Developing Information Security Strategy: Planning for stakeholder requirements
Introduction
In Part 1 of our Information Security (InfoSec) Strategy series, we discussed the benefits of having an InfoSec strategy and the drawbacks of not having a good one. We then outlined a Design Thinking approach to developing the strategy. As a recap, below are the six steps involved in developing an effective InfoSec strategy.
In the IDENTIFY phase, organizations need to identify all the requirements they must consider to build a strategy that will be actionable. Based on this, organizations can engage the correct stakeholders and gather information with a template like the Strategyzer Canvas.
In this article, we will continue discussing how to use a customer profile canvas to learn more about your stakeholders and their requirements for an InfoSec strategy.
Develop hypothetical stakeholder profiles
As a well-seasoned security professional, you are likely familiar with frameworks like ISO 27001, NIST-CSF and others. Additionally, we discussed the reasons why implementing an InfoSec strategy is necessary in the previous article. Your organization’s specific security considerations and the frameworks you align yourself with will both serve as a foundation for the planning of your InfoSec strategy. It’s likely that the bulk of your InfoSec focus will be on security controls, programs or new solutions. However, you should refrain from thinking exclusively in terms of software solutions or programs and instead develop some hypothetical scenarios that might affect your stakeholders. These scenarios can be based on the access controls you might enforce when implementing your strategy.
If you have enough subject matter expertise, you should develop multiple hypotheses about your stakeholders using the Value Proposition Canvas that we introduced in the previous article. These hypotheses will give you insight into the kind of questions you should ask during the workshops. They will also help you test your understanding of your business’ requirements; this is key, as the strategy you develop impacts your whole organization.
If you aren’t sufficiently familiar with the operations of your organization’s non-IT departments, skip the hypothesis stage.
Gaining foundational knowledge
To understand Strategyzer’s canvas in depth, we recommend a couple of educational resources. The first is Value Proposition Design: How to Create Products and Services Customers Want, a book that will provide you with the basics of creating compelling products and services. The second is Strategyzer’s YouTube channel, which is filled with specific recommendations and best practices. The videos below are a great place to start:
Strategyzer's Value Proposition Canvas Explained
Strategyzer Webinar: Value Proposition Canvas Best Practices
Don’t feel like you need to become a value proposition expert before you start developing your InfoSec strategy. Rather, continue building on your knowledge over time.
Filling out your Value Proposition Canvas
In the following section, we’ll explore what the Canvas is in greater detail and provide a hypothetical example of how an organizational stakeholder might fill one out.
The Value Proposition Canvas is divided into three sections:
1. Customer jobs
2. Customer pains
3. Customer gains
Customer jobs are anything your stakeholders are trying to get done in their work. Be sure not to make assumptions about what these jobs are; ask your stakeholders. Your goal is not to capture each process that your stakeholders perform (a.k.a. a Business Impact Analysis, or BIA), but instead to capture the high-level jobs your stakeholders perform to deliver value to the business.
For example, when you interview the director/CFO of your company, you might get the following list of jobs:
The above stakeholder profile shows the relevant jobs that the finance department performs involving information that is sensitive to the organization. During your stakeholder workshops, everyone writing their list should place heavy emphasis on activities that are focused on information sharing or access control.
For the pains section of the canvas, the objective is to capture the challenges stakeholders face in completing their jobs. Pains are anything that annoys the stakeholder before, during or after a job. This section can also include any pains that are not directly related to the jobs listed in the canvas. At the end of the session, the pains portion of your stakeholder profile canvas might include:
This section will help you understand the pain points your stakeholders face due to security controls.
Gains are the outcomes and benefits your stakeholders want. They can be something required, expected or desired. When you are done with the interview, the gains section might include:
From the above example, you can see that this finance department sends and receives financial information internally and externally. The controls required to protect that information have forced IT to roll out SFTP, which stakeholders found too complex. Typically, a finance department expects security controls to be transparent and friendly enough that IT can roll out solutions that empower its stakeholders to exchange information without having to worry about information leaking. In this example, the filled-out chart gives the security professional clear expectations from the finance department, which will aid them in designing the InfoSec strategy.
Preparing to facilitate the workshop
One of the most effective ways to get your stakeholders familiarized with the canvas is to conduct a workshop. Behind every great workshop is a great facilitator. So prepare to be a good one by brushing up on your interview and group engagement skills. We recommend familiarizing yourself with an interrogative technique called the five whys.
Once you’re ready, send an invite to all the stakeholders for the workshop. Before the workshop, you should identify a volunteer that can help you conduct a live demonstration. Have a one-on-one meeting with them to explain the canvas.
Facilitating the workshop
Here are some additional best practices to keep in mind when conducting the workshop:
A single canvas must contain only one stakeholder profile.
Pay close attention to ensure pains and gains do not end up being the flip side of the same sentence. Pains are the current challenges your stakeholders face when securing information. Gains are the stakeholder expectations when the strategy is implemented.
Print the canvas out on a large piece of paper (A3 or flip-chart size) and use small sticky notes to mark each of the jobs, pains and gains.
Make pains and gains tangible and specific, not vague.
It’s your job to keep stakeholder answers on track, but do your best to keep an open mind and don’t rush to conclusions.
Consider interviewing two stakeholders per business function or department (e.g. one director and one analyst or administrator).
If there is more than one attendee present for a department or a business function, you can either use one canvas per attendee or a single canvas for the department.
Some things to avoid during the workshop:
Identifying too few jobs
Identifying jobs that have no relevance to your security strategy (e.g. collecting information about the processes involved in accounts receivable)
Offering solutions to stakeholder pains
Conclusion
In this article, we continued exploring the IDENTIFY phase of our design thinking approach to InfoSec strategy. You learned about profile canvas templates and how to integrate them into a workshop setting. Developing hypothetical stakeholder profiles before the workshop can help you figure out the direction the interviews should take. In Part 3 of our series, we discuss the next step of the identify phase: stakeholder interviews.