Developing Information Security Strategy: Discussing and concluding
Introduction
Welcome back to our series on developing an information security (InfoSec) strategy. If you haven’t already done so, we recommend reading Parts 1-6 to familiarize yourself with the Design Thinking process that we will follow for the rest of the series.
In the previous article, we concluded our discussion of the DEFINE phase by explaining how to begin drafting a strategy that is compatible with your overall organizational goals. This article is about the last three stages of the Design Thinking process: DISCUSS, AGREE and FINALIZE.
DISCUSS
The goals of the DISCUSS phase are to:
Develop stakeholder-specific presentations
Discuss with the business and IT stakeholders
Update the strategy
Present and discuss with the executives
Developing stakeholder-specific presentations
Once you have documented the draft of your strategy, it is time to prepare stakeholder-specific presentations. These will help you to initiate discussions and collect feedback from each stakeholder group. You need to have these conversations before you present the strategy to your organization’s executives. Being able to demonstrate how your InfoSec strategy addresses the concerns of your business’ stakeholders will make it easier to get the executive team’s approval.
Your business stakeholder presentation should not be more than four slides and should only cover aspects of the strategy directly relevant to the intended audience. For example, it does not make any sense to include a DDoS attack mitigation project when presenting to finance stakeholders.
Generally speaking, these are the four slides to include in a business stakeholder presentation:
Executive summary
Programs specific to the stakeholder
Value proposition to the stakeholder
A “thank you” slide
To ensure your presentations are clear and informative, always follow these best practices:
Avoid technical jargon as much as possible. Use simple language and make it relevant to your audience.
Keep the text to a minimum. People don’t want to read long slides (and you shouldn’t be reading off of them either).
Have a conversation with your audience; don’t just recite a script.
Include lots of images or colorful shapes in your slides.
At the end of this article, we have included a list of books that you can reference to learn more about developing effective pitch presentations.
The presentation can be a bit longer for an IT audience, but keep it to six slides, plus any relevant backup slides. One question IT will frequently ask is about the strategy's timeline and resource requirements. A good response is that these will be determined each year, based on the capacity of the involved teams. Generally, if you avoid proposing technical solutions in your presentations, you can avoid endless debates with your IT stakeholders.
For IT presentations, you should include the below slides:
Executive summary
Objectives of the strategy
An overall roadmap (including a maturity-based timeline and a high-level budget for each program)
Frameworks and relevant information
Value proposition for the organization and IT team
A “thank you” slide
At this point, adding program-specific roadmaps is not recommended, even though it may be tempting to do so. Your IT department may want to know the details of various security programs that impact them. In such a case, work with your security architects (if you have any) to develop a slide in your presentation for each program in your strategy. These can be backup slides that you add to your main presentation as necessary.
Prepare the executive presentation after your discussion with all the business and IT stakeholders in your organization.
You should include the below slides in your presentation to the executive team:
Solution statement
Executive summary
High-level requirements
Objectives of the strategy
Overall roadmap (including a maturity-based timeline and high-level budget for each program)
Value proposition for the organization
Requirements of the executives to support the strategy
Next steps
A “thank you” slide
Request a meeting with the executives a few weeks in advance, as their time is usually limited. You will likely need at least a month to complete your discussions with the other groups and finalize the strategy before presenting it to the executives.
Discuss with the business and IT stakeholders
Provide a teaser slide with an email about your proposal and ask for their time. In the meeting, keep the conversations relevant and empathize with your stakeholders. If the attendees are the same as those who gave you the organizational requirements, they will appreciate that you have understood and addressed their needs.
You can provide some examples of post-implementation scenarios. However, refrain from providing IT solutions or a timeline. Use examples that resonate with your audience at all times and keep things positive. Accept their feedback and incorporate it into your strategy, if appropriate.
Your meeting with the IT stakeholders might take more than a few rounds as they implement most of your organization's security controls. They’re also the ones who will be responsible for maintaining any software solution you might bring into your organization. Acknowledge this, display empathy, and respond accordingly.
Update the strategy
After having multiple rounds of meetings with your stakeholders, go through the feedback and apply it to your strategy. At this point, you do not have to discuss the strategy with the business stakeholders again unless the update to your strategy is significant (e.g., at least one-quarter of the programs relevant to your business stakeholders have changed). Also, make changes to your executive presentation, as required.
You should get written acknowledgment from IT senior management that they have reviewed the plan before presenting it to your executives. The acknowledgment can be an informal email with conditions (for example, that timelines and resource allocations must be discussed before launching any programs). The IT department does not have to approve your strategy unless you are reporting to an IT executive.
Present and discuss with the executives
Spend some time learning the interests and personalities of the executives before the meeting. At the start of the meeting, put the executives at ease by displaying empathy towards their concerns. Using less technical jargon and more business-relevant language and information will engage them and get you more feedback.
Be prepared to justify budgets. You should also reiterate that the provided budget is an estimate. If you do not have an answer to a question, politely let the enquirer know that you do not have an answer for the moment, and you will get back to them later. Depending on the nature of the feedback, you may be asked to schedule another meeting to discuss the strategy with them later (for example, the enquirer may feel the strategy has not addressed an important aspect of the business). Gather the feedback and update your strategy if required.
AGREE
In this phase, you need to seek approval for your strategy from the executives. The approval should not be just signatures or an email response; an approved budget should accompany it. Communicate the security strategy’s approval to the business and IT stakeholders and thank them for their involvement.
FINALIZE
Once the strategy is approved, it is time to start working on the programs to be implemented in the first year. Security architects and IT management will be heavily involved in this phase. They will develop an implementation plan for the first year or even a tentative multi-year implementation roadmap.
Ensure all the information gathered while developing your strategy is appropriately classified, secured, and archived. If any stakeholder questions are unresolved, note them to resolve at a later stage.
Closure
This article concludes our InfoSec strategy series. In the DISCUSS, AGREE, and FINALIZE phases of your security strategy development, the focus is to gain widespread acceptance so that you can confidently begin implementation. This is achieved by presenting the strategy to specific segments of your organization and then tweaking as necessary. Once the strategy is approved, it’s time to develop the implementation roadmap for the year’s strategy or specific programs. And just like that, your entire organization will have peace of mind that its information is safe.
Additional materials on preparing and presenting your strategy
Pitch Perfect: How to Say It Right the First Time, Every Time
Never Split the Difference: Negotiating As If Your Life Depended On It
Pitch Anything: An Innovative Method for Presenting, Persuading, and Winning the Deal