Tailor your security program according to what makes your organization unique.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This storyboard will help you lay foundations for your security program that will inform future security program decisions and give your leadership team the information they need to support your success. You will evaluate design factors that make your organization unique, prioritize the security capabilities to suit, and assess the maturity of key security program components including security governance, security strategy, security architecture, service design, and service metrics.
Use this Excel workbook to evaluate your security program against ten key design factors. The tool will produce a goals cascade that shows the relationship between business and security goals, a prioritized list of security capabilities that align to business requirements, and a list of program accountabilities.
This second Excel workbook will help you conduct a gap analysis on key security program components and identify improvement initiatives. You can then use the Security Program Design and Implementation Plan to collect results from the design and implementation tools and draft a communication deck.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Determine the initial design of your security program.
An initial prioritized list of security capabilities that aligns with enterprise strategy and goals.
1.1 Review Info-Tech diagnostic results.
1.2 Identify project context.
1.3 Identify enterprise strategy.
1.4 Identify enterprise goals.
1.5 Build a goal cascade.
1.6 Assess the risk profile.
1.7 Identify IT-related issues.
1.8 Evaluate initial program design.
Stakeholder satisfaction with program
Situation, challenges, opportunities
Initial set of prioritized security capabilities
Refine the design of your security program.
A refined, prioritized list of security capabilities that reflects what makes your organization unique.
2.1 Gauge threat landscape.
2.2 Identify compliance requirements.
2.3 Categorize the role of IT.
2.4 Identify the sourcing model.
2.5 Identify the IT implementation model.
2.6 Identify the tech adoption strategy.
2.7 Refine the scope of the program.
Refined set of prioritized security capabilities
Finalize security program design.
Key accountabilities to support the security program
Gap analysis to produce an improvement plan
3.1 Identify program accountabilities.
3.2 Conduct program gap analysis.
3.3 Prioritize initiatives.
Documented program accountabilities
Security program gap analysis
Create and communicate an improvement roadmap for the security program.
Security program design and implementation plan to organize and communicate program improvements.
4.1 Build program roadmap.
4.2 Finalize implementation plan.
4.3 Sponsor check-in.
Roadmap of program improvement initiatives
Communication deck for program design and implementation
EXECUTIVE BRIEF
Security leaders often tout their choice of technical security framework as the first and most important program decision they make. While the right framework can help you take a snapshot of the maturity of your program and produce a quick strategy and roadmap, it won’t help you align, modernize, or transform your program to meet emerging business requirements. Common technical security frameworks focus on operational controls rather than business services and value creation. They are difficult to convey to business stakeholders and provide little program management or implementation guidance. Focus on business value first, and the security services that enable it. Your organization has its own distinct character and profile. Understand what makes your organization unique, then design and refine the design of your security program to ensure it supports the right capabilities. Next, collaborate with stakeholders to ensure the right accountabilities, roles, and responsibilities are in place to support the implementation of the security program.
Michel Hébert
Your Challenge
Common Obstacles
Info-Tech’s Approach
Info-Tech Insight
You are a business leader who supports business goals and mitigates risk. Focus first on business value and the security services that enable it, not security controls.
Cybercriminals deploying ransomware are evolving into a growing and sophisticated criminal ecosystem that will continue to adapt to maximize its profits.
Malicious agents continue to target critical infrastructure to harm industrial processes and the customers they serve. State-sponsored actors are expected to continue to target critical infrastructure to collect information through espionage, pre-position in case of future hostilities, and project state power.
Malicious actors increasingly deceive or exploit cryptocurrencies, machine learning, and artificial intelligence technologies to support their activities.
50% Only half of leaders are framing the impact of security threats as a business risk.
49% Less than half of leaders align security program cost and risk reduction targets with the business.
57% Most leaders still don’t regularly review security program performance with the business.
Organizations with misaligned security programs have 48% more security incidents...
…and the cost of their data breaches is 40% higher than that of organizations with aligned programs.
37% of stakeholders still lack confidence in their security program.
54% of senior leaders still doubt that security understands the goals of the organization.
“There's so much focus on better risk management that every leadership team in every organization wants to be part of the solution.
If you can give them good data about what things they really need to do, they will work to understand it and help you solve the problem.”
1. New CISO
“I need to understand the business, prioritize core security capabilities, and identify program accountabilities quickly.”
2. Program Renewal
“The business is changing, and the threat landscape is shifting. I am concerned the program is getting stale.”
Use this blueprint to understand what makes your organization unique:
If you need a deep dive into governance, move on to a security governance and management initiative.
3. Program Update
“I am happy with the fundamentals of my security program. I need to assess and improve our security posture.”
Move on to our guidance on how to Build an Information Security Strategy instead.
Phase 1: Define Scope of
Phase steps: 1.1 Identify enterprise strategy; 1.2 Identify enterprise goals; 1.3 Assess the risk profile; 1.4 Identify IT-related issues; 1.5 Define initial program design.
Phase 2: Refine Scope of
Phase steps: 2.1 Gauge threats and compliance; 2.2 Assess IT role and sourcing; 2.3 Assess IT implementation model; 2.4 Assess tech adoption strategy; 2.5 Refine program design.
Phase 3: Finalize Security
Phase steps: 3.1 Identify program accountabilities; 3.2 Define program target state; 3.3 Build program roadmap.
Phase outcomes and Tools (table cells not recovered)
You are a business leader first and a security leader second
Technical security frameworks are static and focused on operational controls and standards. They belong in your program’s solar system but not at its center. Design your security program with business value and the security services that enable it in mind, not security controls.
There is no one-size-fits-all security program
Tailor your security program to your organization’s distinct profile to ensure the program generates value.
Lay the right foundations to increase engagement
Map out accountabilities, roles, and responsibilities to ensure the components of your security program work together over time to secure and enable business services.
If you build it, they will come
Your executive team wants to be part of the solution. If you give them reliable data for the things they really need to do, they will work to understand and help you solve the problem.
Security Program Design Tool
Tailor the security program to what makes your organization unique to ensure alignment.
Security Program Implementation Tool
Assess the current state of different security program components and plan next steps.
Security Program Design and Implementation Plan
Communicate capabilities, accountabilities, and implementation initiatives.
Key deliverable
Security Program Design and Implementation Plan
The design and implementation plan captures the key insights your work will generate, including:
Benefits table (cell content not recovered): IT Benefits; Business Benefits.
Measured value table (cell content not recovered): columns Deliverable, Challenge, Measured Value; rows Security Program Design and Program Assessment and Implementation Plan.
Governance & Management Maturity Scorecard
Understand the maturity of your security program across eight domains.
Audience: Security Manager
Security Business Satisfaction and Alignment Report
Assess the organization’s satisfaction with the security program.
Audience: Business Leaders
CIO Business Vision
Assess the organization’s satisfaction with IT services and identify relevant challenges.
Audience: Business Leaders
INDUSTRY: Higher Education
SOURCE: Interview
Building a business-aligned security program
Portland Community College (PCC) is the largest post-secondary institution in Oregon and serves more than 50,000 students each year. The college has a well-established information technology program, which supports its education mission in four main campuses and several smaller centers.
PCC launched a security program modernization effort to deal with the evolving threat landscape in higher education. The CISO studied the enterprise strategy and goals and reviewed the college’s risk profile and compliance requirements. The exercise helped the organization prioritize security capabilities for the renewal effort and informed the careful assessment of technical controls in the current security program.
Results
Laying the right foundations for the security program helped the security function understand how to provide the organization with a clear report of its security posture. The CISO now reports directly to the board of directors and works with stakeholders to align cost, performance, and risk reduction objectives with the needs of the college.
The security program modernization effort prioritized several critical design factors
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Phase 1: Call #1, Call #2
Phase 2: Call #3, Call #4
Phase 3: Call #5, Call #6
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 4 to 6 calls over the course of 6 months.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
Day 1: Initial Security
Activities: 1.1.0 Review Info-Tech diagnostic results; 1.1.1 Identify project context; 1.1.2 Identify enterprise strategy; 1.2.1 Identify enterprise goals; 1.2.2 Build a goals cascade; 1.3 Assess the risk profile; 1.4 Identify IT-related issues; 1.5 Evaluate initial program design.
Day 2: Refine Security
Activities: 2.1.1 Gauge threat landscape; 2.1.2 Identify compliance requirements; 2.2.1 Categorize the role of IT; 2.2.2 Identify the sourcing model; 2.3.1 Identify the IT implementation model; 2.4.1 Identify the tech adoption strategy; 2.5.1 Refine the design of the program.
Day 3: Security Program
Activities: 3.1 Identify program accountabilities; 3.2.1 Conduct program gap analysis; 3.2.2 Prioritize initiatives.
Day 4: Roadmap and Implementation Plan
Activities: 3.3.1 Build program roadmap; 3.3.2 Finalize implementation plan; 3.3.3 Sponsor check-in.
Day 5: Next Steps and
Activities: 4.1 Complete in-progress deliverables from previous four days; 4.2 Set up review time for workshop deliverables and to discuss next steps.
Deliverables (per-day cells not recovered)
Workshop deliverables: Security Program Design Factors; Security Program Gap Analysis or