Build a Defensible Cybersecurity Program in 3 Steps

To develop a defensible security program, balance protection with the need to run the business.

As the risks of digitalization evolve and cybersecurity threats grow, there’s only one way for security and risk leaders to effectively protect the organization — institute a continuous, sustainable security program. Yet all too often, organizations prioritize ticking compliance boxes over establishing effective, risk-based controls. 

Executives are more likely to subscribe to a vision when the components and objectives are relevant and laid out in nontechnical terms

The result? Programs lack defensibility at the business level, leading to mistrust and making it harder to gain adequate support and investment.

The IT Roadmap for Cybersecurity

Best practices to create a resilient, scalable and agile cybersecurity strategy.

Download Roadmap

“Business leaders continue to treat security as a business inhibitor due to the lack of a defensible security program that links into business outcomes,” says Tom Scholtz, Distinguished VP Analyst, Gartner.

Read more: The 15-Minute, 7-Slide Security Presentation for Your Board of Directors

To achieve a defensible information security management program, security and risk management leaders must bring the business along as they establish governance and develop the ability to assess and interpret risk effectively. 

Establish accountability with a security charter

A key aspect of defensibility is having the proper documentation and processes in place to  enable risk-based control decisions. 

To form the foundation of your security program, create an Enterprise Security Charter. This short, plain-language document establishes clear owner accountability for protecting information resources and provides a mandate for the CISO (or equivalent) to establish and maintain the security program. 

Executive leadership must read, understand, visibly endorse and annually review the charter, ensuring sign-off on roles, scope and responsibilities.

Establish an information security steering committee to ensure decisions aren’t made in a vacuum by the security team. Include direct, decision-making representation across business units and functions.

By creating a place for ongoing input and support for security programs from senior business leaders, other leaders are able to see the risks not only to their own business unit, but across the business.

Set a clear vision for security programs

Business support for the security program hinges on conveying a clear vision that reflects the unique business context of the enterprise. Has there been recent cost cutting? Where’s the organization on its digital journey? What regulatory requirements have shifted? 

Executives are more likely to subscribe to a vision when the components and objectives are relevant and laid out in nontechnical terms. The vision should reflect the mid and long-term business needs for security. 

Read more: How Security and Risk Leaders Can Prepare for Reduced Budgets

Provide a prioritized roadmap that clearly links projects and corrective actions to risks, vulnerabilities and the relevant business, technology and environmental drivers. 

Demonstrate a quick response to changing threats

Security is a moving target, and executives are under pressure to demonstrate that the enterprise can handle changing threats. By gearing programs toward anticipating and reacting to frequent, unexpected changes, security and risk management leaders illustrate their ability to protect the organization — no matter what happens in the business environment.  

To guide agile security planning implementation and operations day to day, develop a set of agreed-upon principles with business partners. Examples of principles include:

  • Supporting business outcomes rather than solely protecting the infrastructure

  • Considering the human element when designing and managing security controls

  • Conducting regular/periodic vulnerability assessments of the enterprise’s environment

Laying out these principles can help you continuously improve the effectiveness and efficiency of security controls while also reacting to change.

Gartner clients can read more in the full research The Characteristics of a Defensible Security Program with Tom Scholtz.

Get Smarter

Follow #Gartner

Attend a Gartner event

Explore Gartner Conferences

Gartner IT Roadmap for Cybersecurity: A Resilient Strategy

Gartner IT roadmap for cybersecurity based on unbiased research and...

Learn More


Get actionable advice in 60 minutes from the world's most respected experts. Keep pace with the latest issues that impact business.

Start Watching