Security without strategy is like a ship without a rudder and compass: difficult to steer and easily blown off course.  There is always a lot to do in security—too much, according to the security staff we speak with during our enterprise technology benchmarking—and this exacerbates the problem.  When there is too much to do, it is easy to continually jump from emergency to emergency and find yourself constantly busy, but essentially treading water.  

So, every security organization needs strategy to guide its activities.  And, it is important to understand that strategy is not policy; security strategy links corporate strategy overall to specific security policies; policies implement strategy.

Here, then, are a few concrete steps to take to build a security strategy:

  • Don’t be too generic.  Certainly, there are generic security problems and threats, ranging from spam and viruses to social engineering.  However, every industry also has its own concerns, such as which kinds of information, activity, and infrastructure need to be protected; and every organization has its own variations on those.  For example, a manufacturer would have to take into account the separation of, or securing of the connection between, conventional data networks and the networks connecting production-line gear and the servers that control that gear.
  • Focus on how to say yes.  The goal of security (in the larger scheme of things) is to mitigate the risks of operation, to the organization and to its customers.  It is not an end in itself, and the only completely secure organization would be the one that had no confidential information of any sort to protect, about its operations, its employees, or its customers, and no technology infrastructure to compromise.  So, every organization is constantly striking a balance between security and the ability to actually operate.  Security staff need to keep in mind that when the lines of business want to pursue some new venture, or staff want to interact in new ways, their goal should be to make that activity as secure as possible within the limits imposed by law and regulation (which do, of course, actually rule some things out), while making it clear to the business what the limits on that security are.  The fact of law and regulation and the need to protect operations and clients mean it isn’t always possible to say yes, but it is usually possible to say “Yes, if…” or “Yes, here’s how….”
  • Balance proactive and reactive.  Your strategy has to focus on continuous improvement of both the reactive kinds of security (what to do in the event of a suspected breach, how to improve security after figuring out how the breach occurred) and the proactive kinds (staff education, network security systems and services, audits and penetration tests).  This may lead to investment in tools, such as SIEM systems, that support both branches of action, as well as ongoing training.  It has to drive the development of policies that incorporate continuous review and refinement of security operations and of the policies themselves.
  • Don’t work in a vacuum.  Involve lines of business and business-technology liaisons in the processes of developing and regularly reviewing and updating security strategy and policy. Make sure they get regular updates on what has been happening, too.
  • Don’t re-invent the wheel.  There are solid security frameworks out there to help any organization build out a set of security policies to implement a security strategy.