Strategic security plans are cybersecurity road maps that establish pathways an organization can follow to improve its overall risk management approach.
Today, technology changes at a rate most businesses can’t keep pace with, and it’s this lag that introduces risk into organizations’ business operations. To manage that risk, security leaders must implement controls across an ever-expanding, turbulent network landscape. These same security executives also apply best-practice approaches to diverse risk portfolios using traditional concepts such as defense in depth and layered security technologies. I believe these traditional methods need to change, since they were originally envisioned for the centralized, managed networks that many of us CISOs started our careers with years ago.
Now networks typically don’t have fully defined perimeters; they’re designed for the mobile worker and geo-dispersed teams, with numerous third-party connections to vendors and trusted partners. It’s these new network infrastructures, spread across the cloud, shared data centers and mobile devices, that force CISOs to revisit their strategic plans. In essence, these plans are cybersecurity roadmaps that establish pathways an organization can follow to improve its overall risk management approach. They should describe how the security program will protect and share information, counter new and evolving threats, and support the integration of cybersecurity as a best practice for everyday business operations.
A strategic plan should document the “current state” of security practices and describe near-term objectives to be addressed in the next 12 months, midterm goals for the next 18-24 months, and long-term objectives over the next 36 months. This plan is usually developed by the CISO and is designed to be a living document. Its vision, goals and objectives should be reviewed at least annually by an Executive Cybersecurity Review Committee.
Where security practices meet business objectives
To begin, the CISO first needs to understand the company’s current security state. This effort requires an ongoing review of assets such as hardware, software, network configurations, policies, security controls and prior audit results. The goal is to build a picture of the current technology and application portfolio and current business plans, and then to understand the critical data types that business stakeholders depend on.