
Building an Effective Information Security Strategy | Gartner


The information security strategy is one component of a defensible program

Effective cybersecurity, also referred to here as information security, requires a complete and defensible security program that ensures a balance between protecting and running the business. It includes five key components:

  1. An enterprise information security charter: Executive mandate

    This is a short document written in plain language that establishes clear owner accountability for protecting information resources, and provides a mandate for the CISO to establish and maintain the security program.

    This charter document must be read, understood, signed off, visibly endorsed and annually reaffirmed by the CEO and board of the organization.

  2. Terms of reference: Reference model

    A key element of a defensible program is the ability to demonstrate that the organization is in line with accepted practices and standards. With respect to the security program, this means using one or more taxonomical reference models, based on accepted industry standards (such as the NIST cybersecurity framework [CSF], ISO/IEC 27001/2 or CIS Controls [formerly known as Critical Security Controls]) to guide strategic and tactical decisions.

  3. Governance structures: Accountability

    Many regulations require organizations to have a CISO with appropriate independence from information resource and control owners. A virtual CISO can be an acceptable compromise in some situations. The CISO function ideally reports outside the office of the CIO to avoid certain conflicts of interest.

    As for decision making, an enterprise security steering committee can be an effective forum for discussing security challenges, proposed policies and investment plans. This forum should include representatives from information-owning business units and staff functions (IT, legal, HR and privacy office). Executive reporting frameworks and processes should also be defined.

  4. Strategy: Vision, mission and roadmap

    Getting business support for the security program requires a clear vision that explains its components and objectives and how they relate to business goals. The vision should align with proven practices and standards, and be grounded in current state assessments for the organization, as well as peer benchmarks on level of spend, number of staff, program maturity or levels of compliance with generally accepted standards. See the vision, current state and prioritization tabs for more details.

Figure: Components of Cybersecurity Program

  5. Security processes: Execution

    The security program must be geared toward anticipating and reacting to frequent, unexpected changes in the business, technology and operating environments. It should also drive continuous improvement in the effectiveness and efficiency of security controls.

    The ability to continuously improve while simultaneously reacting to change requires the information security program to agree on a set of principles that guide security implementation and operations on a day-to-day basis, such as:

    • Making control decisions based on specific risk and risk appetite rather than on check-box compliance

    • Supporting business outcomes rather than solely protecting the infrastructure

    • Always considering the human element when designing and managing security controls
