This article concludes our InfoSec strategy series. In the DISCUSS, AGREE, and FINALIZE phases of your security strategy development, the focus is to gain widespread acceptance so that you can confidently begin implementation. This is achieved by presenting the strategy to specific segments of your organization and then tweaking as necessary. Once the strategy is approved, it’s time to develop the implementation roadmap for the year’s strategy or specific programs. And just like that, your entire organization will have peace of mind that its information is safe.

Continuing from where we left off in the previous article, we discuss the DEFINE phase's remaining four goals.

Referencing your corporate goals is an important part step towards developing an effective InfoSec strategy. Once the alignment is satisfactory, you need to document the strategy for discussion. This strategy is not final since it should be discussed with your stakeholders before implementation. You should avoid providing concrete timelines for your strategy and instead adopt maturity levels. Furthermore, consulting with potential vendors will help you determine a realistic budget. When the strategy is approved, the programs will have a definite timeline and fine-tune the budget.

In the previous article, we discussed the ANALYZE phase. The purpose of the ANALYZE phase is to determine the context for your security strategy, identify the problem statements from each stakeholder, and list your organization’s problem patterns.

This article will discuss the DEFINE phase of our seven-step design thinking process for developing an InfoSec strategy. The goal is to define your Infosec solutions for the requirements you have identified in the previous phase.

In this article, we will outline the next step: the ANALYZE phase.

The goals of the ANALYZE phase are to:

• Consolidate information from the IDENTIFY phase

• Begin defining the InfoSec program objectives

• Describe the problem statements,

• Identify problem patterns

• Gain sufficient insight to define the strategy

This helps us analyze the information we have gathered to gain enough insight to define our InfoSec strategy.

Continuing where we left in the previous article, in this article, we discuss the last four activities involved in the IDENTIFY phase, that is organizational boundaries, security frameworks, how to assess the current state of the previous security programs, and finally, how to assess the maturity of the security systems that are already in place.

In this article, we continued discussing the workshop stage and outlined how to conduct interviews. We also discussed the importance of the trigger questions and gave you some sample outcomes for the customer jobs, pains and gains. In the next article, we will conclude the Identify phase by discussing the other aspects that are important to move to the next phase.

In this article, you will learn about profile canvas templates and how to integrate them into a workshop setting. Developing hypothetical stakeholder profiles before the workshop can help you figure out the direction the interviews should take. Customer profile canvas lets you learn more about the expectations of the business from the Cybersecurity strategy.

This is the first of a new multipart educational series: Developing Information Security Strategy.

Organizations sometimes build walled gardens to secure information — a heavily armed ecosystem that does not interact freely with the outside world to support ideas that can push the company forward.

We have used Design Thinking process to radically rethink the way we design and implement InfoSec Strategy in the organizations.

This is not yet another framework such as COBIT to implement your InfoSec strategy. Instead, this is a method to design your InfoSec strategy that benefits your organization and receive support from your peers.

In this series, we will explore a range of topics that are necessary to create an optimal strategy, including:

• How to incorporate security operations into your strategy

• Information classification

• How to integrate SIEM, SOAR and SDAR

• When to outsource some or all of of your InfoSec strategy