
Build an Information Security Strategy

Tailor best practices to effectively manage information security.

Your Challenge

  • Organizations are struggling to keep up with today’s evolving threat landscape.
  • From technology sophistication and business adoption to the proliferation of hacking techniques and the expansion of hacking motivations, organizations are facing major security risks.
  • Every organization needs some kind of information security program to protect their systems and assets.
  • Organizations today face pressure from regulatory or legal obligations, customer requirements, and now, senior management expectations.

Our Advice

Critical Insight

  • Performing an accurate assessment of your current security operations and maturity levels can be extremely hard when you don’t know what to assess or how to assess it.
  • Alignment can be a difficult area for security to get right when it’s trying to balance both regular IT and the business.
  • Communication is needed between the business leaders, IT leaders, and the security team for an effective security strategy to be in place.

Impact and Result

  • Info-Tech has analyzed and integrated regulatory and industry best practice frameworks, combining COBIT 5, PCI DSS, ISO 27000, NIST SP800-53, and SANS to ensure an exhaustive approach to security.
  • Through this process, a comprehensive current state assessment, gap analysis, and initiative generation ensure that nothing is left off the table.
  • This project will elevate the perception of the security team from being a hindrance to the organization to an enabler.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build an Information Security strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Assess security requirements

Introduce security management and define the security scope while assessing the organizational risk profile.

2. Perform a gap analysis

Perform a gap analysis by assessing the current state and then determining the organizational target state.

3. Develop gap initiatives

Generate initiatives to reach the organizational target state.

Guided Implementations

This guided implementation is a nine-call advisory process.

Guided Implementation #1 - Assess security requirements

Call #1 - Review the scope of the security strategy plans
Call #2 - Define the organizational risk tolerance
Call #3 - Assess the security risk profile of the business

Guided Implementation #2 - Perform a gap analysis

Call #1 - Perform a current state assessment of the security controls
Call #2 - Determine the future target state of the security controls

Guided Implementation #3 - Develop gap initiatives

Call #1 - Identify existing gaps and create gap initiatives to close the gaps
Call #2 - Determine the benefit, cost, and resources needed for each initiative

Guided Implementation #4 - Plan for the transition

Call #1 - Build a roadmap based on the security initiatives
Call #2 - Optimize your strategy

Info-Tech Academy

Get Info-Tech Certified

Train your staff and develop a world-class IT team.

Security Strategy Course

Tailor best practices to effectively manage information security.
This course makes up part of the Security & Risk Certificate.

Course information:

  • Title: Security Strategy Course
  • Number of Course Modules: 5
  • Estimated Time to Complete: 2-2.5 hours
  • Featured: James McCloskey, Sr. Research Director, Security Practice; Gord Harrison, SVP of Research and Advisory

Onsite Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess Security Requirements

The Purpose

  • Introduce security management.
  • Analyze the business and IT strategy and plans.
  • Define the organization's risk tolerance levels.
  • Assess the security risk profile.

Key Benefits Achieved

  • Security obligations statement
  • Security scope and boundaries statement
  • Defined risk tolerance level
  • Security pressure posture

Activities and Outputs:

  • 1.1 Introduce security management.
  • 1.2 Understand business and IT strategy and plans.
  • 1.3 Define the security obligations, scope, and boundaries.
    Outputs: Security obligations statement; Security scope and boundaries statement
  • 1.4 Define risk tolerance levels.
    Output: Defined risk tolerance level
  • 1.5 Assess the security pressure posture.
    Output: Defined security pressure posture

Module 2: Perform a Gap Analysis

The Purpose

  • Define the current security capabilities and maturity.
  • Develop a security target state based on the organization’s security risk profile, and conduct a gap analysis.

Key Benefits Achieved

  • Visualization of the organization’s current security capabilities and maturity level
  • Foundation built to determine your security target state by understanding the organization’s security needs and scope

Activities and Outputs:

  • 2.1 Assess current security capabilities and performance.
    Output: Current security maturity levels
  • 2.2 Review pen test results.
  • 2.3 Define security target state.
    Output: Security target state

Module 3: Develop Gap Initiatives

The Purpose

  • Develop gap initiatives to reach your security target state.
  • Assess the organization’s readiness to implement the gap initiatives and scale the initiatives to develop a feasible implementation plan.

Key Benefits Achieved

  • Identified gap initiatives to augment the security program
  • Understanding of the resources needed to implement all the initiatives

Activities and Outputs:

  • 3.1 Identify security gaps.
    Output: Future state – current state gap analysis
  • 3.2 Build initiatives to bridge the gap.
    Output: Initiatives to address the gap
  • 3.3 Estimate the resources needed.
    Output: Estimate of required effort
  • 3.4 Prioritize gap initiatives.
    Output: Budget and resource readiness analysis
  • 3.5 Determine start time and accountability.

Module 4: Plan for the Transition

The Purpose

  • Finalize the roadmap and action plan for the information security plan.
  • Create a security charter, organizational structure, change and communication plan, and/or security services catalog.
  • Develop a metrics program to measure your progress.

Key Benefits Achieved

  • Finalized information security roadmap and action plan for the organization
  • Key deliverables to kick-start the security program
  • Measurement program to monitor and improve upon the existing program

Activities and Outputs:

  • 4.1 Finalize security roadmap and action plan.
    Output: Security roadmap and action plan
  • 4.2 Build a security charter.
    Output: Security charter
  • 4.3 Build the security program organizational structure.
    Output: Security organizational structure
  • 4.4 Create a change and communication plan.
    Output: Change and communication plan
  • 4.5 Develop a metrics program.
    Output: Metrics program
  • 4.6 Develop a security services catalog.
    Output: Security services catalog

Search Code: 74131
Published: February 4, 2014
Last Revised: September 21, 2015