The information security team strategy tops the list of must-have CISO tools. Developing a strategy is a discretionary activity and is often overlooked. However, when anyone wonders what you do, what value you provide, or where you're going, the investment in a strategy pays dividends in goodwill and improved budgets. Here's the position statement for an information security strategy: a strategy is a presentation that communicates the mission, value, current state, and future direction of the information security service.
It's fair to say the security strategy is in large part internal marketing. How about this for a security guy's definition of marketing: the act of communicating a specific message, to a targeted group, to achieve a desired result. Here's a quick breakdown of the outcomes we'd like to see.
Target: Execs and BoD
Message: We got it covered, here's how we're contributing to business success.
Outcome: Resources approved and support to facilitate acceptable risk decisions.
Target: Line of Business Leaders
Message: We’re here to help you make good risk decisions.
Outcome: Decisions are made by the business with Security as a facilitator not dictator.
Target: Peer IT Groups
Message: We have our act together. You’ll enjoy working with us vs. against us.
Outcome: Security integrated into IT decisions and healthy process hand-offs.
Target: Your Team
Message: We have a plan. Get on board and let’s make a difference.
Outcome: Single team direction and messaging with a means to course-correct.
The first order of business is to determine how much polish you need. I've seen some CISOs hire professional design firms to wow stakeholders with fancy representations of the OSI stack and stock images of customers looking on. Personally I think your standard Office suite is sufficient to communicate your message.
In addition to the classic components of vision, mission, and service catalogue, the strategy document is a great place to answer key questions:
What are the top risks?
What are we doing about them?
Are we improving internally?
How are we helping the business?
What services do we provide vs. operations?
Is our environment resilient?
Are we compliant?
Are we efficient?
Below are some core elements I've helped produce.
1. Mission & Vision
The vision is what security should look like in the future. Take the time to communicate your vision in as few words as possible; brevity conveys maturity. It should say something like: "Achieving <how your business describes success> by integrating privacy, security, and integrity throughout the business." Or perhaps: "Information technology risks are identified, understood, and managed to an acceptable level across the enterprise. Business units have the tools, resources, and expertise to make optimal decisions for business success."
If your company has a tagline, it may be good practice to align with it, even come up with your own.
Your mission is how you'll achieve the vision. Again, brevity is the goal, e.g. "Develop and measure IT security standards while enabling business unit autonomy and agility. Deliver value through identification of threats, assessment of risk, and provision of foundational security services."
The next step is choosing how to organize your content. I've seen this done a few different ways. One approach is to define high-level domains of security services, e.g. data, access, devices, monitoring and response. Another is to borrow the balanced scorecard categories to organize how you're going to execute. This also sets up the actual balanced scorecard we'll cover in a future post. Here's my loose translation of the textbook balanced scorecard quadrants of Financial, Customer, Internal Business, and Innovation/Growth:
- Security Foundation: Service oriented performance, risk based culture & approach, process improvement and cost savings.
- Enable the Business: Integrate risk decisions, improve business solutions, exceed service levels.
- Operational Efficiency: measured operations & delivery, enterprise view, cost transparency and efficiency.
- Invest Strategically: business aligned IT solutions, <innovative|efficient|best company messaging> service.
2. Current State
Before creating content, ask yourself whether you already have enough evidence to determine your message. Do you want to shock stakeholders and set the expectation that action is needed? Or is the overall status nominal, with modest improvements needed? Both are acceptable and each has its pros and cons. In organizations that don't have a strategy, the tendency I see is to avoid disclosing the actual state of security simply because it hasn't been done before. If possible, use the strategy development process to explain that you haven't been hiding anything; you're just formalizing communication going forward.
Communicating the current state of security to non-technical audiences in a couple of pages is a challenge. Using the organizing categories chosen above, I prefer to communicate the level of visibility and control performance across each business line, e.g. shared IT services, business unit application development, regional IT, partners.
If you used a technology stack view to communicate your security posture, switch gears when talking about people and process. Use your service categories to communicate capability and maturity: a simple table with CMM (Capability Maturity Model) levels as columns and your core services as rows, e.g. Access Management, Operations, Compliance, Assessment, Incident Response, Architecture, etc.
3. Future Direction
Now that expectations are set, what are you going to do to accomplish your mission? The first question to answer is how to organize all the work efforts you'll outline. You can organize efforts by the strategy categories or by your service catalog; I prefer the strategy categories. For each category, show improvement areas in Gantt form if you have the data. If you don't already have a plan worked out, write down the desired end state in each area. Focus on what the category will look like rather than how you'll get there.
A final touch I like on the future state is to show how you'll measure success. If you have metrics or approved plans, organize them by the above. If you're early on, simply state what you'd like to measure.
Instead of writing about each element in detail, please review our standard strategy template linked in this post. This is where we usually start when helping CISOs build or improve their strategy. Please do discuss, question, and provide feedback.
A quick word on maintenance. Developing a strategy definitely takes time and should be an official, planned activity. However, once written it should be fairly static and updated infrequently, perhaps annually.
If you have a strategy I hope we've given you a few new ideas. If you don't have a strategy, please consider making the investment. If I were a new CISO today, I'd start collecting information for my strategy tomorrow.
Feel free to contact me directly if you'd like to discuss or need more convincing.
Security Strategy Template updated: 2/9/2016
Key updates: added Board of Director level communication templates