Developing Information Security Strategy: Concluding IDENTIFY phase

Introduction

Welcome back to our series about developing an Information Security (InfoSec) Strategy for your organization. We recommend reading the first three parts if you haven’t already.

In Parts 2 and 3 of this series, we elaborated on the IDENTIFY phase of InfoSec Strategy. By conducting workshops and interviews with an information gathering template like Strategyzer’s Customer Profile Canvas, your organization can begin discovering the needs of its various internal stakeholders. In other words, engaging your stakeholders ensures that your strategy will secure the information it needs, without creating unintended pain points or otherwise aggravating your fellow staff. In this article, we will conclude our discussion of the IDENTIFY phase by introducing four more questions you must ask yourself:

  1. What are your organizational boundaries?

  2. What existing frameworks can you reference to guide your strategy?

  3. What is the current state of your information security?

  4. What security systems do you have, and how mature are they?

Figure 01: The security strategy design process and the IDENTIFY phase

What are your organizational boundaries?

Bizfluent defines organizational boundaries as a term that’s used to “distinguish one company from a separate but related company.” Knowing what your organization’s boundaries are is extremely important when you develop an InfoSec strategy. You need to know which units, departments and subsidiaries are within your scope and which aren’t. Your board of directors should be able to let you know about any relevant boundaries and constraints.

If you are a small business with no joint ventures or subsidiaries that operate from a different geographic area, determining the organizational boundaries will be very simple. In such cases, confirm your understanding with the business owners (or other relevant senior staff).

If you outsource some of your services and systems, you will need to determine which ones should be included as a part of your strategy. Usually, it is hard to force your organizational compliance requirements on outsourced service providers, unless they have already agreed to do so in your contract with them. In all cases, you must ensure that outsourced service providers have good security practices.

Once your boundaries are defined, document your findings, discuss with the directors, and get their approval before proceeding to the next step.

What existing frameworks can you reference to guide your strategy?

Organizations that have previously implemented a Cybersecurity or InfoSec strategy will likely already be following a defined framework. Gaining a solid understanding of what frameworks and systems are already in place will help you optimize the new strategy you seek to implement. To collect information on this subject, ask your stakeholders the following questions:

  • Is the current standard based on any international standards? (If not, collect the rationale for implementing a non-standard framework.)

  • What policies have already been approved and which are “in the pipeline?”

  • What is the status of policy and standards implementation?

  • How effective is the implementation of the current standards and policies?

  • How compliant is your organization, using the current framework?

  • What security procedures have been integrated into your IT or business processes (such as HR onboarding, critical-vendor clearance in supply chain management, or IT patch management)?

Documenting the answers to the above will provide you with critical insights when designing the optimal InfoSec strategy. 

What is the current state of your information security?

Most organizations that are aware of security best practices have implemented some security measures. Other organizations may be in the process of restarting their security programs after laying off key staff, but will have existing security practices integrated into their IT and broader business operations. 

Conducting a security assessment will help you identify the maturity of your organization’s current security practices. Most organizations use the ISO 27001 standard to conduct assessments, and so that is what we recommend. Your InfoSec strategy will require coordination among the IT stakeholders and sometimes business stakeholders (if your information security covers the non-IT business functions).

Any part of your organization that falls under the scope of your InfoSec strategy should be informed in advance about the upcoming assessment. Usually, except for the non-IT departments, a self-assessment questionnaire should be more than enough to gather the information you need. And not having to conduct additional interviews will save you time. Choose a method that works best for your organization and complete the assessment.

What security systems do you have, and how mature are they?

Most organizations will have some security systems in place even if they have never had a formal security program. Knowing about direct and indirect security systems and their maturity is another critical insight you can use to develop a better security program.

Direct security systems refer to anything you have purchased and implemented for the sole purpose of securing the information. Indirect security systems are ones that your organization purchased primarily to manage its technology. Even so, a portion of indirect systems will typically provide you with helpful information to assess a software application’s security risk.

For example, let’s say your organization uses Microsoft SCCM to propagate security policies around its Microsoft technologies and to patch its information systems. Patching is scheduled, discussed by your change advisory board (CAB), and then applied by distributing the patches centrally from the SCCM. Once a system has been patched, your organization should then conduct a post-patch review to verify it has been effective. Many organizations struggle with this step: if their systems aren’t administered from one central console, they have to manually export and validate reports from several sources.

Hence, knowing the direct and indirect security systems and their maturity levels will help you refine your in-progress security strategy and overhaul processes as necessary.
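The post-patch review described above can be made repeatable by reconciling the deployment console’s status export against an independent source, such as an inventory scan. The following is an added example, not code from the article or from Microsoft; it assumes two constructed CSV exports with the column names shown, and the KB identifier is a placeholder.

```python
import csv
import io

# Constructed sample exports (not real data). The first is what the
# deployment console claims; the second is what an independent scan observed.
CONSOLE_EXPORT = """hostname,kb,status
srv-01,KB-EXAMPLE-1,Installed
srv-02,KB-EXAMPLE-1,Installed
srv-03,KB-EXAMPLE-1,Failed
ws-10,KB-EXAMPLE-1,Installed
"""

SCAN_EXPORT = """hostname,kb,present
srv-01,KB-EXAMPLE-1,yes
srv-02,KB-EXAMPLE-1,no
srv-03,KB-EXAMPLE-1,no
ws-11,KB-EXAMPLE-1,yes
"""


def parse_export(text, value_field):
    """Map (hostname, kb) -> normalized value of the given column."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["hostname"], r["kb"]): r[value_field].strip().lower() for r in rows}


def post_patch_review(console_text, scan_text):
    """Reconcile console status with scan evidence; each bucket is a sorted list."""
    reported = parse_export(console_text, "status")
    observed = parse_export(scan_text, "present")
    result = {"verified": [], "disputed": [], "failed": [], "unverified": [], "unmanaged": []}
    for key, status in reported.items():
        seen = observed.get(key)
        if seen is None:
            result["unverified"].append(key)   # console knows it, scan never checked it
        elif status != "installed":
            result["failed"].append(key)       # console itself reports a failed install
        elif seen == "yes":
            result["verified"].append(key)     # both sources agree the patch is present
        else:
            result["disputed"].append(key)     # console says installed, scan says absent
    for key in observed:
        if key not in reported:
            result["unmanaged"].append(key)    # scanned host unknown to the console
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    for bucket, hosts in post_patch_review(CONSOLE_EXPORT, SCAN_EXPORT).items():
        print(bucket, hosts)
```

The "disputed" and "unmanaged" buckets are the ones a review should chase first, since they are invisible when only the console report is read.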

Conclusion

In this article, we discussed the last four activities involved in the IDENTIFY phase. We discussed organizational boundaries, security frameworks, how to assess the current state of the previous security programs, and finally, how to assess the maturity of the security systems that are already in place.

In our next article, we will introduce the ANALYZE phase of the design thinking process. We will also discuss how to analyze the information you have collected in the IDENTIFY phase.
