Below are the top five considerations when developing a strategy for your security program:
1. Have One: Sounds simple, and it is. Unfortunately, even in today's complex security landscape, many organizations still do not have a thoughtful or organized strategy for managing their security program. This is like taking the field in a battle with no organized direction or approach. Chances are you would not win too many battles, and an organization without a security strategy will likewise find only limited success.
2. Document your Security Strategy: Right behind having a strategy in importance is having one that is documented for all to see. This item generally runs into problems in most organizations because of organizational politics. Many CISOs are influenced not to define or document their security strategy because political forces within their organization are not ready or willing to tolerate it. Bottom line: if you cannot document what it is you are doing, then you do not know what you are doing.
3. Make Sure it is Customized for your Organization: The security strategy for a defense contractor is going to be different from one for an ice cream maker. Ensure that your strategy takes organizational drivers into consideration and is appropriate for your organization.
4. Build Your Strategy First for your Program: Your security program strategy represents the overall direction for security in your organization. As a result, it needs to be built before any of the other components of your security program.
5. Ensure that your Strategy Matches What your Security Program is Actually Doing: If your security program strategy states that you are going to be proactive, yet your security program only focuses on conducting audits, your approach is going to run into trouble. Build a strategy that is appropriate, practical, and something you can actually deliver within the other components of your program.