Building an effective information security strategy means moving away from industrial-style defence methods and focusing instead on enabling key business outcomes. Employers are urged to describe cyber effects in terms of threat outcomes and to prioritise investments so that they build a complete, defensible programme.
The strategy needs to ensure a balance between running and protecting a business, and it includes the following five key components:
- An enterprise information security charter providing a mandate for the CISO to establish and maintain a security program.
- Terms of reference, including the taxonomical reference models required to guide strategic and tactical decisions.
- Governance structures, including decision-making committees among others, to ensure accountability regarding security matters.
- A clear vision (vision, mission, roadmap) that explains the strategy's components and objectives and how they relate to business goals.
- A security program geared towards anticipating and reacting to frequent changes in the business, technology, and operating environments.
The information security strategy aims to provide a medium to long-term direction of the cybersecurity program. It documents how the security organization will support and enable the corporate strategy and digital trajectory.
Organizations in a rapidly changing digital world must possess an effective Information Security (IS) strategy that balances running and protecting the business; IS teams without such a strategy tend to buy into technology without having well-defined accountability and attitudes.
This strategy should also involve building a complete IS program that addresses the risks of digital business. This sort of program consists of five key components: an enterprise IS charter, a reference model or terms of reference, governance structures, strategy, and security processes.
To get buy-in from key stakeholders, an IS strategy should clearly define the objectives of the program and align itself with proven practices and standards. It should be grounded in current-state assessments for the organization, such as the vision and prioritisation tabs. The vision should articulate the desired state that the IS strategy aims to achieve during the planning period.
The IS strategy should include a set of principles that guide security implementation and operations on a daily basis. These include: making control decisions based on specific risk and risk appetite rather than check-box compliance, supporting business outcomes rather than solely protecting the infrastructure, and considering the human element when designing and managing security controls.
The CISO’s role in executing this strategy involves getting business support for the IS program and creating a clear strategic vision that aligns with proven practices and standards. Socialising the strategy with business leaders who are expected to adhere to it is an essential part of this process.