What are some tips for creating an effective information security strategy?


CISO in Software, 201 - 500 employees
1. Understand your business, its roadmap, its landscape, your customers and the technology the business uses.
2. Understand your organization's culture and its ability to adapt to change and possible restrictions in the working environment.
3. Determine how committed the management is to security.
4. Ascertain the threat landscape and how active it is. All these will help develop the overall Security Strategy and its likely velocity.
5. Once it is understood how aggressive or passive it needs to be, then get tactical and start with a risk assessment of people, processes, and infrastructure.
6. Adopt the most suitable framework based on compliance / regulatory or customer needs.
7. Draft out the strategy charter!
CIO/CISO in Healthcare and Biotech, 11 - 50 employees
Start with the 3 pillars: people, process and technology. Understand the vision and mission of the business and start aligning to their processes, develop policies and procedures along with technical controls to align risk management with the business, and from that start developing the roadmap for ongoing security operations.
Director, Security Operations in Telecommunication, 501 - 1,000 employees
First, one must understand the business (including legal and regulatory requirements) and the business's risk appetite.  These should form the basis for structuring a plan.
Head of IT and Security in Finance (non-banking), 51 - 200 employees
This is a very broad question which also depends on the industry you are in. You should probably start by adhering to a basic security standard and framework approved by ISACA (ISO, IEC...).
Director of Information Security in Energy and Utilities, 1,001 - 5,000 employees
Everyone already touched on the high-level approach to your question. Understand how your business makes money. Sit down with the executive team and/or the board (depending on your organization) to identify and agree on what the top 10 critical business functions are, their RTO, and the organization's risk appetite. Then conduct a risk assessment against those business functions to identify the top 5-10 risks. So now you know the current and target states. Pick a control framework that will help you to implement your risk management framework, which in turn will help you to mitigate the above risks.
Director, Strategic Security Initiatives in Software, 10,001+ employees
All LOBs need to be in sync with what security is trying to achieve. You need support from leadership and all LOBs to ensure the security strategy is achieved. Security is TOP priority and should be SEEN AS SUCH!!!
CISO in Finance (non-banking), 10,001+ employees
The first step is to understand your business objectives and technology objectives and accordingly align your information security strategy so that those objectives can be met. If you are in an industry that is tightly regulated, then understand all the regulatory obligations related to tech and infosec and ensure those are met. Prepare a strategy roadmap for all the security initiatives and divide it into people, process and technology initiatives. Things cannot be implemented overnight, and hence CISOs have to be very patient and take a step-by-step approach. The security strategy must be approved by the Board and top management and must be reviewed regularly. Every major initiative must have some measurement parameters for effective implementation and sustenance.
CISO in Software, 10,001+ employees
Have a clear vision, mission, goals and associated OKRs (key results) that are visible, customer-focused and measurable.
Head, Information Security and Compliance in Finance (non-banking), 1,001 - 5,000 employees
The most important building block of an effective cyber security strategy is a comprehensive inventory of all digital/information assets, personnel, and vendors. Then do the data classification. Map your assets, know your stack, assess risk, and define an industry-standard framework.
CISO in Software, 201 - 500 employees
On top of the alignment with the business objectives (or rather as a key success factor in the alignment) I would call out education and evangelisation:
- Do not expect your CEO / exec team / board to understand the stakes; translation of the business strategy into the world of security across the company is your job, not theirs.
- You are co-responsible for the determination of the risk appetite – at least by making sure the leaders / execs understand the implications of their decisions.
- Maintain the contacts and learn to speak the language of the execs / board so that you can pass the right message at the right time.
