INFOSEC STRATEGY

Creating an Information Security Strategy

Joshua Moses
5 min read · Feb 27, 2020

The idea is to move from a reactive environment to becoming a proactive environment, taking a coordinated approach with a holistic mission that contains concise objectives.

You need to build a strategy that both protects the institution and projects security outward.

The approach must evolve from short term goals to long term goals with a mission. A good strategy will form a cohesive, coordinated effort to support the mission of the institution in a way that users can understand and know specifically what they need to do to aid in the implementation.

For this approach to succeed, you need to identify three components:

Mission: A summary of the institutional purpose

Objectives: An established set of overarching goals

Strategy: A road map with guiding principles moving from the current state to the desired state.

Example:

Mission: The Information Security Office (ISO) enables the organization to serve its users by protecting vital information and data, delivering comprehensive information security and privacy programs for the company, embracing the evolution of information security, and becoming the leader in cyber security services to the organization.

OBJECTIVE 1: Users will be armed with the awareness and knowledge to protect institutional data and meet compliance obligations.

How do you do that? Through annual information security awareness training that covers responsibility and accountability for general workstation use, password management, acceptable email use, local administrator accounts, removable media, cell phone and camera security, protecting sensitive data, social engineering and phishing threats, malware, information security incident response, and a review of the behavior and acceptable use policy.

OBJECTIVE 2: Users will effectively use program tools and services to protect institutional data and resources while delivering their positional duties.

How do you do that? By classifying and categorizing data, you tell the employee how to handle each type of data and which data they may distribute. Important classes are:

Confidential Data (the most secure)

Internal Use Only (data intended to be used only within the organization)

General Data (data that may be sent outside the organization)

OBJECTIVE 3: Information Security leadership will be a trusted advisor to institutional leadership.

How do you do that? The job of the ISO is to keep you as the user informed of emerging threats and to help you adjust to the changing threat landscape by introducing you to information security policies and regulations.

OBJECTIVE 4: A healthy set of security engineering and operations services exist to manage the security standards of the institution.

How do you do that? Information security staff exist to ensure that the cyber defenses are maintained daily.

Security Engineers and Architects design solutions that detect and mitigate threats from the cyber security world.

Security Operations Center personnel provide incident response plans and the detection and investigation of attackers who may be trying to steal data from the institution.

Security Administrators enforce logging and monitoring of the data, because standards such as HIPAA and PCI require long-term audit logging solutions that can report on compliance with the standard.

Identity Management administrators address the process and the technical structure of your user provisioning systems.

These types of overarching objectives should lead to a coordinated set of efforts, each meant to achieve one objective. Each effort should be sorted under a program objective, so you can clearly see how it serves that objective. Any project or effort that does not serve an objective should be re-evaluated for whether it contributes to the overall strategy. This also allows for more effective communication with your employees. A poorly communicated strategy can leave an institution in disarray: if employees do not know how the objectives affect them personally and what they can do to contribute, the direction is often lost and the effectiveness is minimized. That can lead to unhappy employees and an insecure environment.

A quarterly review of the documented objectives, including success metrics and assessments that report the level of achievement, is necessary to measure progress.

The Strategy

Your strategy needs to set out the specific goals and objectives that can and should be met on an annual basis, while accounting for the fact that strategy is an ongoing activity.

  • Include a prescriptive annual plan followed by a rolling three-year plan.
  • Clearly identify the point of arrival for capabilities based on management guidance and input.
  • Ensure the availability and capability of necessary staff for the strategy execution.
  • Gain an understanding of the organization’s culture to ensure an appropriate plan for adoption.

The point of arrival is simply a definition of the desired state of capability that the organization would like to have in place once the strategy has been executed. The best way to determine the point of arrival is to work with the leadership team to understand their goals.

Often leadership teams have different perspectives on the point of arrival, dependent upon the audience to whom they are speaking. Leaders want to project a feeling of trust and safety to external parties, including clients and partners, and may state that they will do everything they can to ensure the safety of information infrastructure and data. Alternatively, these same leaders frequently communicate to internal audiences that they would like the organization to be as good or slightly better than its peers and competitors in its industry.

It is important to correctly size the strategy based on current or expected staffing capabilities to ensure that the defined capabilities and objectives can be met. Many organizations find themselves in situations in which they have many objectives but do not have the staff available to achieve them. This is typically a primary concern during the initial foundational implementation phase in which staff requirements can be triple that of those required during the operational and maturity phases.

Understanding the culture of an organization is important when developing a strategy, and a key element is adoption. Adoption of strategy will not occur quickly or effectively if the members of the organization who are impacted by the strategy do not support the implementation. If an organization has a culture that is based on open exchange of ideas and freethinking, the use of consensus activities and open discussion of the strategy will be most effective. In contrast, an organization in which the culture is based on directives from leadership and expected alignment to those directives will not benefit from open discussion and consensus. Instead, specific guidance and messaging from senior leadership will be necessary to drive adoption of the strategy. Users need to understand what they need to do and where they fit into the strategy to make it successful, regardless of the type of strategy.
