Developing Information Security Strategy: Introduction

This is the first of a new multipart educational series: Developing Information Security Strategy. By the end of this series, you will be equipped with the foundational knowledge you need to confidently develop an information security (InfoSec) strategy for your organization. As much as possible, we will focus on outlining principles and best practices, but we will also discuss the technical aspects of a plan wherever it provides context or clarity.

In this series, we will explore a range of topics that are necessary to create an optimal strategy.

Note:

Some of the materials used in this article belong to Strategyzer and are published under a Creative Commons license and other, more restrictive, licenses governing sharing and use. Contact Strategyzer if you want to bundle any of the materials with your software services.

Information Security vs Cybersecurity

The terms Information Security and Cybersecurity are often used interchangeably when it comes to securing information. However, there are important differences between the two.

Information Security refers to securing information regardless of how it is used, accessed or stored. Cybersecurity refers to the practice of controlling access to information that is stored, used and transmitted over the internet. Information security can be as simple as protecting the filing cabinet where your legal team stores hard-copy documents. Cybersecurity builds on the controls you already have in place for securing information and protects that information from unauthorized access via cyberspace.

Why does information need to be secured?

At the most basic level, we all protect information from a variety of potential threats. We install software and put access controls in place to protect our computer systems or specific information, so that cyber criminals and other ill-intentioned parties cannot access our data. In the non-digital world, we keep documents like our passports in a secure place to protect ourselves from identity theft.

Similarly, organizations protect confidential information, such as financial statements, and information assets, such as computers or servers. Having these security systems in place also helps organizations instill confidence in their stakeholders. For example, a public organization needs to be able to demonstrate to its investors that confidential information cannot be leaked.

Benefits of an Information Security Strategy

There are many benefits to securing organizational information with a strategy instead of implementing ad-hoc measures in silos. A well-developed strategy can help an organization:

  • reduce the risk of information being leaked to (or accessed by) the wrong hands

  • assure the board of directors and investors that the organization is aware of its exposure to cybersecurity risks and has a plan to keep information secure

  • meet regulatory compliance requirements

  • give customers the peace of mind that their personal, financial and health information is safe

  • maintain customer trust (and therefore a competitive edge) by using auditable security controls and providing customers with assurance that their information is secure

  • reduce the cost of securing information by implementing only those security systems you are certain will benefit your organization

  • reduce insurance costs through demonstrable security practices

Potential Drawbacks of having an Information Security Strategy

While there are many benefits of having an information security strategy, there can also be some unintended downsides when the strategy is poorly managed. Some of these include:

  • A lack of direction for the information security strategy, leading to the implementation of excessive security controls (causing major inconvenience to the organization).

  • The strategy is misaligned with organizational objectives.

  • The organization may not be adequately prepared for new information management processes, leading to wasted time investment and redundant security systems.

  • Implementing too many security systems at once can leave an organization without a clear picture of how each system’s controls are performing. Poorly implemented systems negatively affect organizational productivity.

  • A lack of well-defined resources and processes that help the organization understand and follow security measures.

  • Systems and processes that are not properly integrated into regular organizational operations can lead to a disintegration of security practices, conflicts among teams and wasted working hours.

  • A lack of involvement during InfoSec planning and implementation from business leadership such as marketing, sales or manufacturing operations may lead to broken information systems that stifle an organization’s competitive advantage.

Methodology for building a strategy

Oftentimes we at Akrogoniaios Technologies have seen organizations implement strategies that are technical marvels but that simultaneously stifle their ability to innovate quickly. Organizations sometimes build walled gardens — a heavily armed ecosystem that does not interact freely with the outside world to support ideas that can push the company forward.

We need a radically new way of strategizing information security: one that liberates information from its silos and allows the business to move forward in whichever way it sees fit. However, this is only possible when organizations secure their information independent of its use. An organization with well-managed information systems can withstand intentional and accidental information leaks that would otherwise inflict irreparable harm.

A Design Thinking Approach to Building your InfoSec Strategy

Figure 01: Design Thinking: A non-linear approach to developing your InfoSec strategy

The way we think about information security strategy must change. Throughout this series, we use a Design Thinking process to walk you through designing an optimal strategy for your organization. It is a non-linear, interactive methodology that can be applied to all types of creative problem solving.

This is not yet another framework, such as COBIT, for implementing your InfoSec strategy. Instead, it is a method for designing an InfoSec strategy that benefits your organization and receives support from your peers. An in-depth discussion of design thinking is outside the scope of this series. However, if you would like to learn more about the concept, we recommend the book The Design Thinking Playbook: Mindful Digital Transformation of Teams, Products, Services, Businesses and Ecosystems.

There are many processes available to an organization looking to develop an InfoSec strategy, but we have developed our own custom approach using Design Thinking principles. For the remainder of the series, this is the process we will follow. You’re free to use or adapt our methodology within your own organization, or to find another system that works for you.

The lines in Figure 01 indicate that you can return to any step in this process as required. When developing a strategy, your goal should be to intentionally engage all relevant stakeholders to create systems that will benefit your organization. Until sufficient consensus has been reached, you should not rush implementation. An InfoSec strategy that is accepted by organizational stakeholders beyond your immediate team will help you build a healthy corporate culture that increases the resiliency of your organization.

We will walk through each phase as if you are developing a brand new InfoSec strategy, with occasional remarks about updating an existing strategy. Wherever you currently are in the process of building your InfoSec strategy, we’re excited to arm you with new, actionable strategies.

IDENTIFY

The purpose of the first phase is to identify the factors that will influence your strategy. To do so, ask these questions:

  • Why do you need an InfoSec strategy?

  • Who are your stakeholders and what do they want?

  • What are the organizational boundaries?

  • What existing frameworks can you reference to guide your strategy?

  • What is the current state of your information security?

  • What security systems do you have, and how mature are they?

We’ll further explore the first two questions in this article.

Why do you need an InfoSec strategy?

Organizations that have taken the initiative to hire a senior professional to oversee their security strategy have likely already identified problems (real or potential). Some common problems that organizations face when developing an InfoSec strategy include:

  • Due to organizational silos, there is a lack of holistic security oversight. This can result in the InfoSec team developing a program that doesn’t address all the risks of securing information within the organization.

  • Regulators have mandated compliance with their requirements for securing organizational information assets.

  • Local and federal governments have mandated compliance with security requirements.

  • The board of directors isn’t confident that the InfoSec strategy will sufficiently prevent a threat actor from inflicting serious damage on the business.

  • The organization feels ill-equipped to protect its information.

Knowing the source of the concern is an important first step in developing an InfoSec strategy. On the flip side, the organization has likely also identified the opportunities that having an InfoSec strategy could provide. For example, proving that your organization can responsibly manage customer information could raise its profile during bond-issuing rounds, enabling you to raise more capital.

Once you have identified why you need an InfoSec Strategy, you can move on to the biggest part of this phase — learning what your stakeholders want.

Who are your stakeholders and what do they want?

Engaging the right business and IT stakeholders is an important next step of the Identify phase. You must humanize your stakeholders and develop personas for them, instead of thinking of them as one large group (such as a department). After all, an organization is nothing without its people. It is the people who chart the direction the organization must take.

For example, if your organization sells subscriptions to your online platform, you should:

  1. Engage your Information Technology or Product Development teams.

  2. Compile the concerns of the core business functions such as Marketing, Sales and Customer Support.

In this scenario, increasing the sale of subscriptions is supported by marketing efforts, while retaining subscribers is supported by marketing and customer support efforts. Both teams will seek to stay competitive, often by sourcing and integrating new technologies. Marketing and customer support both benefit from an organization that remains flexible about expanding its technological toolkit.

The marketing department might be interested in using new social media management software that harvests social interactions to understand customer sentiment. However, if your InfoSec strategy forbids using such external information systems, the IT department will find it difficult to accommodate the marketing team’s request. This in turn will result in preventable conflict, or even in the marketing team bypassing security protocols altogether.

With all the above in mind, you do not have to engage every department in your InfoSec discussions. Each organization will have a VP or Director overseeing certain departments. For example, Marketing, Sales and Customer Support might all fall under one VP, in which case engaging just that VP will be sufficient to get a clear picture.

Any exclusion of business functions must be based on their direct impact on the organization’s product development or cash flow. Once you have the list of stakeholders you will interview, you need to develop a brief persona for each of them. When creating your personas, use clear language—avoid technical jargon. Below is an example persona sheet that you can use to summarize the information you collect when interviewing your stakeholders. You’ll use the information on these forms as the basis of each interviewee’s problem statement.

Figure 03: A sample data collection sheet to be used in the interviews.

Note that this sheet is released under a much more restrictive license that prevents you from bundling the template with your solutions (such as software). Contact Strategyzer to obtain permission for your specific use.

Conclusion

So far, we have discussed the benefits and potential drawbacks of implementing an InfoSec strategy within your organization. Most importantly, we began outlining a design thinking methodology that will help you begin building your strategy.

In the first phase of the design thinking process (Identify), your organization identifies what information it needs to secure and, more generally, why developing an InfoSec strategy would be beneficial. You should then build on this foundation by asking your stakeholders what additional concerns and considerations should be accounted for. In Part 2 of this series, we will continue discussing the Identify phase.
