will help you avoid over-investing or under-investing in your security functions.

4. Information Security Program Gap Analysis Tool – A structured tool to systematically understand your current security state.

Effective security planning should not be one size fits all – it must consider business alignment, security benefit, and resource cost. To enable an effective security program, all areas of security need to be evaluated closely to determine where the organization sits currently and where it needs to go in the future.

5. Information Security Strategy Communication Deck – A best-of-breed presentation document to build a clear, concise, and compelling strategy document.

Use this communication deck template to present the results of the security strategy to stakeholders, demonstrate the progression from the current state to the future state, and establish the roadmap of the security initiatives that will be implemented. This information security communication deck will help ensure that you’re communicating effectively for your cause.

6. Information Security Charter – An essential document for defining the scope and purpose of a security project or program.

A charter is an essential document for defining the scope and purpose of security. Without a charter to control and set clear objectives for this committee, the responsibility of security governance initiatives will likely be undefined within the enterprise, preventing the security governance program from operating efficiently. This template can act as the foundation for a security charter to provide guidance to the governance of information security.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

  • Overall Impact: 9.6/10
  • Average $ Saved: $45,577
  • Average Days Saved: 33

Client | Experience | Impact | $ Saved | Days Saved
HSS Enterprises Ltd c/o IKO | Guided Implementation | 10/10 | $10,000 | 20
South Carolina Department of Employment and Workforce | Guided Implementation | 10/10 | N/A | 4
American National Insurance Company Inc | Workshop | 10/10 | $12,999 | 10
St. Mary's University | Guided Implementation | 10/10 | $32,499 | 120
Worldnet International | Guided Implementation | 10/10 | $129K | 50
IHC New Zealand Incorporated | Guided Implementation | 9/10 | $28,599 | 9
PrizePicks | Guided Implementation | 10/10 | $32,499 | 5
County of Nevada | Guided Implementation | 9/10 | N/A | 5
City of O'Fallon | Guided Implementation | 10/10 | N/A | 120
Sioux Lookout Meno Ya Win Health Centre | Guided Implementation | 9/10 | $20,500 | 20
SCEE | Guided Implementation | 10/10 | $21,499 | 50
AHF Products | Guided Implementation | 8/10 | $9,099 | 10
County of San Luis Obispo | Workshop | 9/10 | $32,499 | 10
Ministry of Industry, Innovation, Science and Technology | Workshop | 9/10 | $129K | 50
Ausenco Engineering Canada Inc | Guided Implementation | 10/10 | $30,000 | 32
ATS CORPORATION | Guided Implementation | 10/10 | $10,000 | 20
Virginia Department of Health | Guided Implementation | 10/10 | N/A | 115
Donor Network West | Guided Implementation | 10/10 | $32,499 | 10
Unity Health Care | Guided Implementation | 10/10 | $24,699 | 120
Loomis AB | Guided Implementation | 10/10 | $32,499 | 20
Government of Bermuda | Guided Implementation | 10/10 | $12,999 | 20
Canopy Growth | Guided Implementation | 10/10 | $17,500 | 10
Opentech Alliance | Guided Implementation | 10/10 | $779K | 120
Matanuska-Susitna County | Guided Implementation | 10/10 | $25,000 | 20
Kentucky Public Pensions Authority | Workshop | 9/10 | N/A | 10
Alabama Department of Economic and Community Affairs | Guided Implementation | 10/10 | $2,599 | 50
City of Saskatoon, SK | Workshop | 10/10 | $50,000 | 90
Power and Water Corporation | Guided Implementation | 10/10 | $42,999 | 18
ReCor Medical | Guided Implementation | 10/10 | N/A | N/A
Airgain | Guided Implementation | 10/10 | $129K | 50


Security Strategy

Note: This course will be updated in August 2023.
Tailor best practices to effectively manage information security.
This course makes up part of the Security & Risk Certificate.

Academy: Security Strategy | Executive Brief

  • Course Modules: 5
  • Estimated Completion Time: 2-2.5 hours
  • Featured Analysts:
    • Kevin Peuhkurinen, Research Director, Security & Risk
    • Gord Harrison, Senior Vice President, Research

Workshop: Build an Information Security Strategy

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess Security Requirements

The Purpose

Understand business and IT strategy and plans.

Key Benefits Achieved

Defined security obligations, scope, and boundaries.

Activities

  • 1.1 Define business and compliance obligations.
  • 1.2 Establish security program scope.
  • 1.3 Analyze the organization’s risk and stakeholder pressures.
  • 1.4 Identify the organizational risk tolerance level.

Outputs

  • Security obligations statement
  • Security scope and boundaries statement
  • Defined risk tolerance level
  • Risk assessment and pressure analysis

Module 2: Perform a Gap Analysis

The Purpose

Define the information security target state.

Key Benefits Achieved

Set goals and initiatives for the security strategy in line with the business objectives.

Activities

  • 2.1 Assess current security capabilities.
  • 2.2 Identify security gaps.
  • 2.3 Build initiatives to bridge the gaps.

Outputs

  • Information security target state
  • Security current state assessment
  • Initiatives to address gaps

Module 3: Complete the Gap Analysis

The Purpose

Continue assessing current security capabilities.

Key Benefits Achieved

Identification of security gaps and initiatives to bridge them according to the business goals.

Activities

  • 3.1 Identify security gaps.
  • 3.2 Build initiatives to bridge the maturity gaps.
  • 3.3 Identify initiative list and task list.
  • 3.4 Define criteria to be used to prioritize initiatives.

Outputs

  • Completed security current state assessment
  • Task list to address gaps
  • Initiative list to address gaps
  • Prioritization criteria

Module 4: Develop the Roadmap

The Purpose

Create a plan for your security strategy going forward.

Key Benefits Achieved

Set path forward to achieving the target state for the business through goal cascade and gap initiatives.

Activities

  • 4.1 Conduct cost/benefit analysis on initiatives.
  • 4.2 Prioritize gap initiatives based on cost and alignment with business.
  • 4.3 Build an effort list.
  • 4.4 Determine start times and accountability.
  • 4.5 Finalize security roadmap and action plan.
  • 4.6 Create communication plan.

Outputs

  • Information security roadmap
  • Draft communication deck

Module 5: Communicate and Implement

The Purpose

Finalize deliverables.

Key Benefits Achieved

Consolidate documentation into a finalized deliverable that can be used to present to executives and decision makers to achieve buy-in for the project.

Activities

  • 5.1 Support communication efforts.
  • 5.2 Identify resources in support of priority initiatives.

Outputs

  • Security strategy roadmap documentation
  • Detailed cost and effort estimates
  • Mapping of Info-Tech resources against individual initiatives

Build an Information Security Strategy

Create value by aligning your strategy to business goals and business risks.

Analyst Perspective

Set your security strategy up for success.

“Today’s rapid pace of change in business innovation and digital transformation is a call to action to information security leaders.

Too often, chief information security officers find their programs stuck in reactive mode, a result of years of mounting security technical debt. Shifting from a reactive to proactive stance has never been more important. Unfortunately, doing so remains a daunting task for many.

While easy to develop, security plans premised on the need to blindly follow ‘best practices’ are unlikely to win over many stakeholders. To be truly successful, an information security strategy needs to be holistic, risk-aware, and business-aligned.”

Kevin Peuhkurinen

Research Director – Security, Risk & Compliance

Info-Tech Research Group

Executive summary

Your Challenge

  • Many security leaders struggle to decide how best to prioritize their scarce information security resources.
  • The need to move from a reactive approach to security toward a strategic planning approach is clear. The path to getting there is less clear.

Common Obstacle

  • Developing a security strategy can be challenging. Complications include:
    • Performing an accurate assessment of your current security program can be extremely difficult when you don’t know what to assess or how.
    • Determining the appropriate target state for security can be even more challenging. A strategy built around following best practices is unlikely to garner significant support from business stakeholders.

Info-Tech’s Approach

  • Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for 7+ years with hundreds of organizations.
  • This unique approach includes tools for:
    • Ensuring alignment with business objectives.
    • Assessing organizational risk and stakeholder expectations.
    • Enabling a comprehensive current state assessment.
    • Prioritizing initiatives and building out a security roadmap.

Info-Tech Insight

The most successful information security strategies are:

  • Holistic. They consider the full spectrum of information security, including people, processes, and technologies.
  • Risk-Aware. They understand that security decisions should be made based on the security risks facing their organization, not just on best practice.
  • Business-Aligned. They demonstrate an understanding of the goals and strategies of the organization, and how the security program can support the business.

It’s not a matter of if you have a security incident, but when

Organizations need to prepare and expect the inevitable security breach.

Fifty-eight percent of companies surveyed that experienced a breach were small businesses.

Eighty-nine percent of breaches have a financial or espionage motive.

Three graphs are depicted. The first is labeled ‘Total Cost for Three Data Breach Root Causes,’ the second ‘Distribution of Benchmark by Root Cause of the Data Breach,’ and the third ‘Per Capita for Three Root Causes of a Data Breach.’ The three root causes are malicious or criminal attack (US$166 million per capita), system glitch ($132 million per capita), and human error ($133 million per capita).

Source: Ponemon Institute, “2019 Global Cost of Data Breach Study”

An information security strategy can help you prepare for incidents

Organizations need to expect the inevitable security breach.

  • 90% of businesses have experienced an external threat in the last year.
  • 50% of IT professionals consider security to be their number one priority.
  • 53% of organizations claimed to have experienced an insider attack in the previous 12 months. (1)
  • 46% of businesses believe the frequency of attacks is increasing. (2)

Effective IT leaders approach their security strategy from an understanding that attacks on their organization will occur. Building a strategy around this assumption allows your security team to understand the gaps in your current approach and become proactive instead of being reactive.

Sources: (1) Kaspersky Lab, “Global IT Security Risks Survey”; (2) CA Technologies, “Insider Threat 2018 Report”

Persistent Issues

Evolving Ransomware

  • Continual changes in types and platforms make ransomware a persistent threat. The frequency of ransomware attacks was reported to have increased by 67% in the past five years. (1)

Phishing Attacks

  • Despite filtering and awareness, email remains the most common threat vector for phishing attacks (94%), and an average of 3% of participants in phishing campaigns still click on them. (2)

Insider Privilege and Misuse

  • Typically, 34% of breaches are perpetrated by insiders, with 15% involving privilege misuse. Takeaway: Care less about titles and more about access levels. (3)

Denial of Service

  • The median amount of time that an organization is under a DDoS attack is three days.

Emerging Trends

Advanced Identity and Access Governance

  • Using emerging technologies in automation, orchestration, and machine learning, the management and governance of identities and access has become more advanced.

Sources: (1) Accenture, “2019 The Cost of Cyber Crime Study”; (2, 3) Verizon, “2019 Data Breach Investigations Report”

New threat trends in information security aren’t new.

Previously understood attacks are simply an evolution of prior implementations, not a revolution.

Traditionally, most organizations are not doing a good-enough job with security fundamentals, which is why attackers have been able to use the same old tricks.

However, information security has finally caught the attention of organizational leaders, presenting the opportunity to implement a comprehensive security program.

Cyberattacks have a significant financial impact

Global average cost of a data breach: $3.92 Million

Source: Ponemon Institute, “2019 Cost of a Data Breach Study: Global Overview”

A bar graph, titled ‘Average cost of data breach by industry,’ is depicted. Of 17 industries depicted, public is the lowest average cost (US$1.29 million) and health is the highest average cost ($6.45 million).

Primary incident type (with a confirmed data breach)

  1. Leading incident type is Denial of Service attacks (DoS), taking up to 70% of all incidents.
  2. When it comes to data breaches, we see that the use of stolen credentials leads to the most cases of confirmed breaches, accounting for 29%.

Personal records tend to be the most compromised data types, while databases tend to be the most frequently involved asset in breaches.

Source: Verizon, “2019 Data Breach Investigations Report”

Security threats are not going away

We continue to see and hear of security breaches occurring regularly.

A bar graph depicts the percentage of businesses that experienced a data breach in the last year (US total and global total). Numbers have increased from 2016 to 2019. In 2016, 19 percent of US businesses experienced a breach. In 2019, this number was 59 percent.

An attacker must be successful only once. The defender – you – must be successful every time.

Info-Tech’s approach

Maturing from reactive to strategic information security

Two circular graphs depict the move from ‘reactive security’ to ‘strategic security’ that organizations can accomplish using Info-Tech’s approach. A tools icon on the first three stages of the strategic security graph marks the Info-Tech tools included in this blueprint.

The Info-Tech difference:

  1. A proven, structured approach to mature your information security program from reactive to strategic.
  2. A comprehensive set of tools to take the pain out of each phase in the strategy building exercise.
  3. Visually appealing templates to communicate and socialize your security strategy and roadmap to your stakeholders.

Info-Tech’s Security Strategy Model

Info-Tech’s Security Strategy Model is depicted in this rectangular image with arrows. The first level depicts business context (enterprise goals, compliance obligations, scope and boundaries) and pressures (security risks, risk tolerance, stakeholder expectations). The second level depicts security target state (maturity model, security framework, security alignment goals, target maturity, time frame) and current state (current state assessment, gap analysis). The third level depicts the information security roadmap (initiative list, task list, prioritization methodology, and Gantt chart).

The Info-Tech difference:

An information security strategy model that is:

  1. Business-Aligned. Determines business context and cascades enterprise goals into security alignment goals.
  2. Risk-Aware. Understands the security risks of the business and how they intersect with the overall organizational risk tolerance.
  3. Holistic. Leverages a best-of-breed information security framework to provide comprehensive awareness of organizational security capabilities.

Info-Tech’s best-of-breed security framework

This image shows how Info-Tech’s framework is based on ISO 27000 series, CIS Top 20, COBIT 2019, NIST 800-53, and NIST CSF.

Info-Tech’s approach

Creating an information security strategy

Best-of-breed security strategy

  • Value to the business: Have documentation that paints a picture of the road to compliance. Integrate your framework with your risk tolerance and external pressures.
  • Outcome: Be ready for future changes by aligning your security strategy to security framework best practices.

Address the nature of your current information security

  • Value to the business: Eliminate gaps in process and know what is in scope for your security strategy. Learn what pressures your business and industry are under.
  • Outcome: Gain insight into your current state, allowing you to focus on high-value projects first, transitioning towards a target state.

Highlight overlooked functions of your current security strategy

  • Value to the business: Build a comprehensive security program that brings to light all aspects of your security program.
  • Outcome: Instead of pursuing ad hoc projects, know what needs work and how to prioritize your pressing security issues.

Create a tangible roadmap to your target state

  • Value to the business: Create a plan for your future state of information security. Refer to and update your target state as your business needs change.
  • Outcome: Document your current progress and path forward in the future. Know your goals and requirements, codified in a living document.

Use our prepopulated deliverables to fast track your progress

  • Value to the business: Let Info-Tech do the work for you. With completed deliverables, have tangible documents to convey your business needs.
  • Outcome: A comprehensive set of deliverables with concrete, defensible data to justify any business changes.

A living security strategy

  • Value to the business: Pivot and change prioritization to meet the needs of your security deficits.
  • Outcome: Future-proof your security strategy for any contingency.

The Info-Tech difference:

Evolve the security program to be more proactive by leveraging Info-Tech’s approach to building a security strategy.

  • Dive deep into security obligations and security pressures to define the business context.
  • Conduct a thorough current state and future state analysis that is aligned with a best-of-breed framework.
  • Prioritize gap-closing initiatives to create a living security strategy roadmap.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.


What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.


Get the help you need in this 4-phase advisory process. You'll receive 8 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Assess security requirements
  • Call 1: Introduce project and complete pressure analysis.

Guided Implementation 2: Build a gap initiative strategy
  • Call 1: Introduce the maturity assessment.
  • Call 2: Perform gap analysis and translate into initiatives.
  • Call 3: Consolidate related gap initiatives and define cost, effort, alignment, and security benefits.

Guided Implementation 3: Prioritize initiatives and build roadmap
  • Call 1: Review cost/benefit analysis and build an effort map.
  • Call 2: Build implementation waves and introduce Gantt chart.

Guided Implementation 4: Execute and maintain
  • Call 1: Review Gantt chart and ensure budget/buy-in support.
  • Call 2: Three-month check-in: Execute and maintain.

Authors

Kate Wood

Isaac Kinsella

Contributors

  • Peter Clay, Zeneth Tech Partners, Principal
  • Ken Towne, Zeneth Tech Partners, Security Architect
  • Luciano Siqueria, Road Track, IT Security Manager
  • Candy Alexander, Independent Consultant, Cybersecurity and Information Security Executive
  • Jason Bevis, FireEye, Senior Director Orchestration Product Management, Office of the CTO
  • Joan Middleton, Village of Mount Prospect, IT Director
  • David Rahbany, The Hain Celestial Group, Director IT Infrastructure
  • Rick Vadgama, Cimpress, Head of Information Privacy and Security
  • Doug Salah, Wabtec Corp, Manager of Information Security and IT Audit
  • Peter Odegard, Children’s Hospitals and Clinics, Information Security Officer
  • Trevor Butler, City of Lethbridge, Information Technology General Manager
  • Shane Callahan, Tractor Supply, Director of Information Security
  • Jeff Zalusky, Chrysalis, President/CEO
  • Dan Humbert, YMCA of Central Florida, Director of Information Technology
  • Ron Kirkland, Crawford & Co, Manager ICT Security & Customer Service
  • Jim Burns, GreatAmerica Financial Services, Vice President Information Technology
  • Ryan Breed, Hudson’s Bay, Information Security Analyst
  • James Fielder, Farm Credit Services – Central Illinois, Vice President of Information Systems
