A strategic plan for information security would contain which of the following?

• Many security leaders struggle to decide how to best to prioritize their scarce information security resources
• The need to move from a reactive approach to security towards a strategic planning approach is clear. The path to getting there is less so.

Our Advice

Critical Insight

The most successful information security strategies are:

• Holistic – They consider the full spectrum of information security, including people, processes, and technology.
• Risk aware – They understand that security decisions should be made based on the security risks facing their organization, not just on “best practice.”
• Business aligned – They demonstrate an understanding of the goals and strategies of the organization and how the security program can support the business.

Impact and Result

• Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for more than seven years with hundreds of different organizations:
• This approach includes tools for:
  • Ensuring alignment with business objectives.
  • Assessing organizational risk and stakeholder expectations.
  • Enabling a comprehensive current state assessment.
  • Prioritizing initiatives and building out a security roadmap.

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Cameron County, TX

Guided Implementation

10/10

$12,599

20

Mr. Hebert was very patient and worked with us step by step, as we have a new group of cybersecurity individuals and that made the process optimal. We were only able to book him once a month and a month in advanced, so when we had a conflict we lost add...

Midis Services FZ - LLC

Guided Implementation

9/10

$12,599

20

America-Mideast Educational and Training Services, Inc.

Guided Implementation

8/10

$1,259

29

The best part is having all of the security controls from different standards aggregated and organized in one sheet. This helped us in performing the security assessment and to ensure that we have covered all critical areas. Ida did a great job in explai...

Tailor best practices to effectively manage information security.
This course makes up part of the Security & Risk Certificate.

Now Playing: Academy: Security Strategy | Executive Brief

An active membership is required to access Info-Tech Academy

• Course Modules: 5
• Estimated Completion Time: 2-2.5 hours

• Featured Analysts:
• Kevin Peuhkurinen, Research Director, Security & Risk
• Gord Harrison, Senior Vice President, Research

Workshop: Build an Information Security Strategy

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess Security Requirements

The Purpose

Understand business and IT strategy and plans.

Key Benefits Achieved

Defined security obligations, scope, and boundaries.

Activities

Outputs

1.1

Define business and compliance.

• Security obligations statement

1.2

Establish security program scope.

• Security scope and boundaries statement

1.3

Analyze the organization’s risk and stakeholder pressures.

• Defined risk tolerance level

1.4

Identify the organizational risk tolerance level.

• Risk assessment and pressure analysis

Module 2: Perform a Gap Analysis

The Purpose

Define the information security target state.

Key Benefits Achieved

Set goals and Initiatives for the security strategy in line with the business objectives.

Activities

Outputs

2.1

Assess current security capabilities.

• Information security target state

2.2

Identify security gaps.

• Security current state assessment

2.3

Build initiatives to bridge the gaps.

• Initiatives to address gaps

Module 3: Complete the Gap Analysis

The Purpose

Continue assessing current security capabilities.

Key Benefits Achieved

Identification of security gaps and initiatives to bridge them according to the business goals.

Activities

Outputs

3.1

Identify security gaps.

• Completed security current state assessment

3.2

Build initiatives to bridge the maturity gaps.

• Task list to address gaps

3.3

Identify initiative list and task list.

• Initiative list to address gaps

3.4

Define criteria to be used to prioritize initiatives.

• Prioritize criteria

Module 4: Develop the Roadmap

The Purpose

Create a plan for your security strategy going forward.

Key Benefits Achieved

Set path forward to achieving the target state for the business through goal cascade and gap initiatives.

Activities

Outputs

4.1

Conduct cost/benefit analysis on initiatives.

• Information security roadmap

4.2

Prioritize gap initiatives based on cost and alignment with business.

• Draft communication deck

4.4

Determine state times and accountability.

4.5

Finalize security roadmap and action plan.

4.6

Create communication plan.

Module 5: Communicate and Implement

The Purpose

Finalize deliverables.

Key Benefits Achieved

Consolidate documentation into a finalized deliverable that can be used to present to executives and decision makers to achieve buy-in for the project.

Activities

Outputs

5.1

Support communication efforts.

• Security strategy roadmap documentation

5.2

Identify resources in support of priority initiatives.

• Detailed cost and effort estimates
• Mapping of Info-Tech resources against individual initiatives

Build an Information Security Strategy

Create value by aligning your strategy to business goals and business risks.

Analyst Perspective

Set your security strategy up for success.

“Today’s rapid pace of change in business innovation and digital transformation is a call to action to information security leaders.

Too often, chief information security officers find their programs stuck in reactive mode, a result of years of mounting security technical debt. Shifting from a reactive to proactive stance has never been more important. Unfortunately, doing so remains a daunting task for many.

While easy to develop, security plans premised on the need to blindly follow ‘best practices’ are unlikely to win over many stakeholders. To be truly successful, an information security strategy needs to be holistic, risk-aware, and business-aligned.”

Kevin Peuhkurinen

Research Director – Security, Risk & Compliance

Info-Tech Research Group

Executive summary

Your Challenge

• Many security leaders struggle to decide how best to prioritize their scarce information security resources.
• The need to move from a reactive approach to security toward a strategic planning approach is clear. The path to getting there is less clear.

Common Obstacle

• Developing a security strategy can be challenging. Complications include:
  • Performing an accurate assessment of your current security program can be extremely difficult when you don’t know what to assess or how.
  • Determining the appropriate target state for security can be even more challenging. A strategy built around following best practices is unlikely to garner significant support from business stakeholders.

Info-Tech’s Approach

• Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for 7+ years with hundreds of organizations.
• This unique approach includes tools for:
  • Ensuring alignment with business objectives.
  • Assessing organizational risk and stakeholder expectations.
  • Enabling a comprehensive current state assessment.
  • Prioritizing initiatives and building out a security roadmap.

Info-Tech Insight

The most successful information security strategies are:

• Holistic. They consider the full spectrum of information security, including people, processes, and technologies.
• Risk-Aware. They understand that security decisions should be made based on the security risks facing their organization, not just on best practice.
• Business-Aligned. They demonstrate an understanding of the goals and strategies of the organization, and how the security program can support the business.

It’s not a matter of if you have a security incident, but when

Organizations need to prepare and expect the inevitable security breach.

Fifty-eight percent of companies surveyed that experienced a breach were small businesses.

Eighty-nine percent of breaches have a financial or espionage motive.

Source: Ponemon Institute, “2019 Global Cost of Data Breach Study”

An information security strategy can help you prepare for incidents

Organizations need to expect the inevitable security breach.

90%

of businesses have experienced an external threat in the last year.

50%

of IT professionals consider security to be their number one priority.

53%

of organizations claimed to have experienced an insider attack in the previous 12 months. 1

46%

of businesses believe the frequency of attacks is increasing. 2

Effective IT leaders approach their security strategy from an understanding that attacks on their organization will occur. Building a strategy around this assumption allows your security team to understand the gaps in your current approach and become proactive instead of being reactive.

Sources: 1 Kaspersky Lab, “Global IT Security Risks Survey”; 2 CA Technologies, “Insider Threat 2018 Report”

Persistent Issues

Evolving Ransomware

• Continual changes in types and platforms make ransomware a persistent threat. The frequency of ransomware attacks was reported to have increased by 67% in the past five years. 1

Phishing Attacks

• Despite filtering and awareness, email remains the most common threat vector for phishing attacks (94%) and an average of 3% of participants in phishing campaigns still click on them. 2

Insider Privilege and Misuse

• Typically, 34% of breaches are perpetrated by insiders, with 15% involving privilege misuse. Takeaway: Care less about titles and more about access levels. 3

Denial of Service

• The median amount of time that an organization is under attack from DDoS attack is three days.

Emerging Trends

Advanced Identity and Access Governance

• Using emerging technologies in automation, orchestration, and machine learning, the management and governance of identities and access has become more advanced.

Sources: 1 Accenture, “2019 The Cost of Cyber Crime Study”; 2,3 Verizon, “2019 Data Breach Investigations Report”

New threat trends in information security aren’t new.

Previously understood attacks are simply an evolution of prior implementations, not a revolution.

Traditionally, most organizations are not doing a good-enough job with security fundamentals, which is why attackers have been able to use the same old tricks.

However, information security has finally caught the attention of organizational leaders, presenting the opportunity to implement a comprehensive security program.

Cyberattacks have a significant financial impact

Global average cost of a data breach: $3.92 Million

Source: Ponemon Institute, “2019 Cost of a Data Breach Study: Global Overview”

Primary incident type (with a confirmed data breach)

1. Leading incident type is Denial of Service attacks (DoS), taking up to 70% of all incidents.
2. When it comes to data breaches, we see that the use of stolen credentials leads to the most cases of confirmed breaches, accounting for 29%.

Personal records tend to be the most compromised data types, while databases tend to be the most frequently involved asset in breaches.

Source: Verizon, “2019 Data Breach Investigations Report”

Security threats are not going away

We continue to see and hear of security breaches occurring regularly.

An attacker must be successful only once. The defender – you – must be successful every time.

Info-Tech’s approach

Maturing from reactive to strategic information security

The Info-Tech difference:

1. A proven, structured approach to mature your information security program from reactive to strategic.
2. A comprehensive set of tools to take the pain out of each phase in the strategy building exercise.
3. Visually appealing templates to communicate and socialize your security strategy and roadmap to your stakeholders.

Info-Tech’s Security Strategy Model

The Info-Tech difference:

An information security strategy model that is:

1. Business-Aligned. Determines business context and cascades enterprise goals into security alignment goals.
2. Risk-Aware. Understands the security risks of the business and how they intersect with the overall organizational risk tolerance.
3. Holistic. Leverages a best-of-breed information security framework to provide comprehensive awareness of organizational security capabilities.

Info-Tech’s best-of-breed security framework

Info-Tech’s approach

Creating an information security strategy

The Info-Tech difference:

Evolve the security program to be more proactive by leveraging Info-Tech’s approach to building a security strategy.

• Dive deep into security obligations and security pressures to define the business context.
• Conduct a thorough current state and future state analysis that is aligned with a best-of-breed framework.
• Prioritize gap-closing initiatives to create a living security strategy roadmap.

Use Info-Tech’s blueprint to save one to three months

Iterative benefit

Over time, experience incremental value from your initial security strategy. Through continual updates your strategy will evolve but with less associated effort, time, and costs.

These estimates are based on experiences with Info-Tech clients throughout the creation of this blueprint.

Key deliverable:

Information Security Strategy Communication Deck (PPT)

Present your findings in a prepopulated document that can summarizes all key findings of the blueprint.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Information Security Requirements Gathering Tool

Define the business, customer, and compliance alignment for your security program.

Information Security Pressure Analysis Tool

Determine your organization’s security pressures and ability to tolerate risk.

Information Security Program Gap Analysis Tool

Use our best-of-breed security framework to perform a gap analysis between your current and target states.

Information Security Charter

Ensure the development and management of your security policies meet the broader program vision.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostic and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical Guided Implementation on this topic look like?

Guided Implementation #1 - Assess security requirements

• Call #1 - Introduce project and complete pressure analysis.

Guided Implementation #2 - Build a gap initiative strategy

• Call #1 - Introduce the maturity assessment.
• Call #2 - Perform gap analysis and translate into initiatives.
• Call #3 - Consolidate related gap initiatives and define, cost, effort, alignment, and security benefits.

Guided Implementation #3 - Prioritize initiatives and build roadmap

• Call #1 - Review cost/benefit analysis and build an effort map.
• Call #2 - Build implementation waves and introduce Gantt chart.

Guided Implementation #4 - Execute and maintain

• Call #1 - Review Gantt chart and ensure budget/buy-in support.
• Call #2 - Three-month check-in: Execute and maintain.

A Guided Implementation is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical Guided Implementation is between 2-12 calls over the course of 4 to 6 months.

Workshop Overview

Contact your account representative for more information, or contact or 1-888-670-8889.

Executive Brief Case Study

Credit Service Company

Industry: Financial Services

Source: Info-Tech Research group

Founded over 100 years ago, Credit Service Company (CSC)* operates in the United States with over 40 branches located across four states. The organization services over 50,000 clients.

Situation

Increased regulations, changes in technology, and a growing number of public security incidents had caught the attention of the organization’s leadership. Despite awareness, an IT and security strategy had not been previously created. Management was determined to create a direction for the security team that aligned with their core mission of providing exceptional service and expertise.

Solution

During the workshop, the IT team and Info-Tech analysts worked together to understand the organization’s ideal state in various areas of information security. Having a concise understanding of requirements was a stepping stone to beginning to develop CSC’s prioritized strategy.

Results

Over the course of the week, the team created a document that concisely prioritized upcoming projects and associated costs and benefits. On the final day of the workshop, the team effectively presented the value of the newly developed security strategy to senior management and received buy-in for the upcoming project.

*Some details have been changed for client privacy.

Phase 1

Assess Security Requirements

Phase 1

• 1.1 Define goals & scope
• 1.2 Assess risks
• 1.3 Determine pressures
• 1.4 Determine risk tolerance
• 1.5 Establish target state

Phase 2

• 2.1 Review Info-Tech’s security framework
• 2.2 Assess your current state
• 2.3 Identify gap closure actions

Phase 3

• 3.1 Define tasks & initiatives
• 3.2 Perform cost/benefit analysis
• 3.3 Prioritize initiatives
• 3.4 Build roadmap

Phase 4

• 4.1 Build communication deck
• 4.2 Develop a security charter
• 4.3 Execute on your roadmap

This phase will walk you through the following activities:

1.1 Define goals and scope of the security strategy.

1.2 Assess your organization’s current inherent security risks.

1.3 Determine your organization’s stakeholder pressures for security.

1.4 Determine your organization’s risk tolerance.

1.5 Establish your security target state.

1.1.1 Record your business goals

Once you have identified your primary and secondary business goals, as well as the corresponding security alignment goals, record them in the Information Security Requirements Gathering Tool. The tool provides an activity status that will let you know if any parts of the tool have not been completed.

1. Record your identified primary and secondary business goals in the Goals Cascade tab of the Information Security Requirements Gathering Tool.

Use the drop-down lists to select an appropriate goal or choose “Other.” If you do choose “Other,” you will need to manually enter an appropriate business goal.

2. For each of your business goals, select one to two security alignment goals. The tool will provide you with recommendations, but you can override these by selecting a different goal from the drop-down lists.

A common challenge for security leaders is how to express their initiatives in terms that are meaningful to business executives. This exercise helps to make an explicit link between what the business cares about and what security is trying to accomplish.

1.1.2 Review your goals cascade

Estimated Time: 15 minutes

1. When you have completed the goals cascade, you can review a graphic diagram that illustrates your goals. The graphic is found on the Results tab of the Information Security Requirements Gathering Tool.
   • Security must support the primary business objectives. A strong security program will enable the business to compete in new and creative ways, rather than simply acting as an obstacle.
   • Failure to meet business obligations can result in operational problems, impacting the organization’s ability to function and the organization’s bottom line.
2. Once you have reviewed the diagram, copy it into the Information Security Strategy Communication Deck.

Identify your compliance obligations

Most conventional regulatory obligations are legally mandated legislation or compliance obligations, such as:

Sarbanes-Oxley Act (SOX)

Applies to public companies that have registered equity or debt securities within the SEC to guarantee data integrity against financial fraud.

Payment Card Industry Data Security Standard (PCI DSS)

Applies to any organization that processes, transmits, or stores credit card information to ensure cardholder data is protected.

Health Insurance Portability and Accountability Act (HIPAA)

Applies to the healthcare sector and protects the privacy of individually identifiable healthcare information.

Health Information Technology for Economic and Clinical Health (HITECH)

Applies to the healthcare sector and widens the scope of privacy and security protections available under HIPAA.

Personal Information Protection and Electronic Documents Act (PIPEDA)

Applies to private sector organizations that collect personal information in Canada to ensure the protection of personal information in the course of commercial business.

Compliance obligations also extend to voluntary security frameworks:

NIST

National Institute of Standards and Technology; a non-regulatory agency that develops and publicizes measurement

CIS – 20 CSC

Center for Internet Security – 20 Critical Security Controls; foundational set of effective cybersecurity practices.

ISO 27001

An information security management system framework outlining policies and procedures.

COBIT 5

An information technology and management and governance framework.

HITRUST

A common security framework for organizations that use or hold regulated personal health information.

1.1.3 Record your compliance obligations

Estimated Time: 30 minutes

1. Identify your compliance obligations. Most organizations have compliance obligations that must be adhered to. These can include both mandatory and voluntary obligations. Mandatory obligations include:
   • Laws
   • Government regulations
   • Industry standards
   • Contractual agreements
   Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your security strategy, include only those that have information security or privacy requirements.
2. Record your compliance obligations, along with any notes, in your copy of the Information Security Requirements Gathering Tool.

Establish your scope and boundaries

It is important to know at the outset of the strategy: what are we trying to secure?

This includes physical areas we are responsible for, types of data we care about, and departments or IT systems we are responsible for.

This also includes what is not in scope. For some outsourced services or locations, you may not be responsible for their security. In some business departments, you may not have control of security processes. Ensure that it is made explicit at the outset what will be included and what will be excluded from security considerations.

Physical Scope and Boundaries

• How many offices and locations does your organization have?
• Which locations/offices will be covered by your information security management system (ISMS)?
• How sensitive is the data residing at each location?
• You may have many physical locations, and it is not necessary to list every one. Rather, list exceptional cases that are specifically in or out of scope.

IT Systems Scope and Boundaries

• There may be hundreds of applications that are run and maintained in your organization. Some of these may be legacy applications. Does your ISMS need to secure all your programs or a select few?
• Is the system owned or outsourced?
• Where are we accountable for security?
• How sensitive is the data that each system handles?

Organizational Scope and Boundaries

• Will your ISMS cover all departments within your organization? For example, do certain departments (e.g. Operations) not need any security coverage?
• Do you have the ability to make security decisions for each department?
• Who are the key stakeholders/data owners for each department?

Organizational scope considerations

Many different groups will fall within the purview of the security strategy. Consider these two main points when deciding which departments will be in scope:

1. If a group/user has access to data or systems that can impact the organization, then securing that group/user should be included within scope of the security strategy.
2. If your organization provides some work direction to a group/user, they should be included within scope of the security strategy.

1. Identify your departments and business groups
   • Start by identifying departments that provide some essential input or service to the organization or departments that interact with sensitive data.
2. Break out different subsidiaries or divisions
   • Subsidiaries may or may not be responsible for securing themselves and protecting their data, but either way they are often heavily reliant on corporate for guidance and share IT resourcing support.
3. Identify user groups
   • Many user groups exist, all requiring different levels of security. For example, from on-premises to remote access, from full-time employees to part-time or contractors.

Physical scope considerations

List physical locations by type

Offices

The primary location(s) where business operations are carried out. Usually leased or owned by the business.

Regional Offices

These are secondary offices that can be normal business offices or home offices. These locations will have a VPN connection and some sort of tenant.

Co-Locations

These are redundant data center sites set up for additional space, equipment, and bandwidth.

Remote Access

This includes all remaining instances of employees or contractors using a VPN to connect.

Clients and Vendors

Various vendors and clients have dedicated VPN connections that will have some control over infrastructure (whether owed/laaS/other).

List physical locations by nature of the location

Core areas within physical scope

These are many physical locations that are directly managed. These are high-risk locations with many personal and services, resulting in many possible vulnerabilities and attack vectors.

Locations on the edge of control

These are on the edge of the physical scope, and thus, in scope of the security strategy. These include remote locations, remote access connections, etc.

Third-party connections

Networks of third-party users are within physical scope and need defined security requirements and definitions of how this varies per user.

BYOD

Mostly privately owned mobile devices with either on-network or remote access.

It would be overkill and unhelpful to list every single location or device that is in scope. Rather, list by broad categories as suggested above or simply list exceptional cases that are in/out of scope.

IT systems scope considerations

Consider identifying your IT systems by your level of control or ownership.

Fully owned systems

These are systems that are wholly owned or managed by your organization.

IT is almost always the admin of these systems. Generally they are hosted on premises. All securitization through methods such as patching or antivirus is done and managed by your IT department.

Cloud/remote hosted (SaaS)

These are systems with a lot of uncertainties because the vendor or service provided is either not known or what they are doing for security is not fully known.

These systems need to be secured regardless, but supplier and vendor relationship management becomes a major component of how to manage these systems. Often, each system has varying levels of risk based on vendor practices.

Hybrid owned (IaaS/PaaS)

You likely have a good understanding of control for these systems, but they may not be fully managed by you (i.e. ownership of the infrastructure). These systems are often hosted by third parties that do some level of admin work.

A main concern is the unclear definition of responsibility in maintaining these systems. These are managed to some degree by third parties; it is challenging for your security program to perform the full gamut of security or administrative functions.

Unknown/unowned systems

There are often systems that are unowned and even unknown and that very few people are using. These apps can be very small and my not fall under your IT management system framework. These systems create huge levels of risk due to limited visibility.

For example, unapproved (shadow IT) file sharing or cloud storage applications would be unknown and unowned.

1.1.4 Record your scope and boundaries

Estimated Time: 30-60 minutes

1. Divide into groups and give each group member a handful of sticky notes. Ask them to write down as many items as possible for the organization that could fall under one of the scope buckets.
2. Collect each group’s responses and discuss the sticky notes and the rationale for including them. Discuss your security-related locations, data, people, and technologies, and define their scope and boundaries.
   • Careful attention should be paid to any elements of the strategy that are not in scope.
3. Discuss and aggregate all responses as to what will be in scope of the security strategy and what will not be. Record these in the Information Security Requirements Gathering Tool.

1.2 Conduct a risk assessment

Estimated Time: 1-3 hours

1. As a group, review the questions on the Risk Assessment tab of the Information Security Pressure Analysis Tool.
2. Gather the required information from subject matter experts on the following risk elements:
   • Threats
   • Assets
   • Vulnerabilities (people, systems, supply chain)
   • Historical security incidents

Input

• List of organizational assets
• Historical data on information security incidents

Output

• Completed risk assessment

Materials

• Information Security Pressure Analysis Tool

Participants

• Security Team
• IT Leadership
• Risk Management

Download the Information Security Pressure Analysis Tool

1.2.1 Complete the risk assessment questionnaire

Estimated Time: 60-90 minutes

1. Review each question in the questionnaire and provide the most appropriate response using the drop-down list.
   • If you are unsure of the answer, consult with subject matter experts to obtain the required data.
   • Otherwise, provide your best estimation
2. When providing responses for the historical incident questions, only count incidents that had a sizeable impact on the business.

Info-Tech Insight

Understanding your organization’s security risks is critical to identifying the most appropriate level of investment into your security program. Organizations with more security risks will need more a mature security program to mitigate those risks.

1.2.2 Review the results of the risk assessment

Estimated Time: 30 minutes

1. Once you have completed the risk assessment, you can review the output on the Results tab.
2. If required, the weightings of each of the risk elements can be customized on the Weightings tab.
3. Once you have reviewed the results, copy your risk assessment diagram into the Information Security Strategy Communication Deck.

It is important to remember that the assessment measures inherent risk, meaning the risk that exists prior to the implementation of security controls. Your security controls will be assessed later as part of the gap analysis.

1.3 Conduct pressure analysis

Estimated Time: 1-2 hours

1. As a group, review the questions on the Pressure Analysis tab of the Information Security Pressure Analysis Tool.
2. Gather the required information from subject matter experts on the following pressure elements:
   • Compliance and oversight
   • Customer expectations
   • Business expectations
   • IT expectations

Input

• Information on various pressure elements within the organization

Output

• Completed pressure analysis

Materials

• Information Security Pressure Analysis Tool

Participants

• Security Team
• IT Leadership
• Business Leaders
• Compliance

Download the Information Security Pressure Analysis Tool

Risk tolerance considerations

At this point, we want to frame risk tolerance in terms of business impact. Meaning, what kinds of impacts to the business would we be able to tolerate and how often? This will empower future risk decisions by allowing the impact of a potential event to be assessed, then compared against the formalized tolerance. We will consider impact from three perspectives:

F

Functional Impact

The disruption or degradation of business/organizational processes.

I

Informational Impact

The breach of confidentiality, privacy, or integrity of data/information.

R

Recoverability Impact

The disruption or degradation of the ability to return to conditions prior to a security incident.

Consider these questions:

ANALYST PERSPECTIVE

It is crucial to keep in mind that you care about a risk scenario impact to the main business processes.

For example, imagine a complete functional loss of the corporate printers. For most businesses, even the most catastrophic loss of printer function will have a small impact on their ability to carry out the main business functions.

On the flip side, even a small interruption to email or servers could have a large functional impact on business processes.

Risk tolerance descriptions

High

• Organizations with high risk tolerances are often found in industries with limited security risk, such as Construction, Agriculture and Fishing, or Mining.
• A high risk tolerance may be appropriate for organizations that do not rely on highly sensitive data, have limited compliance obligations, and where their customers do not demand strong security controls. Organizations that are highly focused on innovation and rapid growth may also tend towards a higher risk tolerance.
• However, many organizations adopt a high risk tolerance by default simply because they have not adequately assessed their risks.

Moderate

• Organizations with medium risk tolerances are often found in industries with moderate levels of security risk, such as Local Government, Education, or Retail and Wholesale
• A medium risk tolerance may be appropriate for organizations that store and process some sensitive data, have a modest number of compliance obligations, and where customer expectations for security tend to be implicit rather than explicit.

Low

• Organizations with low risk tolerances are often found in industries with elevated security risk, such as Financial Services, Federal Governments, or Defense Contractors.
• A low risk tolerance may be appropriate for organizations that store very sensitive data, process high-value financial transactions, are highly regulated, and where customers demand strong security controls.
• Some organizations claim to have a low risk tolerance, but in practice will often allow business units or IT to accept more security risk than would otherwise be permissible. A strong information security program will be required to manage risks to an acceptable level.

1.4.1 Complete the risk tolerance questionnaire

Estimated Time: 30-60 minutes

1. In a group discussion, review the low-, medium-, and high-impact scenarios and examples for each impact category. Ensure that everyone has a consistent understanding of the scenarios.
2. For each impact type, use the frequency drop-down list to identify the maximum frequency that the organization could tolerate for the event scenarios, considering:
   • The current frequency with which the scenarios are occurring in your organization may be a good indication of your tolerance. However, keep in mind that you may be able to tolerate these incidents happening more frequently than they do.
   • Hoping is not the same as tolerating. While everyone hopes that high-impact incidents never occur, carefully consider whether you could tolerate them occurring more frequently.

1.4.2 Review the results of the risk tolerance analysis

Estimated Time: 30 minutes

1. Once you have completed the risk tolerance exercise, you can review the output on the Results tab.
2. If required, the weightings of each of the impact types can be customized on the Weightings tab.
3. Once you have reviewed the results, copy your risk tolerance diagram into the Information Security Strategy Communication Deck.

A low risk tolerance will require a stronger information security program to ensure that operational security risk in the organization is minimized. If this tool reports that your risk tolerance is low, it is recommended that you review the results with your senior stakeholders to ensure agreement and support for the security program.

1.5 Establish your target state

Estimated Time: 30-60 minutes

1. As a group, review the overall results of the requirements gathering exercise:
   • Business goals cascade
   • Compliance obligations
   • Scope
2. Review the overall results of the risk assessment, pressure analysis, and risk tolerance exercises.
3. Conduct a group discussion to arrive at a consensus of what the ideal target state for the information security program should look like.
   • Developing mission and vision statements for security may be useful for focusing the group.
   • This discussion should also consider the desired time frame for achieving the target state.

Download the Information Security Pressure Analysis Tool

Input

• Information security requirements (goals cascade, compliance obligations, scope)
• Risk assessment
• Pressure analysis
• Risk tolerance

Output

• Completed information security target state

Materials

• Information Security Pressure Analysis Tool

Participants

• Security Team
• IT Leadership
• Risk Management
• Business Leaders
• Compliance

Understanding security target states

Maturity models are very effective for determining information security target states. This table provides general descriptions for each maturity level. As a group, consider which description most accurately reflects the ideal target state for information security in your organization.

1. AD HOC

   Initial/Ad hoc security programs are reactive. Lacking strategic vision, these programs are less effective and less responsive to the needs of the business.

2. DEVELOPING

   Developing security programs can be effective at what they do but are not holistic. Governance is largely absent. These programs tend to rely on the talents of individuals rather than a cohesive plan.

3. DEFINED

   A defined security program is holistic, documented, and proactive. At least some governance is in place, however, metrics are often rudimentary and operational in nature. These programs still often rely on best practices rather than strong risk management.

4. MANAGED

   Managed security programs have robust governance and metrics processes. Management and board-level metrics for the overall program are produced. These are reviewed by business leaders and drive security decisions. More mature risk management practices take the place of best practices.

5. OPTIMIZED

   An optimized security program is based on strong risk management practices, including the production of key risk indicators (KRIs). Individual security services are optimized using key performance indicators (KPIs) that continually measure service effectiveness and efficiency.

1.5.1 Review the results of the target state recommendation

Estimated Time: 30-60 minutes

1. Based upon your risk assessment, pressure analysis, and risk tolerance, the Information Security Pressure Analysis Tool will provide a recommended information security target state.
2. With your group, review the recommendation against your expectations.
3. If required, the weightings of each of the factors can be customized on the Weightings tab.
4. Once you have reviewed the results, copy your target state diagram into the Information Security Strategy Communication Deck.

Info-Tech Insight

Higher target states require more investment to attain. It is critical to ensure that all key stakeholders agree on the security target state. If you set a target state that aims too high, you may struggle to gain support and funding for the strategy. Taking this opportunity to ensure alignment from the start will pay off dividends in future.

1.5.2 Review and adjust risk and pressure weightings

Estimated Time: 30 minutes

1. If the results of your risk assessment, pressure analysis, risk tolerance, or target state do not match your expectations, you may need to review and adjust the weightings for the elements within one or more of these areas.
2. On the Weightings tab, review each of the strategic categories and adjust the weights as required.
   • Each domain is weighted to contribute to your overall pressure score based on the perceived importance of the domain to the organization.
   • The sum of all weights for each category must add up to 100%.

Case Study

Credit Service Company

Industry: Financial Services

Source: Info-Tech Research group

Below are some of the primary requirements that influenced CSC’s initial strategy development.

External Pressure

Pressure Level: High

• Highly regulated industries, such as Finance, experience high external pressure.

• Security pressure was anticipated to increase over the following three years due to an increase in customer requirement.

Obligations

Regulatory: Numerous regulations and compliance requirements as a financial institution (PCI, FFIEC guidance).

Customer: Implicitly assumes personal, financial, and health information will be kept secure.

Risk Tolerance

Tolerance Level: Low

1. Management: Are risk averse and have high visibility into information security.
2. Multiple locations controlled by a central IT department decreased the organization’s risk tolerance.

Summary of Security Requirements

Define and implement dynamic information security program that understands and addresses the business’ inherent pressure, requirements (business, regulatory, and customer), and risk tolerance.

Phase 2

Build a Gap Initiative Strategy

Phase 1

• 1.1 Define goals & scope
• 1.2 Assess risks
• 1.3 Determine pressures
• 1.4 Determine risk tolerance
• 1.5 Establish target state

Phase 2

• 2.1 Review Info-Tech’s security framework
• 2.2 Assess your current state
• 2.3 Identify gap closure actions

Phase 3

• 3.1 Define tasks & initiatives
• 3.2 Perform cost/benefit analysis
• 3.3 Prioritize initiatives
• 3.4 Build roadmap

Phase 4

• 4.1 Build communication deck
• 4.2 Develop a security charter
• 4.3 Execute on your roadmap

This phase will walk you through the following activities:

• 2.1 Review Info-Tech’s framework.
• 2.2 Assess your current state of security against your target state.
• 2.3 Identify actions required to close gaps.

2.1 Review the Info-Tech framework

Estimated Time: 30-60 minutes

1. As a group, have the security team review the security framework within the Information Security Gap Analysis Tool.
2. Customize the tool as required using the instructions on the following slides.

Input

• Information security requirements
• Security target state

Output

• Customized security framework

Materials

• Information Security Gap Analysis Tool

Participants

• Security Team

Download the Information Security Gap Analysis Tool

Understand the Info-Tech framework

Info-Tech’s security framework uses a best-of-breed approach to leverage and align with most major security standards, including:

• ISO 27001/27002
• COBIT
• Center for Internet Security (CIS) Critical Controls
• NIST Cybersecurity Framework
• NIST SP 800-53
• NIST SP 800-171

A best-of-breed approach ensures holistic coverage of your information security program while refraining from locking you in to a specific compliance standard.

2.1.1 Configure the Information Security Gap Analysis Tool

Estimated Time: 30 minutes

Review the Setup tab of the Information Security Gap Analysis Tool. This tab contains several configurable settings that should be customized to your organization. For now, the three settings you will need to modify are:

• The security target state. Enter the target state from your Information Security Pressure Analysis Tool. If you do not enter a target state, the tool will default to a target of 3 (Defined).
• Your Security Alignment Goals (from your Information Security Requirements Gathering Tool).
• The starting year for your security roadmap.

2.2 Assess current state of security

Estimated Time: 8-16 hours

1. Using the Information Security Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
2. Follow the instructions on the next slides to complete your current state and target state assessment.
3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

Input

• Security target state
• Information on current state of security controls, including sources such as audit findings, vulnerability and penetration test results, and risk registers

Output

• Gap analysis

Materials

• Information Security Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management

Download the Information Security Gap Analysis Tool

Example maturity levels

To help determine appropriate current and target maturity levels, refer to the example below for the control “Email communication is filtered for spam and potential malicious communications.”

AD HOC 01

There is no centrally managed spam filter. Spam may be filtered by endpoint email clients.

DEVELOPING 02

There is a secure email gateway. However, the processes for managing it are not documented. Administrator roles are not well defined. Minimal fine-tuning is performed, and only basic features are in use.

DEFINED 03

There is a policy and documented process for email security. Roles are assigned and administrators have adequate technical training. Most of the features of the solution are being used. Rudimentary reports are generated, and some fine-tuning is performed.

MANAGED 04

Metrics are produced to measure the effectiveness of the email security service. Advanced technical features of the solution have been implemented and are regularly fine-tuned based on the metrics.

OPTIMIZED 05

There is a dedicated email security administrator with advanced technical training. Custom filters are developed to further enhance security, based on relevant cyber threat intelligence. Email security metrics feed key risk indicators that are reported to senior management.

2.2.1 Conduct current state assessment

Estimated Time: 8-16 hours

1. Carefully review each of the controls in the Gap Analysis tab. For each control, indicate the current maturity level using the drop-down list.
   • You should only use “N/A” if you are confident that the control is not required in your organization.
   For example, if your organization does not perform any software development then you can select “N/A” for any controls related to secure coding practices.
2. Provide comments to describe your current state. This step is optional but recommended as it may be important to record this information for future reference.
3. Select the target maturity for the control. The tool will default to the target state for your security program, but this can be overridden using the drop-down list.

2.2.1 Conduct current state assessment

Estimated Time: 8-16 hours

1. Carefully review each of the controls in the Gap Analysis tab. For each control, indicate the current maturity level using the drop-down list.
   • You should only use “N/A” if you are confident that the control is not required in your organization. For example, if your organization does not perform any software development then you can select “N/A” for any controls related to secure coding practices.
2. Provide comments to describe your current state. This step is optional but recommended as it may be important to record this information for future reference.
3. Select the target maturity for the control. The tool will default to the target state for your security program, but this can be overridden using the drop-down list.

Review the Gap Analysis Dashboard

Use the Gap Assessment Dashboard to map your progress. As you fill out the Gap Analysis Tool, check with the Dashboard to see the difference between your current and target state.

Use the color-coded legend to see how large the gap between your current and target state is. The legend can be customized further if desired.

Security domains that appear white have not yet been assessed or are rated as “N/A.”

2.2.3 Identify actions required to close gaps

Estimated Time: 4-8 hours

1. Using the Information Security Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
2. Follow the instructions on the next slides to identify gap closure actions for each control that requires improvement.
3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

Input

• Security control gap information

Output

• Gap closure action list

Materials

• Information Security Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management

Download the Information Security Gap Analysis Tool

2.3.1 Identify gap closure actions

Estimated Time: 4-8 hours

1. For each of the controls where there is a gap between the current and target state, a gap closure action should be identified:
   • Review the example actions and copy one or more of them if appropriate. Otherwise, enter your own gap closure action.
2. Identify whether the action should be managed as a task or as an initiative. Most actions should be categorized as an initiative. However, it may be more appropriate to categorize them as a task when:
   1. They have no costs associated with them
   2. They require a low amount of initial effort to implement and no ongoing effort to maintain
   3. They can be accomplished independently of other tasks

Considerations for gap closure actions

• In small groups, have participants ask, “what would we have to do to achieve the target state?” Document these in the Gap Closure Actions column.
• The example gap closure actions may be appropriate for your organization, but do not simply copy them without considering whether they are right for you.
• Not all gaps will require their own action. You can enter one action that may address multiple gaps.
• If you find that many of your actions are along the lines of “investigate and make recommendations,” you should consider using the estimated gap closure percentage column to track the fact that these gaps will not be fully closed by the actions.

2.3.2 Define gap closure action effectiveness

Estimated Time: 1-2 hours

For each of the gap closure actions, optionally enter an estimated gap closure percentage to indicate how effective the action will be in fully closing the gap.

• For instance, an action to “investigate solutions and make recommendations” will not fully close the gap.
• This is an optional step but will be helpful to understand how much progress towards your security target state you will make based on your roadmap.
• If you do not fill in this column, the tool will assume that your actions will fully close all gaps.

Completing this step will populate the “Security Roadmap Progression” diagram in the Results tab, which will provide a graphic illustration of how close to your target state you will get based upon the roadmap.

Phase 3

Prioritize Initiatives and Build Roadmap

Phase 1

• 1.1 Define goals & scope
• 1.2 Assess risks
• 1.3 Determine pressures
• 1.4 Determine risk tolerance
• 1.5 Establish target state

Phase 2

• 2.1 Review Info-Tech’s security framework
• 2.2 Assess your current state
• 2.3 Identify gap closure actions

Phase 3

• 3.1 Define tasks & initiatives
• 3.2 Perform cost/benefit analysis
• 3.3 Prioritize initiatives
• 3.4 Build roadmap

Phase 4

• 4.1 Build communication deck
• 4.2 Develop a security charter
• 4.3 Execute on your roadmap

This phase will walk you through the following activities:

• 3.1 Define tasks and initiatives.
• 3.2 Define cost, effort, alignment, and security benefit of each initiative.
• 3.3 Prioritize initiatives.
• 3.4 Build the prioritized security roadmap

3.1 Define tasks and initiatives

Estimated Time: 2-4 hours

1. As a group, review the gap actions identified in the Gap Analysis tab.
2. Using the instructions on the following slides, finalize your task list.
3. Using the instructions on the following slides, review and consolidate your initiative list.

Input

• Gap analysis

Output

• List of tasks and initiatives

Materials

• Information Security Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Information Security Gap Analysis Tool

3.1.1 Finalize your task list

Estimated Time: 1-2 hours

1. Obtain a list of all your task actions by filtering on the Action Type column in the Gap Analysis tab.
2. Paste the list into the table on the Task List tab.
   • Use Paste Values to retain the table formatting
3. Enter a task owner and due date for each task. Without accountability, it is too easy to fall into complacency and neglect these tasks.

Info-Tech Insight

Tasks are not meant to be managed to the same degree that initiatives will be. However, they are still important. It is recommended that you develop a process for tracking these tasks to completion.

3.1.2 Consolidate your gap closure actions into initiatives

Estimated Time: 2-3 hours

1. Once you have finalized your task list, you will need to consolidate your list of initiative actions. Obtain a list of all your initiative actions by filtering on the Action Type column in the Gap Analysis tab.
2. Create initiatives on the Initiative List tab. While creating initiatives, consider the following:
   • As much as possible, it is recommended that you consolidate multiple actions into a single initiative. Reducing the total number of initiatives will allow for more efficient management of the overall roadmap.
   • Start by identifying areas of commonality between gap closure actions, for instance:
     • Group all actions within a security domain into a single initiative.
     • Group together similar actions, such as all actions that require updating policies.
     • Consider combining actions that have inter-dependencies.
   • While it is recommended that you consolidate actions as much as possible, some actions should become initiatives on their own. This will be appropriate when:
     • The action is time sensitive and consolidating it with other actions will cause scheduling issues.
     • Actions that could otherwise be consolidated have different business sponsors or owners and need to be kept separate for funding or accountability reasons.
3. Link the initiative actions on the Gap Analysis tab using the drop-down list in the Initiative Name column.

Initiative consolidation example

In the example below, we see three gap closure actions within the Security Culture and Awareness domain being consolidated into a single initiative “Develop security awareness program.”

We can also see one gap closure action within the same domain being grouped with two actions from the Security Policies domain into another initiative “Update security policies.”

Info-Tech Insight

As you go through this exercise, you may find that some actions that you previously categorized as tasks could be consolidated into an initiative.

3.1.3 Finalize your initiative list

Estimated Time: 30 minutes

1. Review your final list of initiatives and make any required updates.
2. Optionally, add a description or paste in a list of the individual gap closure actions that are associated with the initiative. This will make it easier to perform the cost and benefit analysis.
3. Use the drop-down list to indicate which of the security alignment goals most appropriately reflects the objectives of the initiative. If you are unsure, use the legend next to the table to find the primary security domain associated with the initiative and then select the recommended security alignment goal.
   • This step is important to understand how the initiative supports the business goals identified earlier.

3.2 Conduct cost/ benefit analysis

Estimated Time: 1-2 hours

1. As a group, define the criteria to be used to conduct the cost/benefit analysis, following the instructions on the next slide.
2. Assign costing and benefits information for each initiative.
3. Define dependencies or business impacts if they will help with prioritization.

Input

• Gap analysis
• Initiative list

Output

• Completed cost/benefit analysis for initiative list

Materials

• Information Security Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Information Security Gap Analysis Tool

3.2.1 Define costing criteria

Estimated Time: 30 minutes

1. On the Setup tab of the Information Security Gap Analysis Tool, enter high, medium, and low ranges for initial and ongoing costs and efforts.
   1. Initial costs are one-time, upfront capital investments (e.g. hardware and software costs, project-based consulting fees, training).
   2. Ongoing cost is any annually recurring operating expenses that are new budgetary costs (e.g. licensing, maintenance, subscription fees).
   3. Initial staffing in hours is total time in person hours required to complete a project. It is not total elapsed time but dedicated time. Consider time required to gather requirements and to design, test, and implement the solution.
   4. Ongoing staffing in FTEs is the ongoing average effort required to support that initiative after implementation.
2. In addition to ranges, provide an average for each. These will be used to calculate estimated total costs for the roadmap.

Make sure that your ranges allow for differentiation between initiatives to enable prioritization. For instance, if you set your ranges too low, all your initiatives will be assessed as high cost, providing no help when you must prioritize them.

3.2.2 Define benefits criteria

Estimated Time: 30 minutes

1. On the Setup tab of the Information Security Gap Analysis Tool, enter high, medium, and low values for the Alignment with Business Benefit.
   • This variable is meant to capture how well each initiative aligns with organizational goals and objectives.
   • By default, this benefit is linked directly to business goals through the primary and secondary security alignment goals. This allows the tool to automatically calculate the benefit based on the security alignment goals associated with each initiative.
   • If you change these values, you may need to override the calculated values in the prioritization tab.
2. Enter a high, medium, and low value for the Security Benefit.
   • This variable is meant to capture the relative security benefit or risk reduction being provided by the gap initiative.
   • By default, this benefit is linked to security risk reduction.

Some organizations prefer to use the “Security Benefit” criteria to demonstrate how well each initiative supports specific compliance goals.

3.2.3 Complete the cost/benefit analysis

Estimated Time: 1-2 hours

1. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.
   • If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.
2. Enter the estimated benefits, also using the criteria defined earlier.
   • The Alignment with Business benefit will be automatically populated, but you can override this value using the drop-down list if desired.

3.2.4 Optionally enter detailed cost estimates

Estimated Time: 30 minutes

1. For each initiative, the tool will automatically populate the Detailed Cost Estimates and Detailed Staffing Estimates columns using the averages that you provided in steps 3.2.1 and 3.2.2. However, if you have more detailed data about the costs and effort requirements for an initiative, you can override the calculated data by manually entering it into these columns. For example:
   • You are planning to subscribe to a security awareness vendor, and you have a quote from them specifying that the initial cost will be $75,000.
   • You have defined your “Medium” cost range as being “$10-100K”, so you select medium as your initial cost for this initiative in step 3.2.3. As you defined the average for medium costs as being $50,000, this is what the tool will put into the detailed cost estimate.
   • You can override this average by entering $75,000 as the initial cost in the detailed cost estimate column.

Case Study

Credit Service Company

Industry: Financial Services

Source: Info-Tech Research Group

3.3 Prioritize initiatives

Estimated Time: 2-3 hours

1. As a group, review the results of the cost/benefit analysis. Optionally, complete the Other Considerations columns in the Prioritization tab:
   • Dependencies can refer to other initiatives on the list or any other dependency that relates to activities or projects within the organization.
   • Business impacts can be helpful to document as they may require additional planning and communication that could impact initiative timelines.
2. Follow step 3.3.1 to create an effort map with the results of the cost/benefit analysis.
3. Follow step 3.3.2 to assign initiatives into execution waves.

Input

• Gap analysis
• Initiative list
• Cost/benefit analysis

Output

• Prioritized list of initiatives

Materials

• Information Security Gap Analysis Tool
• Whiteboard

Participants

• Security Team
• IT Leadership
• Project Management Office

Download the Information Security Gap Analysis Tool

3.3.1 Create effort map

Estimated Time: 30 minutes

1. On a whiteboard, draw the quadrant diagram shown.
2. Create sticky notes for each initiative on your initiative list.
3. For each initiative, use the “Cost/Effort Rating” and the “Benefit Rating” calculated on the Prioritization tab to place the corresponding sticky note onto the diagram.

An effort map is a tool used for the visualization of a cost/benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized. In this example, the initiative “Update Security Policies” was assessed as low cost/effort (3) and high benefit (10).

3.3.2 Assign initiatives to execution waves

Estimated Time: 60 minutes

1. Using sticky flip chart sheets, create four sheets and label them according to the four execution waves:
   • MUST DO – These are initiatives that need to get moving right away. They may be quick wins, items with critical importance, or foundational projects upon which many other initiatives depend.
   • SHOULD DO – These are important initiatives that need to get done but cannot launch immediately due to budget constraints, dependencies, or business impacts that require preparation.
   • COULD DO – Initiatives that have merit but are not a priority.
   • WON’T DO – Initiatives where the costs outweigh the benefits.
2. Using the further instructions on the following slides, move the initiative sticky notes from your effort map into the waves.

Considerations for prioritization

• Starting from the top right of the effort map, begin pulling stickies off and putting them in the appropriate roadmap category.
• Keep dependencies in mind. If an important initiative depends on a low-priority one being completed first, then pull dependent initiatives up the list.
• It may be helpful to think of each wave as representing a specific time frame (e.g. wave 1 = first year of your roadmap, wave 2 = year two, wave 3 = year three).

Info-Tech Insight

Use an iterative approach. Most organizations tend to put too many initiatives into wave 1. Be realistic about what you can accomplish and take several passes at the exercise to achieve a balance.

3.3.3 Finalize prioritization

Estimated Time: 30 minutes

1. Once you have completed placing your initiative sticky notes into the waves, update the Prioritization tab with the Roadmap Wave column.
2. Optionally, use the Roadmap Sub-Wave column to prioritize initiatives within a single wave.
   • This will allow you more granular control over the final prioritization, especially where dependencies require extra granularity.

Any initiatives that are currently in progress should be assigned to Wave 0.

3.4 Build roadmap

Estimated Time: 1-3 hours

1. As a group, follow step 3.4.1 to create your roadmap by scheduling initiatives into the Gantt chart within the Information Security Gap Analysis Tool.
2. Review the roadmap for resourcing conflicts and adjust as required.
3. Review the final cost and effort estimates for the roadmap.

Input

• Gap analysis
• Cost/benefit analysis
• Prioritized initiative list
• (Optional) List of other non-security IT and business projects

Output

• Security strategic roadmap

Materials

• Information Security Gap Analysis Tool

Participants

• Security Team
• IT Leadership
• Project Management Office

Download the Information Security Gap Analysis Tool

3.4.1 Schedule initiatives using the Gantt chart

Estimated Time: 1-2 Hours

1. On the Gantt Chart tab for each initiative, enter an owner (the individual who will be primarily responsible for execution).
2. Additionally, enter a start month and year for the initiative and the expected duration in months.
   • You can filter the Wave column to only see specific waves at any one time to assist with the scheduling.
   • You do not need to schedule Wave 4 initiatives as the expectation is that these initiatives will not be done.

Info-Tech Insight

Use the Owner column to help identify resourcing constraints. If a single individual is responsible for many different initiatives that are planned to start at the same time, consider staggering those initiatives.

3.4.2 Review your roadmap

Estimated Time: 30-60 minutes

1. When you have completed the Gantt chart, as a group review the overall roadmap to ensure that it is reasonable for your organization. Consider the following:
   • Do you have other IT or business projects planned during this time frame that may impact your resourcing or scheduling?
   • Does your organization have regular change freezes throughout the year that will impact the schedule?
   • Do you have over-subscribed resources? You can filter the list on the Owner column to identify potential over-subscription of resources.
   • Have you considered any long vacations, sabbaticals, parental leaves, or other planned longer-term absences?
   • Are your initiatives adequately aligned to your budget cycle? For instance, if you have an initiative that is expected to make recommendations for capital expenditure, it must be completed prior to budget planning.

3.4.3 Review your expected roadmap progression

Estimated Time: 30 minutes

1. If you complete the optional exercise of filling in the Estimated Gap Closure Percentage column on the Gap Analysis tab, the tool will generate a diagram showing how close to your target state you can expect to get based on the tasks and initiatives in your roadmap. You can review this diagram on the Results tab.
   • Remember that this Expected Maturity at End of Roadmap score assumes that you will complete all tasks and initiatives (including all Wave 4 initiatives).
2. Copy the diagram into the Information Security Strategy Communication Deck.

Info-Tech Insight

Often, internal stakeholders will ask the question “If we do everything on this roadmap, will we be at our target state?” This diagram will help answer that question.

3.4.4 Review your cost/effort estimates table

Estimated Time: 30 minutes

1. Once you have completed your roadmap, review the total cost/effort estimates. This can be found in a table on the Results tab. This table will provide initial and ongoing costs and staffing requirements for each wave. This also includes the total three-year investment. In your review consider:
   • Is this investment realistic? Will completion of your roadmap require adding more staff or funding than you otherwise expected?
   • If the investment seems unrealistic, you may need to revisit some of your assumptions, potentially reducing target levels or increasing the amount of time to complete the strategy.
   • This table provides you with the information to have important conversations with management and stakeholders
2. When you have completed your review, copy the table into the Information Security Strategy Communication Deck.

Phase 4

Execute and Maintain

Phase 1

• 1.1 Define goals & scope
• 1.2 Assess risks
• 1.3 Determine pressures
• 1.4 Determine risk tolerance
• 1.5 Establish target state

Phase 2

• 2.1 Review Info-Tech’s security framework
• 2.2 Assess your current state
• 2.3 Identify gap closure actions

Phase 3

• 3.1 Define tasks & initiatives
• 3.2 Perform cost/benefit analysis
• 3.3 Prioritize initiatives
• 3.4 Build roadmap

Phase 4

• 4.1 Build communication deck
• 4.2 Develop a security charter
• 4.3 Execute on your roadmap

This phase will walk you through the following activities:

• 4.1 Build your security strategy communication deck.
• 4.2 Develop a security charter.
• 4.3 Execute on your roadmap.

4.1 Build your communication deck

Estimated Time: 1-3 hours

1. As a group, review the Information Security Strategy Communication Deck.
2. Follow the instructions within the template and on the next few slides to customize the template with the results of your strategic roadmap planning.

Input

• Completed Security Requirements Gathering Tool
• Completed Security Pressure Analysis Tool
• Completed Security Gap Analysis Tool

Output

• Information Security Strategy Communication Deck

Materials

• Information Security Strategy Communication Deck

Participants

• Security Team
• IT Leadership

Download the Information Security Gap Analysis Tool

4.1.1 Customize the Communication Deck

Estimated Time: 1-2 hours

1. When reviewing the Information Security Strategy Communication Deck, you will find slides that contain instructions within green text boxes. Follow the instructions within the boxes, then delete the boxes.
   • Most slides only require that you copy and paste screenshots or tables from your tools into the slides.
   • However, some slides require that you customize or add text explanations that need to reflect your unique organization.
   • It is recommended that you pay attention to the Next Steps slide at the end of the deck. This will likely have a large impact on your audience.
2. Once you have customized the existing slides, you may wish to add additional slides. For instance, you may wish to add more context to the risk assessment or pressure analysis diagrams or provide details on high-priority initiatives.

Consider developing multiple versions of the deck for different audiences. Senior management may only want an executive summary, whereas the CIO may be more interested in the methodology used to develop the strategy.

Communication considerations

Developing an information security strategy is only half the job. For the strategy to be successful, you will need to garner support from key internal stakeholders. These may include the CIO, senior executives, and business leaders. Without their support, your strategy may never get the traction it needs. When building your communication deck and planning to present to these stakeholders, consider the following:

• Gaining support from stakeholders requires understanding their needs. Before presenting to a new audience, carefully consider their priorities and tailor your presentation to address them.
• Use the communication deck to clarify the business context and how your initiatives that will support business goals.
• When presenting to senior stakeholders, anticipate what questions they might ask and be sure to prepare answers in advance. Always be prepared to speak to any data point within the deck.
• If you are going to present your strategy to a group and you anticipate that one or more members of that group may be antagonistic, seek out an opportunity to speak to them before the meeting and address their concerns one on one.

If you have already fully engaged your key stakeholders through the requirements gathering exercises, presenting the strategy will be significantly easier. The stakeholders will have already bought in to the business goals, allowing you to show how the security strategy supports those goals.

Info-Tech Insight

Reinforce the concept that a security strategy is an effort to enable the organization to achieve its core mission and goals and to protect the business only to the degree that the business demands. It is important that stakeholders understand this point.

4.2 Develop a security charter

Estimated Time: 1-3 hours

1. As a group, review the Information Security Charter.
2. Customize the template as required to reflect your information security program. It may include elements such as:
   • A mission and vision statement for information security in your organization
   • The objectives and scope of the security program
   • A description of the security principles upon which your program is built
   • High-level roles and responsibilities for information security within the organization

Input

• Completed Security Requirements Gathering Tool
• Completed Security Pressure Analysis Tool
• Completed Security Gap Analysis Tool

Output

• Information security charter

Materials

• Information Security Charter

Participants

• Security Team

Download the Information Security Gap Analysis Tool

4.2.1 Customize the Information Security Charter

Estimated Time: 1-3 hours

1. Involve the stakeholders that were present during Phase 1 activities to allow you to build a charter that is truly reflective of your organization.
2. The purpose of the security charter is too:
   • Establish a mandate for information security within the organization.
   • Communicate executive commitment to risk and information security management.
   • Outline high-level responsibilities for information security within the organization.
   • Establish awareness of information security within the organization.

A security charter is a formalized and defined way to document the scope and purpose of your security program. It will define security governance and allow it to operate efficiently through your mission and vision.

4.3 Execute on your roadmap

1. Executing on your information security roadmap will require coordinated effort by multiple teams within your organization. To ensure success, consider the following recommendations:
   1. If you have a project management office, leverage them to help apply formal project management methodologies to your initiatives.
   2. Develop a process to track the tasks on your strategy task list. Because these will not be managed as formal initiatives, it will be easy to lose track of them.
   3. Develop a schedule for regular reporting of progress on the roadmap to senior management. This will help hold yourself and others accountable for moving the project forward.
2. Plan to review and update the strategy and roadmap on a regular basis. You may need to add, change, or remove initiatives as priorities shift.

Input

• Completed Security Gap Analysis Tool

Output

• Execution of your strategy and roadmap

Materials

• Information Security Gap Analysis Tool
• Project management tools as required

Participants

• Security Team
• Project Management Office
• IT and Corporate Teams, as required

Info-Tech Insight

Info-Tech has many resources that can help you quickly and effectively implement most of your initiatives. Talk to your account manager to learn more about how we can help your strategy succeed.

Summary of Accomplishment

Knowledge Gained

• Knowledge of organizational pressures and the drivers behind them
• Insight into stakeholder goals and obligations
• A defined security risk tolerance information and baseline
• Comprehensive knowledge of security current state and summary initiatives required to achieve security objectives

Deliverables Completed

• Information Security Pressure Analysis Tool
• Information Security Requirements Gathering Tool
• Information Security Program Gap Analysis Tool
• Information Security Strategy Communication Deck

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Information Security Program Gap Analysis Tool

Use our best-of-breed security framework to perform a gap analysis between your current and target states.

Information Security Requirements Gathering Tool

Define the business, customer, and compliance alignment for your security program.

Related Info-Tech Research

Develop a Security Operations Strategy

A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.

This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

Implement a Security Governance and Management Program

Your security governance and management program needs to be aligned with business goals to be effective.

This approach also helps to provide a starting point to develop a realistic governance and management program.

This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.

Align Your Security Controls to Industry Frameworks for Compliance

Don’t reinvent the wheel by reassessing your security program using a new framework.

Instead, use the tools in this blueprint to align your current assessment outcomes to required standards.

Bibliography

“2015 Cost of Data Breach Study: United States.” Sponsored by IBM. Ponemon Institute, May 2015. Web.

“2016 Cost of Cyber Crime Study & the Risk of Business Innovation.” Ponemon Institute, Oct. 2016. Web. 25 Oct. 2016.

“2016 Cost of Data Breach Study: Global Analysis.” Ponemon Institute, June 2016. Web. 26 Oct. 2016.

“2016 Data Breach Investigations Report.” Verizon, 2016. Web. 25 Oct. 2016.

“2016 NowSecure Mobile Security Report.” NowSecure, 2016. Web. 5 Nov. 2016.

“2017 Cost of Cyber Crime Study.” Ponemon Institute, Oct. 2017. Web.

“2018 Cost of Data Breach Study: Global Overview.” Ponemon Institute, July 2018. Web.

“2018 Data Breach Investigations Report.” Verizon, 2018. Web. Oct. 2019.

“2018 Global State of Information Security Survey.” CSO, 2017. Web.

“2018 Thales Data Threat Report.” Thales eSecurity, 2018. Web.

“2019 Data Breach Investigations Report.” Verizon, 2020. Web. Feb. 2020.

“2019 Global Cost of a Data Breach Study.” Ponemon Institute, Feb. 2020. Web.

“2019 The Cost of Cyber Crime Study.” Accenture, 2019. Web Jan 2020.

“2020 Thales Data Threat Report Global Edition.” Thales eSecurity, 2020. Web. Mar. 2020.

Ben Salem, Malek. “The Cyber Security Leap: From Laggard to Leader.” Accenture, 2015. Web. 20 Oct. 2016.

“Cisco 2017 Annual Cybersecurity Report.” Cisco, Jan. 2017. Web. 3 Jan. 2017.

“Cyber Attack – How Much Will You Lose?” Hewlett Packard Enterprise, Oct. 2016. Web. 3 Jan. 2017.

“Cyber Crime – A Risk You Can Manage.” Hewlett Packard Enterprise, 2016. Web. 3 Jan. 2017.

“Global IT Security Risks Survey.” Kaspersky Lab, 2015. Web. 20 October 2016.

“How Much Is the Data on Your Mobile Device Worth?” Ponemon Institute, Jan. 2016. Web. 25 Oct. 2016.

“Insider Threat 2018 Report.” CA Technologies, 2018. Web.

“Kaspersky Lab Announces the First 2016 Consumer Cybersecurity Index.” Press Release. Kaspersky Lab, 8 Sept. 2016. Web. 3 Jan. 2017.

“Kaspersky Lab Survey Reveals: Cyberattacks Now Cost Large Businesses an Average of $861,000.” Press Release. Kaspersky Lab, 13 Sept. 2016. Web. 20 Oct. 2016.

“Kaspersky Security Bulletin 2016.” Kaspersky Lab, 2016. Web. 25 Oct. 2016.

“Managing Cyber Risks in an Interconnected World: Key Findings From the Global State of Information Security Survey 2015.” PwC, 30 Sept. 2014. Web.

“Measuring Financial Impact of IT Security on Business.” Kaspersky Lab, 2016. Web. 25 Oct. 2016.

“Ponemon Institute Releases New Study on How Organizations Can Leapfrog to a Stronger Cyber Security Posture.” Ponemon Institute, 10 Apr. 2015. Web. 20 Oct. 2016.

“Predictions for 2017: ‘Indicators of Compromise’ Are Dead.” Kaspersky Lab, 2016. Web. 4 Jan. 2017.

“Take a Security Leap Forward.” Accenture, 2015. Web. 20 Oct. 2016.

“Trends 2016: (In)security Everywhere.” ESET Research Laboratories, 2016. Web. 25 Oct. 2016.

Research Contributors

• Peter Clay, Zeneth Tech Partners, Principal
• Ken Towne, Zeneth Tech Partners, Security Architect
• Luciano Siqueria, Road Track, IT Security Manager
• David Rahbany, The Hain Celestial Group, Director IT Infrastructure
• Rick Vadgama, Cimpress, Head of Information Privacy and Security
• Doug Salah, Wabtec Corp, Manager of Information Security and IT Audit
• Peter Odegard, Children’s Hospitals and Clinics, Information Security Officer
• Trevor Butler, City of Lethbridge, Information Technology General Manager
• Shane Callahan, Tractor Supply, Director of Information Security
• Jeff Zalusky, Chrysalis, President/CEO
• Candy Alexander, Independent Consultant, Cybersecurity and Information Security Executive
• Dan Humbert, YMCA of Central Florida, Director of Information Technology
• Ron Kirkland, Crawford & Co, Manager ICT Security & Customer Service
• Jason Bevis – FireEye, Senior Director Orchestration Product Management - Office of the CTO
• Joan Middleton, Village of Mount Prospect, IT Director
• Jim Burns, Great America Financial Services, Vice President Information Technology
• Ryan Breed, Hudson’s Bay, Information Security Analyst
• James Fielder, Farm Credit Services – Central Illinois, Vice President of Information Systems