The information security strategy serves as a roadmap that keeps day-to-day security operations, fire-fighting and reacting to the ‘crisis of the day’ from taking the focus off the long-term improvement of the information security program. Strategy projects are designed to deliver measurable, impactful changes to the security program, as opposed to the incremental changes that come from upgrading a process in response to an audit finding or to resolve an immediate issue. A strategy answers the questions ‘what have you done for me lately?’ and ‘what are you going to do for me next?’ In the absence of a well thought-out, presentable strategy, other executives will fill in the gaps themselves as to the role of security, and are likely to revert to the viewpoint that security is not forward-thinking and only serves to slow down their projects.
Randy Sanovic provides some insights on IT security strategy in his chapter ‘The Importance of an IT Security Strategy’ in the new book on security leadership published by ISC2, “CISO Leadership: Essential Principles for Success”, where he indicates that the days of just-in-time security are past. Some of the keys to developing a successful strategy are as follows: