Who Needs Strategy Development in IT and Information Security?

As with just about anything, an IT infrastructure also requires a well-thought strategy. The purpose of such strategy is to give the management the information to make informed decisions on security investments. The strategy bridges the security function and the business direction.

The Information Security strategy of an organization is the direction or the approach taken to meet one or more objectives related to the secure behavior of that organization. The strategy is realized through initiatives, where each represents an operational plan that achieves one or more security objectives, with the goal to collectively achieve all of them.


Just as hackers and criminals never sleep, the Information Security Officer in your organization must regard Information Security not as a product, but as a process. Constantly evolving, adapting, putting up defenses to new and emerging security breach threats. A plan – written, implemented, and then locked away in a drawer – will only do good for a while. Until things change. Again.

Staying flexible, responsive, pro-active, requires a strategy that is deeply rooted in corporate culture and reflects an educated approach to risk assessment, leverage compliance against practicality, and above all – is a perfect fit for you, and your business only.


This is a management issue: IT staff can’t and must not decide what’s important, who needs to protect it, what’s acceptable behavior from employees, and what the penalties are for non-compliance. Things to remember:

  • It’s not going to go away: putting up a firewall doesn’t make threats go away – you need a plan that is maintained and evolves.
  • IT budget will not pay for this: find the right angle to “sell” and get funding support.
  • Be ready to show results from what gets spent. Show progress. Show numbers. Tell real stories.


An Information Security strategy provides an organization with a road map for information and information infrastructure protection with goals and objectives that ensure capabilities provided are aligned to business goals and the organization’s risk profile.

Information Security requires its own independent strategy to ensure its ability to appropriately support business goals and to mature and evolve effectively. A multi-phased approach to developing a strategy is often most effective and provides recognizable results and value to an organization.



  • Understand the organization’s current business conditions;
  • Consider the organization’s risk profile and appetite;


  • Include a prescriptive annual plan followed by a rolling three-year plan;
  • Clearly identify the point of arrival for capabilities based on management guidance and input;
  • Ensure the availability and capability of necessary staff for the strategy execution;
  • Gain an understanding of the organization’s culture to ensure an appropriate plan for adoption;


  • Define the governance model and functional inventory of capabilities and services;
  • Consider whether the strategy will include operational components or will act as a consultative element within the organization;
  • Determine the reporting structure;
  • Consider the staff and competency requirements necessary to successfully implement and operate the strategy;
  • Consider the risks of sourcing and ensure appropriate oversight by internal staff;


  • Ensure alignment with industry standards and guidelines;
  • Use a reliable assessment methodology, such as the Capability Maturity Model (CMM) for example;
  • Use Key Performance Indicators (KPI) to measure the effectiveness of the functions and capabilities developed through the strategy;


  • Take global considerations into account;
  • Determine how compliant the organization wants or needs to be;
  • Determine consequences of not conforming to policies and requirements;
  • Utilize an oversight board as part of the operational model for the strategy;
  • Ensure that appropriate communication is occurring between the Information Security group and the supporting business functions;
  • Ensure cultural awareness regarding how information protection activities are viewed within the organization.

tips for choosing the right strategy development team 

Without a defined and developed strategy, an organization’s security capabilities will continue to be viewed negatively and will have limited benefits or negligible positive impact.

Developing a strategy is a critical element in the maturation of Information Security capabilities.

If the goal of the security group is to be business-aligned, then its strategy must be developed with this goal in mind.

When an effective strategy is developed and implemented, security will become a key benefit to the organization, and its value will be easily understood through the reduction of security incidents as well as the effort and costs associated with information protection.

The true measure of success for a well-developed and implemented strategy can be found in the impressions and actions of the constituency that it serves. When they utilize security capabilities during key decision-making activities and consult with the security group on a regular basis, success can be achieved. If they continue to fear and avoid Information Security and its capabilities until it is absolutely necessary to engage, the strategy needs to be changed.