A good IT security strategy starts with understanding where the organization is now and where it needs to be. The organization should not just follow the crowd. Spend time understanding the current security posture, the organizational culture, the threat landscape and how it is likely to change. Then get the right stakeholders, staff and partners to join the journey. The right people will know their domain well, and they will be passionate about what they do. Then do the right thing every day. There is a compound interest on any type of investment — whatever people put their attention and energy into grows, and momentum builds. This is true for health, wealth and security posture alike. So, decide which direction you are heading, make sure that everybody is on board and contributing, move forward and measure progress over time.
Before an IT security strategy conversation starts, make sure you have the right understanding of the status quo. Have some informal chats with staff and managers to understand what is really going on. Only then will you be ready to discuss the IT security strategy. Agree who is responsible for business resilience at the executive level and get them on board. Delivery, however, requires collaboration with key stakeholders and staff across the business. Diagnose -> Guide -> Act.
Don’t wait for pre-arranged executive meetings to have conversations about security. That is far too late to gain support. Meet key stakeholders often, keep them updated on progress on central actions, but also let them know how their areas of the business are doing with training, and discuss any incidents that have taken place — big or small. Report to the C-suite at least quarterly to explain the changes in the security posture and discuss recent developments in the threat landscape.
Conversations should be a combination of informal and formal, so that progress towards common goals can be tracked. One can’t track progress against high-level slogans such as “cloud first” or “moving towards zero trust architecture”. This is why the strategy should not be a simple slogan, but a combination of a gap analysis, the overall course of action to take, and the key actions that need to be taken over the next year. Then you can have meaningful conversations from day one. Don’t seek support for fluffy high-level slogans. Link your key messages to specific work packages and their approximate budgetary needs.
Every stakeholder is different. Create a stakeholder map: a two-by-two grid of power vs. interest, and decide the frequency of engagement based on it.
Always bear in mind that the friendship formula is based on proximity, frequency, duration and intensity. The trust formula calls for credibility, reliability and intimacy. The last of these is very similar to intensity. Meetings about governance are needed, but they are unlikely to be truly intense for a business stakeholder. A tabletop exercise, however, is far more likely to be intense. We should not talk about numbers all the time. Make it real. Tell a story. And try to roleplay “what would happen if …”.
Friendship = Proximity x (Frequency + Duration) x Intensity.
Trust = (Credibility + Reliability + Intimacy) / Self-Orientation
As you work through this process, always keep in mind the business's goals and its mission, and remember to support that mission — security is not the end goal.