Developing Information Security Strategy: Define your solutions

Introduction

Welcome back to our series on how to develop an information security (InfoSec) strategy. If you haven’t already done so, we recommend reading Parts 1-5 to familiarize yourself with the design thinking process that we will follow for the rest of the series. 

In the previous article, we discussed the ANALYZE phase. The purpose of the ANALYZE phase is to determine the context for your security strategy, identify the problem statements from each stakeholder, and list your organization’s problem patterns.

This article will discuss the DEFINE phase of our seven-step design thinking process for developing an InfoSec strategy.

Figure 01: The DEFINE phase of our Design Thinking approach

The goals of the DEFINE phase are to:

  • Define solutions for your organization’s security requirements

  • Define the value proposition of the InfoSec strategy for your stakeholders

  • Map your solutions to the value propositions

  • Achieve corporate alignment

  • Document the strategy

  • Estimate budgets for the strategy

  • Define timelines

Define solutions to your organization’s security requirements

Referencing your analysis from the previous phase, you can now begin defining solutions to the identified problems. The implementation of your solutions roadmap will be extensive, and many teams (and vendors) will be involved. As such, the solutions at this stage should be high-level and should not detail the technology or the implementation aspects. Additionally, you must specify the objective(s) for each solution. The objectives will be the same as the ones identified during the stakeholder interviews.

One effective way to define a solution is by conducting design thinking workshops with your team. Keep in mind that the purpose of the workshop is to come up with potential solutions. Do not get attached to your possible solutions at this moment because they may change as you move through the DEFINE and DISCUSS phases.

Figure 02: A sample solution table for the identified security problems

Once you have a list of potential solutions, you can use a Value Proposition Canvas to define your value proposition to the stakeholders. You can find more links to resources explaining the value proposition canvas at the end of this article.

Define the value proposition for your stakeholders

Your security strategy aims to deliver value to your stakeholders by enabling them to continue building their competitive advantage and achieving business goals. Hence, the solutions must provide value compelling enough (or at least acceptable enough) for the stakeholders to buy into your program.

Using the Value Proposition Canvas, start documenting your stakeholders’ solutions, pain relievers, and gain creators. For example, a value proposition canvas filled out by a CFO may be similar to the example below.

Figure 03: The value proposition for the CFO

At the end of your canvas workshop(s) (see Parts two and three for detailed workshop guidelines), you should have multiple documents that list your solutions and how they eliminate your stakeholders’ pain areas and provide new opportunities to stakeholders and the IT department.

Map your solutions to the value propositions

Once you have defined value propositions for each stakeholder that you have interviewed or defined (e.g. regulators), it is time to compare them with the stakeholder requirements (as identified in your Customer Canvases). This stage will help you eliminate requirements that have not been identified by more than one stakeholder.

Figure 04: The solution value proposition(s), based on stakeholder requirements mapping. The ones highlighted with lighter colors and a red border are low priority.

The value proposition canvas lists the security solutions that are useful to the specific stakeholder. Analyze both sides of the canvas and eliminate requirements that do not appear on both sides. Repeat this comparison map for each of your stakeholders. 

After you have completed this exercise, you will have a solution that better suits your organization’s cybersecurity needs. Refine the possible solutions by conducting additional workshops with your team and IT SMEs, as required. Once you have completed this stage, it is time to test your solution offering with internal stakeholders, outsourced vendors, and/or managed service providers. 

Closure

During the DEFINE phase, you need to be familiar with the Design Thinking process, the customer profile canvas, and the value proposition canvas. Using your organization’s rationale for implementing a security strategy as a guide, begin identifying potential solutions to problem statements that you have identified from your stakeholders. Then, define the value proposition that the solution offers to each of your stakeholders and discuss it with them. 

In the next article, we will expand on the DEFINE phase.

Additional learning materials about the value proposition canvas

How do I use the Value Propositions building block of the Business Model Canvas?

Value Proposition Design: How to Create Products and Services Customers Want

The Value Proposition Canvas

Value proposition canvas: Best practices (Video)
