10 things to consider in creating Information Security Strategies
01 July 2009
1. Gather the team, making sure it includes the key stakeholders. Understand why you want an IS strategy and why it is important.
2. Get the senior executive in your management to back you. Can anything really happen without them?
3. Create your strategy.
a) Strategic and business alignment: Businesses must identify information security drivers such as applicable regulations, fraud and customer privacy, and then identify business assets, including their respective threats and vulnerabilities. Additionally, companies should review their existing information security initiatives, technologies and trust relationships.
b) Organization and Culture: A successful strategy must incorporate the executive tone; organizational and partner awareness; training needs, skills and competencies; and administrative and functional reporting structures.
c) Management and governance: Management must focus on how the organization develops policies and standards, manages projects and programs, makes decisions and funds information security programs. Consider your position. What regulatory requirements come to bear on your IS strategy? Are you expected to comply with PCI DSS, SOX, etc.?
d) Technology: Organizations must establish a precise definition of information security that includes technology needs and standards, and how information security technology is managed.
4. What is your goal: to detect or to prevent attack? Given that information security is a constantly moving target, it is virtually impossible to stay continually up to date and guarantee 100% security without a large dedicated team. If this is what you require, it may be necessary to bring in outside help.
5. When looking at the cost, always bear in mind: what would the cost of a security breach be because we didn’t do this?
6. Think strategically but don’t delay. As soon as what you have is better than before, make sure it is adopted. This does not mean being reactive or dealing tactically, but taking independent steps along your strategic path. The penalties for prevarication can be severe.
7. Follow Plan – Do – Check – Act. You have spent time and effort developing your strategy. Implement it. Make sure it does what you want and, if necessary, change it to get it right.
8. It can’t happen overnight. Be prepared to invest a little time to get it right. The alternative may be much worse.
9. Don’t be caught in the “It can’t happen to me” syndrome.
10. Employ professionals. IT security can be complex and difficult to describe to business-focused board members. Employ people who can do this.