Akrogoniaios Technologies Corp.

View Original

Developing Information Security Strategy: Discussing and concluding

Introduction

Welcome back to our series on developing an information security (InfoSec) strategy. If you haven’t already done so, we recommend reading Parts 1-6 to familiarize yourself with the Design Thinking process that we will follow for the rest of the series. 

In the previous article, we concluded our discussion of the DEFINE phase by explaining how to begin drafting a strategy that is compatible with your overall organizational goals. This article is about the last three stages of the Design Thinking process: DISCUSS, AGREE and FINALIZE.

Figure 01: The DISCUSS, AGREE, and FINALIZE phases of our Design Thinking approach.

DISCUSS

The goals of the DISCUSS phase are to:

  • Developing stakeholder-specific presentations

  • Discuss with the business and IT stakeholders

  • Update the strategy

  • Present and discuss with the executives

Developing stakeholder-specific presentations

Once you have documented the draft of your strategy, it is time to prepare-stakeholder specific presentations. These will help you to initiate discussions and collect feedback from each stakeholder group. You need to have these conversations before you present the strategy to your organization’s executives. Being able to demonstrate how your InfoSec strategy addresses the concerns of your business’ stakeholders will make it easier to get the executive team’s approval.

Your business stakeholders presentation should not be more than four slides and should only cover aspects of the strategy directly relevant to the intended audience. For example, it does not make any sense to include a DDoS attack mitigation project when presenting to finance stakeholders. 

Generally speaking, these are the four slides to include in a business stakeholder presentation:

  • Executive summary

  • Programs specific to the stakeholder

  • Value proposition to the stakeholder

  • A “thank you” slide

To ensure your presentations are clear and informative, always follow these best practices:

  • Avoid technical jargon as much as possible. Use simple language and make it relevant to your audience. 

  • Keep the text to a minimum. People don’t want to read long slides (and you shouldn’t be reading off of them either).

  • Have a conversation with your audience; don’t just recite a script.

  • Include lots of images or colorful shapes in your slides.

At the end of this article, we have included a list of books that you can reference to learn more about developing effective pitch presentations. 

The presentation can be a bit longer for an IT audience, but keep it at six slides, plus any relevant backup slides. One of the questions that IT will ask you frequently is the strategy's timeline and resource requirements. For that, a good response is it will be redetermined each year, based on the capacity of the involved teams. Generally, if you avoid proposing technical solutions in your presentations, you can avoid endless debates with your IT stakeholders.

For IT presentations, you should include the below slides:

  • Executive summary

  • Objectives of the strategy

  • An overall roadmap (including a maturity-based timeline and a high-level budget for each program)

  • Frameworks and relevant information 

  • Value proposition for the organization and IT team

  • A “thank you” slide

At this point, adding program-specific roadmaps is not recommended, even though it may be tempting to do so. Your IT department may want to know the details of various security programs that impact them. In such a case, work with your security architects (if you have any) to develop a slide in your presentation for each program in your strategy. These can be backup slides that you add to your main presentation as necessary.

Prepare the executive presentation after your discussion with all the business and IT stakeholders in your organization. 

You should include the below slides in your presentation to the executive team:

  • Solution statement

  • Executive summary

  • High-level requirements

  • Objectives of the strategy

  • Overall roadmap (including a maturity-based timeline and high-level budget for each program)

  • Value proposition for the organization

  • Requirements of the executives to support the strategy

  • Next steps

  • A “thank you” slide

Request a meeting with the executives a few weeks in advance, as their time is usually limited. You will likely need at least a month to complete your discussions with the other groups and finalize the strategy before presenting it to the executives.

Discuss with the business and IT stakeholders

Provide a teaser slide with an email about your proposal and ask for their time. In the meeting, keep the conversations relevant and empathize with your stakeholders. If the attendees are the same as those who gave you the organizational requirements, they will appreciate that you have understood and addressed their needs.

You can provide some examples of post-implementation scenarios. However, refrain from providing IT solutions or a timeline. Use examples that resonate with your audience at all times and keep things positive. Accept their feedback and incorporate it into your strategy, if appropriate.

Your meeting with the IT stakeholders might take more than a few rounds as they implement most of your organization's security controls. They’re also the ones who will be responsible for maintaining any software solution you might bring into your organization. Acknowledge this, display empathy, and respond accordingly.

Update the strategy

After having multiple rounds of meetings with your stakeholders, go through the feedback and apply it to your strategy. At this point, you do not have to discuss the strategy with the business stakeholders again unless the update to your strategy is significant (e.g., at least one-quarter of the programs relevant to your business stakeholders have changed). Also, make changes to your executive’s presentation, as required. 

You should get written acknowledgment from IT senior management to review the plan before presenting it to your executives. The acknowledgment can be an informal email with conditions (such as the timelines and the resource allocations must be discussed before launching any programs). The IT department does not have to approve your strategy unless you are reporting to an IT executive.

Presenting and discussing with the executives

Spend some time learning the interests and personalities of the executives before the meeting. At the start of the meeting, but the executives at ease by displaying empathy towards their concerns. Having less technical jargon and more business-relevant language and information will engage them and get you more feedback. 

Be prepared to justify budgets. You should also reiterate that the provided budget is an estimate. If you do not have an answer to a question, politely let the enquirer know that you do not have an answer for the moment, and you will get back to them later. Depending on the nature of the feedback, you may be asked to schedule another meeting to discuss the strategy with them later (for example, the enquirer may feel the strategy has not addressed an important aspect of the business). Gather the feedback and update your strategy if required.

AGREE

In this phase, you need to seek approval for your strategy from the executives. The approval should not be just signatures or an email response; an approved budget should accompany it. Communicate the security strategy’s approval to the business and IT stakeholders and thank them for their involvement.

FINALIZE

Once the strategy is approved, it is time to start working on the programs implemented in the first year. Security architects and IT management will be heavily involved in this phase. They will develop an implementation plan for the first year or even a tentative multi-year implementation roadmap.

Ensure all the information gathered while developing your strategy is appropriately classified, secured, and archived. If any stakeholder questions are unresolved, note them to resolve at a later stage.

Closure

This article concludes our InfoSec strategy series. In the DISCUSS, AGREE, and FINALIZE phases of your security strategy development, the focus is to gain widespread acceptance so that you can confidently begin implementation. This is achieved by presenting the strategy to specific segments of your organization and then tweaking as necessary. Once the strategy is approved, it’s time to develop the implementation roadmap for the year’s strategy or specific programs. And just like that, your entire organization will have peace of mind that its information is safe.

Additional materials on preparing and presenting your strategy

Pitch Perfect: How to Say It Right the First Time, Every Time

Never Split the Difference: Negotiating As If Your Life Depended On It

Pitch anything: An innovative method for presenting, persuading, and winning the deal