- The rate of technological change is accelerating. Organizations continue to invest in technology to run the business, layering more systems to support remote work, enhance customer experience, and generate value.
- Meanwhile, security threats are growing. Disruptive cyberattacks are more prevalent, sophisticated, and impactful than ever, targeting organizations of all industries and sizes.
- Security leaders need to adopt a proactive approach to secure the organization now and prioritize funding to high-risk areas.
Our Advice
Critical Insight
- Technological change is increasing both the protect surface and the variety of tools available to secure it.
- Security frameworks are helpful, but they don’t describe how to gather business requirements, identify organizational risks, set an appropriate target state for the program, or select the controls needed to conduct an accurate gap analysis of the security program.
- The better security leaders can balance a budget that funds cyber resiliency and drives revenue, the more likely they are to progress in their career.
Impact and Result
Build a business-aligned, risk-aware, holistic security strategy:
- Gather business requirements to prioritize improvements.
- Assess risks, stakeholder expectations, and risk appetite to set meaningful targets.
- Do a comprehensive gap analysis to identify improvements.
- Build a flexible roadmap to set the program on the right footing.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
- Overall Impact: 9.7/10
- Average $ Saved: $46,892
- Average Days Saved: 36
| Client | Experience | Impact | $ Saved | Days Saved | Testimonial |
|---|---|---|---|---|---|
| City of Allen, TX | Guided Implementation | 10/10 | N/A | 10 | |
| Kruger Services Inc. | Guided Implementation | 8/10 | $10,000 | 5 | Advice and ready-to-use tool was great. |
| University of Limpopo | Workshop | 10/10 | $60,000 | 60 | The best parts were when the facilitator allowed the team to discover requirements and gaps on their own. He subtly resisted giving the inputs ... |
| Dufferin Peel Catholic District School Board | Guided Implementation | 10/10 | N/A | 12 | |
| The President and Fellows of Harvard College, a Massachusetts nonprofit corporation, acting by and through Harvard Business School | Workshop | 10/10 | $68,500 | 85 | Outstanding workshop and engagement. We learned a great deal, and flexibility was key. Facilitation was outstanding. |
| Wiss, Janney, Elstner Associates, Inc. | Guided Implementation | 10/10 | $68,500 | 120 | I recently participated in an online workshop led by Petar, and it was an outstanding experience. Petar brings an incredible wealth of knowledge an... |
| California Department of Health Care Services | Guided Implementation | 10/10 | N/A | 50 | Viktor was very helpful, knowledgeable and easy to work with, thanks! |
| Abbott Laboratories | Guided Implementation | 10/10 | $30,140 | 5 | Mike was extremely helpful and supportive throughout the process; we were able to complete the activity and received much needed assistance. |
| State of New Mexico - New Mexico Department of Public Safety | Guided Implementation | 10/10 | $41,100 | 120 | It is difficult to quantify both the time saved and the value impact of my engagement with Jon. The blueprint itself is helpful but having Jon and ... |
| Kinark Child And Family Services | Guided Implementation | 8/10 | N/A | 18 | The experience working with Petar was great. He was very thorough in helping us achieve our goals. We will work with him again if and when given th... |
| National Cooperative Bank NA | Workshop | 8/10 | $13,700 | 10 | Overall, the experience was positive. This workshop marked the third occurrence in the past decade. With the implementation of an independent thre... |
| Oak Valley Health | Guided Implementation | 10/10 | $25,000 | 9 | |
| State of New Mexico Early Childhood & Care Department | Guided Implementation | 10/10 | N/A | 120 | |
| Donor Network West | Guided Implementation | 10/10 | $13,700 | 5 | Very good advice on what to focus on and how to approach regulators. Worst part was realizing all the work that I still had to do. |
| A. Farber Associates | Workshop | 10/10 | $100K | 120 | The best parts of my experience were the exceptional expertise of Dave Kernohan, the comprehensive and well-structured workshop content, the benefi... |
| CNY Centro, Inc. | Guided Implementation | 10/10 | N/A | N/A | Jon was awesome to work with and had a wealth of knowledge. He was patient with us when we were having problems understanding certain topics, and took... |
| El Dorado Irrigation District | Guided Implementation | 10/10 | $2,740 | 5 | |
| GSW Manufacturing | Guided Implementation | 9/10 | $9,590 | 5 | The level of detail in the review of our system was impressive. It does help to focus our efforts on research from InfoTech that will make the mos... |
| Town Of Whitby | Workshop | 10/10 | $55,000 | 23 | Great facilitation and knowledge from Sumit. Lots of knowledge and it will be good to have time to reflect and review. Thank you for the 4 days it ... |
| iFIT | Workshop | 10/10 | $68,500 | 60 | The best part of this experience was having Dave Kernohan lead our workshop. He was able to quickly build rapport virtually with the security team... |
| Firstmac Limited | Guided Implementation | 10/10 | $22,750 | 20 | The ranking above is for the overall experience. The end result is a solid gap analysis and plan for cyber security moving forward. Having independ... |
| City of Williamsburg, VA | Guided Implementation | 10/10 | $34,250 | 110 | Petar led me through the entire process flawlessly. He kept me on-track and took the time to explain everything while offering his thoughts and ex... |
| Cidel Bank & Trust | Guided Implementation | 9/10 | N/A | 20 | Facilitator was very knowledgeable of the subject area and was able to provide valuable insight. Also, the Excel tools made the process easy to get... |
| Carver County, MN | Guided Implementation | 10/10 | $13,700 | 10 | Our analyst was great to work with and very knowledgeable. |
| Capital Regional District | Guided Implementation | 10/10 | $50,000 | 50 | Jon and Manoj were the best part. They were so good at listening to my specific needs and concerns and explaining how to approach resolving them. ... |
| Westoba Credit Union Limited | Guided Implementation | 10/10 | $10,000 | 14 | Matches well with our current initiatives and helps build the business case for doing certain work and requesting additional resources. |
| County of Chesterfield, Virginia | Guided Implementation | 10/10 | $32,195 | 20 | Efficient use of time with targeted focus on right tools and approach based on our current state. |
| CICSA CO OP Credit Union | Guided Implementation | 10/10 | $68,500 | 50 | For me this is easily a $50k value add. EY, PwC, etc. will charge $25k for a Cybersecurity Strategy and it will only entail a fraction of what Jo... |
| City of Winter Park | Guided Implementation | 10/10 | $13,700 | 5 | |
| SaskEnergy | Workshop | 10/10 | $50,000 | 10 | Sumit is a great facilitator. Best part was producing a much needed output in a prescribed period of time. Would have taken us much much longer i... |
Security Strategy
Tailor best practices to effectively manage information security.
This course makes up part of the Security & Risk Certificate.
- Course Modules: 5
- Estimated Completion Time: 1 hour
- Featured Analysts:
  - Michel Hébert, Principal Research Director
Workshop: Build an Information Security Strategy
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Assess business requirements
The Purpose
- Assess business requirements.
Key Benefits Achieved
- Identify security program alignment criteria.
Activities
- Understand business and IT strategy and plans.
- Define business and compliance requirements.
- Establish the security program scope.
- Analyze the organization’s risks and stakeholder pressures.
- Assess organizational risk appetite.
Outputs
- Goals cascade for the security program
- Security scope and boundaries statement
- Risk assessment and pressure analysis
- Organizational risk appetite
Module 2: Perform a gap analysis
The Purpose
- Perform a gap analysis.
Key Benefits Achieved
- Define the program's target state.
- Assess the organization's current state.
Activities
- Define the information security target state.
- Assess current security capabilities.
- Identify security gaps.
- Build initiatives to bridge the gaps.
Outputs
- Information security target state
- Security current state assessment
- Initiatives to address gaps
Module 3: Complete the gap analysis
The Purpose
- Complete the gap analysis.
Key Benefits Achieved
- Security program improvement tasks and initiatives
Activities
- Continue assessing current security capabilities.
- Identify security gaps.
- Build initiatives to bridge the maturity gaps.
- Identify initiative list and task list.
- Define criteria to be used to prioritize initiatives.
Outputs
- Completed security current state assessment
- Task list to address gaps
- Initiative list to address gaps
- Prioritization criteria
Module 4: Develop roadmap
The Purpose
- Develop the roadmap.
Key Benefits Achieved
- Security program roadmap
- Communication resources
Activities
- Conduct cost-benefit analysis on initiatives.
- Prioritize gap initiatives based on cost, time, and alignment with the business.
- Build effort map.
- Determine start times and accountability.
- Finalize security roadmap and action plan.
- Create communication plan.
Outputs
- Information security roadmap
- Draft communication deck
Build an Information Security Strategy
Align the information security strategy to organizational goals and risks to create value.
EXECUTIVE BRIEF
Analyst Perspective
Align initiatives to the goals of your organization and the risks it faces.
The rapid pace of technological change is a call to action to information security leaders. Too often, security leaders find their programs stuck in reactive mode, as years of mounting security technical debt take their toll on the organization. Shifting from a reactive to proactive approach has never been more urgent, yet it remains a daunting task. As we make security plans, we need to do more than blindly follow best practice frameworks. Only a proactive information security strategy, one that is holistic, risk-aware, and aligned to business needs, can help us navigate the changes ahead.
Kate Wood
Executive Summary
| Your Challenge | Common Obstacles | Info-Tech’s Approach |
|---|---|---|
| | | Build a business-aligned, risk-aware, holistic security strategy: |
Info-Tech Insight
The most successful information security strategies are:
- Holistic. They consider the full spectrum of information security including people, processes, and technologies.
- Risk-Aware. They understand that security decisions should be made based on the security risks facing their organization, not just on best practice.
- Business-Aligned. They demonstrate an understanding of the goals and strategies of the organization, and how the security program can support the business.
Your challenge
The stakes for information security programs have never been greater.
- The rate of technological change is accelerating. Organizations continue to invest in technology to run the business, layering more systems to support remote work, enhance customer experience, and generate value.
- Meanwhile, security threats are growing. Disruptive cyberattacks are more prevalent, sophisticated, and impactful than ever, targeting organizations of all industries and sizes.
- Information security incidents were ranked as the most important business risk worldwide for the second year in a row according to the Allianz Risk Barometer 2023.
- According to Cybersecurity Ventures, the cost of cybercrimes worldwide will grow by 15% year over year for the next five years, reaching US$10.5 trillion annually by 2025, up from US$3 trillion in 2015.
- Security leaders need to adopt a proactive approach to secure the organization now and prioritize funding to high-risk areas.
Your challenge
The average cost of security incidents is reaching an all-time high.
- 83%: organizations that have had more than one breach in 2022.
- US$4.45 million: average cost of a data breach in 2023.
- US$5.13 million: average cost of a ransomware attack, not including the cost of the ransom.
Source: IBM, 2022, 2023.
Your challenge
Common attacks persist, which suggests that most are still not getting security fundamentals right.
- 66%: organizations hit by ransomware in 2021 and 2022. [1]
- 35%: organizations that conducted phishing simulations in 2022. [2]
- 84%: organizations that experienced phishing attacks with direct financial loss in 2022. [2]
Sources: [1] Sophos, 2022, 2023; [2] Ponemon, 2023.
Common obstacles
Reactive security strategies can’t keep up.
Info-Tech’s approach
Build a proactive security strategy.
Use a best-of-breed model based on leading frameworks
Info-Tech’s methodology for building an information security strategy
| | 1. Assess Business Requirements | 2. Conduct a Gap Analysis | 3. Build a Roadmap of Prioritized Initiatives | 4. Execute and Maintain the Strategy |
|---|---|---|---|---|
| Phase Steps | 1.1 Define goals & scope; 1.2 Assess risks; 1.3 Determine pressures; 1.4 Determine risk appetite; 1.5 Establish target state | 2.1 Review security framework; 2.2 Assess your current state; 2.3 Identify gap closure actions | 3.1 Define tasks & initiatives; 3.2 Perform cost-benefit analysis; 3.3 Prioritize initiatives; 3.4 Build roadmap | 4.1 Build communication deck; 4.2 Develop a security charter; 4.3 Execute on your roadmap |
| Phase Outcomes | | | | |
| Tools | Information Security Requirements Gathering Tool; Information Security Pressure Analysis Tool | Information Security Program Gap Analysis Tool | Information Security Program Gap Analysis Tool | Information Security Strategy Communication Deck |
Insight summary
Your security strategy is a business strategy first.
- Assess business requirements
- Seek agreement on the program target state
- Prioritize initiatives and roadmap
- Execute and maintain strategy
Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Information Security Requirements Gathering Tool
Define the business, customer, and compliance alignment for your security program.
Information Security Pressure Analysis Tool
Determine your organization’s security pressures and ability to tolerate risk.
Information Security Program Gap Analysis Tool
Use our best-of-breed security framework to perform a gap analysis between your current and target states.
Information Security Charter
Ensure the development and management of your security policies meet the broader program vision.
Key deliverable:
Information Security Strategy Communication Deck
Present your findings in a prepopulated document that summarizes all key findings of the blueprint.
This blueprint is ideal for program updates
1. Program Update: “I am happy with the fundamentals of my security program. I need to assess and improve our security posture.” Use this blueprint to:
2. Program Renewal: “I am worried the security program is getting stale. I need to understand what makes my organization unique to prioritize core security capabilities.” Complete the first two phases of Design and Implement a Business-Aligned Security Program. We will learn how to use the output from the security program design tool to inform your security strategy in Phase 2 of this project.
This project is part of a broader program to improve your information security posture:
1. Lay Program Foundations
2. Define Security Governance
3. Build Security Strategy
4. Build Security Catalog
5. Define Security Architecture
6. Design Security Services
7. Operate, Measure, and Improve
Info-Tech’s approach will accelerate your progress
Estimates reflect advisory and workshop client experiences.
| Phase | With Blueprint: people | With Blueprint: time | Without Blueprint |
|---|---|---|---|
| Phase 1: Assess Business Requirements | 1 to 5 people | 0.5 to 2 days | 1-2 weeks |
| Phase 2: Conduct a Gap Analysis | 1 to 5 people | 2 to 3 days | 4-8 weeks |
| Phase 3: Build a Roadmap of Prioritized Initiatives | 1 to 2 people | 1 day | 1-2 weeks |
| Phase 4: Execute & Maintain the Strategy | 1 to 5 people | 1-2 days | 1-2 weeks |
Time Saved: 7-14 weeks
Benefits are iterative
Over time, experience incremental value from your initial security strategy. Through continual updates your strategy will evolve, but with less associated effort, time, and costs.
Run Info-Tech diagnostics to measure the success of your strategy
- Audience: Security Manager. Governance & Management Maturity Scorecard: understand the maturity of your security program across eight domains.
- Audience: Business Leaders. Security Business Satisfaction and Alignment Report: assess the organization’s satisfaction with the security program.
- Info-Tech diagnostics are standardized surveys that accelerate the process of gathering and analyzing pain point data.
- Diagnostics also produce historical and industry trends against which to benchmark your organization.
- Reach out to your account manager or follow the links to deploy some or all these diagnostics to validate your assumptions. Diagnostics are included in your membership.
Info-Tech offers various levels of support to best suit your needs
| DIY Toolkit | Guided Implementation | Workshop | Consulting |
|---|---|---|---|
| “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” | “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” | “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” | “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.” |
Diagnostics and consistent frameworks used throughout all four options
Guided Implementation
What does a typical Guided Implementation on this topic look like?
| Assess Business Requirements | Conduct a Gap Analysis | Prioritize Initiatives and Roadmap | Execute and Maintain the Strategy |
|---|---|---|---|
| Call #1: Introduce project and complete business requirements gathering. Call #2: Introduce pressure analysis. | Call #3: Introduce the maturity assessment. Call #4: Perform gap analysis and translate into initiatives. | Call #5: Consolidate related gap initiatives and define cost, effort, alignment, and security benefits. Call #6: Review cost-benefit analysis and build an effort map. Call #7: Build implementation waves and introduce Gantt chart. | Call #8: Review Gantt chart and ensure budget/buy-in support. Call #9: Three-month check-in: Execute and maintain the strategy. |
A Guided Implementation is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical Guided Implementation takes place in 2 to 12 calls scheduled over the course of 4 to 6 months.
Executive Brief Case Study
INDUSTRY: Financial Services
SOURCE: Info-Tech Research Group
Credit Service Company
Founded over 100 years ago, Credit Service Company (CSC)* services over 50,000 US clients in 40 branches across four states.
Situation
Increased regulations, changes in technology, and a growing number of public security incidents had caught the attention of the organization’s leadership. Despite awareness, an IT and security strategy had not been previously created. Management was determined to create a direction for the security team that aligned with their core mission of providing exceptional service and expertise.
Solution
During the workshop, the IT team and Info-Tech analysts worked together to understand the organization’s ideal state in various areas of information security. Having a concise understanding of requirements was a stepping stone to beginning to develop CSC’s prioritized strategy.
Results
Over the course of the week, the team created a document that concisely prioritized upcoming projects and associated costs and benefits. On the final day of the workshop, the team effectively presented the value of the newly developed security strategy to senior management and received buy-in for the upcoming project.
*Some details have been changed for client privacy.
Phase 1
Assess Business Requirements
| Phase 1 | Phase 2 | Phase 3 | Phase 4 |
|---|---|---|---|
| 1.1 Define goals & scope; 1.2 Assess risks; 1.3 Determine pressures; 1.4 Assess risk appetite; 1.5 Establish target state | 2.1 Review security framework; 2.2 Assess your current state; 2.3 Identify gap closure actions | 3.1 Define tasks & initiatives; 3.2 Perform cost-benefit analysis; 3.3 Prioritize initiatives; 3.4 Build roadmap | 4.1 Build communication deck; 4.2 Develop a security charter; 4.3 Execute on your roadmap |
This phase will walk you through the following activities:
- 1.1 Define strategic goals and scope
- 1.2 Assess inherent security risks
- 1.3 Assess stakeholder pressures
- 1.4 Assess risk appetite
- 1.5 Establish program target state