Build an Information Security Strategy

Tailor best practices to effectively manage information security.



Your Challenge

  • Organizations are struggling to keep up with today’s evolving threat landscape.
  • From technology sophistication and business adoption to the proliferation of hacking techniques and the expansion of hacking motivations, organizations are facing major security risks.
  • Every organization needs some kind of information security program to protect their systems and assets.
  • Organizations today face pressure from regulatory or legal obligations, customer requirements, and now, senior management expectations.

Our Advice

Critical Insight

  • Performing an accurate assessment of your current security operations and maturity levels can be extremely hard when you don’t know what to assess or how to assess it.
  • Alignment can be a difficult area for security to get right when it’s trying to balance both regular IT and the business.
  • Communication is needed between the business leaders, IT leaders, and the security team for an effective security strategy to be in place.

Impact and Result

  • Info-Tech has analyzed and integrated regulatory and industry best practice frameworks, combining COBIT 5, PCI DSS, ISO 27000, NIST SP800-53, and SANS to ensure an exhaustive approach to security.
  • Through this process, a comprehensive current state assessment, gap analysis, and initiative generation ensures that nothing is left off the table.
  • This project will elevate the perception of the security team from being a hindrance to the organization to an enabler.

Build an Information Security Strategy

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build an Information Security strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.



Perform a gap analysis

Perform a gap analysis by assessing the current state and then determining the organizational target state.


Develop gap initiatives

Generate initiatives to reach the organizational target state.

Info-Tech Academy

Get Info-Tech Certified

Train your staff and develop a world-class IT team.


Security Strategy Course

Tailor best practices to effectively manage information security.
This course makes up part of the Security & Risk Certificate.


Course information:

Title: Security Strategy Course
Number of Course Modules: 5
Estimated Time to Complete: 2-2.5 hours

James McCloskey, Sr. Research Director, Security Practice
Gord Harrison, SVP of Research and Advisory

Onsite Workshop


Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess Security Requirements

The Purpose

  • Introduce security management.
  • Analyze the business and IT strategy and plans.
  • Define the organization's risk tolerance levels.
  • Assess the security risk profile.

Key Benefits Achieved

  • Security obligations statement
  • Security scope and boundaries statement
  • Defined risk tolerance level
  • Security pressure posture



Introduce security management.


Understand business and IT strategy and plans.


Define the security obligations, scope, and boundaries.

  • Security obligations statement
  • Security scope and boundaries statement


Define risk tolerance levels.

  • Defined risk tolerance level


Assess the security pressure posture.

  • Defined security pressure posture

Module 2: Perform a Gap Analysis

The Purpose

  • Define the current security capabilities and maturity.
  • Develop a security target state based on the organization’s security risk profile, and conduct a gap analysis.

Key Benefits Achieved

  • Visualization of the organization’s current security capabilities and maturity level
  • Foundation built to determine your security target state by understanding the organization’s security needs and scope



Assess current security capabilities and performance.

  • Current security maturity levels


Review pen test results.


Define security target state.

  • Security target state

Module 3: Develop Gap Initiatives

The Purpose

  • Develop gap initiatives to reach your security target state.
  • Assess the organization’s readiness to implement the gap initiatives and scale the initiatives to develop a feasible implementation plan.

Key Benefits Achieved

  • Identified gap initiatives to augment the security program
  • Understanding of the resources needed to implement all the initiatives



Identify security gaps.

  • Future state – current state gap analysis


Build initiatives to bridge the gap.

  • Initiatives to address the gap


Estimate the resources needed.

  • Estimate of required effort


Prioritize gap initiatives.

  • Budget and resource readiness analysis


Determine start time and accountability.

Module 4: Plan for the Transition

The Purpose

  • Finalize the roadmap and action plan for the information security plan.
  • Create a security charter, organizational structure, change and communication plan, and/or security services catalog.
  • Develop a metrics program to measure your progress.

Key Benefits Achieved

  • Finalized information security roadmap and action plan for the organization
  • Key deliverables to kick-start the security program
  • Measurement program to monitor and improve upon the existing program



Finalize security roadmap and action plan.

  • Security roadmap and action plan


Build a security charter.

  • Security charter


Build the security program organizational structure.

  • Security organizational structure


Create a change and communication plan.

  • Change and communication plan


Develop a metrics program.

  • Metrics program


Develop a security services catalog.

  • Security services catalog

Search Code: 74131
Published: February 4, 2014
Last Revised: September 21, 2015