What are some tips for creating an effective information security strategy?

2.3k views, 13 comments
Director of Information Security in Manufacturing, 3 years ago

First and foremost, the strategy has to be aligned with the business objectives, and with the business risk. That will give a foundation, and enough to move on to a framework. The type of business (e.g. regulated, defense related, ...) may have an impact on the framework you choose, or there may be a framework in place already. Either is fine! Next step would be to get to some kind of quantification. Based on the objectives, the risks, and using the framework you should be able to get some insight in how the organization is doing, and where more / different effort is needed.
After that, it is rinse and repeat.

Director in Construction, 3 years ago

The first step in an effective information security strategy is making sure your management is onboard to have and adopt an information security strategy. For most management, information security is, unfortunately, just a cost center that is a "bolt on". Management hire a CISO (or a manager and call them a CISO) to "make sure they are secure and keep out of the newspaper" - but don't want to get involved.
An information security strategy is something that management, including CEO, COO and CFO, all understand and are willing to support. We need to be willing to understand the business - but in turn the business needs to understand that the information security strategy is part of their business.

CEO in Services (non-Government), 3 years ago

Agreed, for us it’s all about business enablement. Of course we have to remain compliant, follow all policy & regulations. Protect our data / privacy… overall IP / competitive information. However we work IT from the bottom up. When entertaining new products/practices we begin our conversations with Enterprise enablement, Employee/Customer experience, Bottom line (ROI), and we do our best to reverse engineer from there. * Please note we are a SMB + I’m more on the business side of the house. Although we always have our SLT/appropriate technical teams/resources… as needed. Everyone gets to add value, contribution.

CISO in Healthcare and Biotech, 3 years ago

Start with the end in mind, recognize it will be a three-to-five year journey, and take baby steps to accomplish yearly goals and objectives that support your security strategy. Allow room within the security strategy to change direction as needed. Pick your framework, assess your capability and hire good people to make things happen. There is no one answer, just good, better or best types of solutions. Always support the business, name your north star and really listen to your people.

CISO in Software, 3 years ago

On top of the alignment with the business objectives (or rather as a key success factor in the alignment) I would call out education and evangelisation:
- Do not expect your CEO / exec team / board to understand the stakes; translation of the business strategy into the world of security across the company is your job, not theirs.
- You are co-responsible for the determination of the risk appetite – at least by making sure the leaders / execs understand what the implications of their decision are.
- Maintain the contacts and learn to speak the language of the execs / board so that you can pass the right message at the right time.
