The Bedel Security Blog

Information Security Strategy: 5 Tips for Success

Written by Chris Bedel | May 29, 2020



As we continue our return to normal business operations in the banking industry, we're urging our clients, as well as all financial institutions, to get back to being proactive about their information security and cybersecurity programs.

It's really easy, in a reactionary world, to let your cybersecurity program sit on the sidelines gathering dust.

Of course, you’ve been taking care of any urgent matters that have come up, like an incident or indicators of compromise. But, as we've talked about in the past, a good information security program is proactive, not reactive.

One of the ways to get things moving again in a more proactive way is to think about your information security strategy. This is something that should be getting looked at once a year anyway, and it seems like a good time to pull that out and update it based on the changes that we've seen over the last 90 days.

So here are five tips to help you make that process a little easier and a little more effective.

#1 Begin with the end in mind

It's really hard to steer the ship if you don't know where you're going. If you don't set a desired state for your information security program, you'll never get there. So, when laying out your information security strategy, it's best to start with what you want your overall program to look like in the next two to three years.

Some things to think about would be:

  • your policies
  • your governance structure
  • your risk management framework
  • incident response capabilities, etc.

Or, to get a high-level picture, you could use our CySPOT Health Index™ to gauge where you are versus where you could be.

#2 Align with your IT strategy

Think about the technologies that you'll be rolling out in the next 12 to 18 months. As COVID-19 changed your overall IT strategy, are there some technologies that you need to be thinking about that weren't on your radar in February?

This might be an exercise you need to go through from an IT perspective before you start on the information security strategy.

If you need some ideas for that, you can take a look at 12 technologies for the post-pandemic landscape.

Once you’ve established your IT strategy, you can begin to ask the important question: “Is your information security program capable of keeping up with IT?”

Make sure the two align with one another.

#3 Get good at the basics

It's kind of like Maslow’s Hierarchy of Needs: you can’t focus on higher needs until the basics are covered (like food, air, shelter). Make sure your cybersecurity program covers the blocking and tackling before you start looking for trick plays.

That can definitely be a challenge in a world where vendors are screaming at you that their latest tool is the end-all-be-all to “keep you safe”. As tempting as it is, we often find that filling the gaps in the essentials of cybersecurity has a bigger and more lasting impact.

My colleague, Brian Petzold, wrote a blog post on this about 18 months ago. He points out that remediation efforts may be your best strategy for the time being. Some areas to look at to get ideas include:

  • outstanding action items from your risk assessment
  • outstanding findings from audits or exams
  • remaining statements from the CAT tool to get to the proper maturity level

If you’re missing essential pieces, they need to be the first stop on your roadmap.

#4 Communicate the strategy to your team

One of my favorite authors, Patrick Lencioni, says that two of the four key responsibilities of a leader are to set the strategy and to over-communicate the strategy. That concept works in information security too.

Too often, we see situations where an IT strategy, an organizational strategy, or an Information Security Strategy gets put on the shelf and never sees the light of day again for the next 12 months, until it's time to be updated.

What good is a strategy if your team doesn't even know what it is? How are they supposed to help you execute it if they can't explain the objectives to someone else?

Make sure your team understands what the priorities are, so everyone can move in the same direction.


#5 Determine if you have the right resources to make it happen

And I'm not talking about tools here: tools, applications, and equipment are easy to come by.

I’m talking about the people. The people are who execute the strategy.

Do you have the right people to make the strategy a reality? If the answer is no, you need to think about adding full-time staff, or about leveraging outsourced relationships.

Some options include:

More on those key roles can be found here.


Conclusion

For the last 90 days, we've all had our heads down. We were all just trying to get through a very tough time. But as the dust begins to settle, even just a little, we all need to lift our heads up and start to look forward again.

If you need help with an information security strategy, or have questions about any of the ideas or resources shared in this blog post, please contact us at support@bedelsecurity.com.


Additional Resources:

Reactive or Proactive: What Makes the Best CISO
https://www.bedelsecurity.com/blog/reactive-or-proactive-what-makes-the-best-ciso

CySPOT™ Health Index
https://www.bedelsecurity.com/lp-cyspot-health-index

The 3 Key Roles in Cybersecurity
https://www.bedelsecurity.com/blog/the-3-key-roles-in-cybersecurity

Making Strategic Planning Easy
https://www.bedelsecurity.com/blog/making-strategic-planning-easy

The Top 5 Benefits of a vCISO
https://www.bedelsecurity.com/blog/top-5-benefits-of-a-virtual-ciso