6 Steps To Get Started On Your IT Security Strategy

October 25, 2018

When I ask clients about their IT security strategy, I am generally surprised at the responses I receive. Most of the time, they give me a list of security program elements currently in play: firewalls, vulnerability management, IDS, anti-virus, etc.

But just as a shopping list does not constitute a three-course dinner, a list of elements is not the same as an IT security strategy. Nor is it the best place to begin building one!

The next most common response I get is that there is no formal, documented security strategy in place. The company simply “does its best to keep hackers out and protect against breaches”.

But hope is not a plan. Such organizations do not appear to have anything in place that remotely resembles a security strategy. In a significant number of cases, the decision-makers in these companies lack even a basic understanding of what makes up a security strategy!

Such leaders put too much emphasis on purchasing a standard list of security tools and technologies without first assessing if they are an appropriate fit, or how effective they will be once deployed in the environment.

An Effective IT Security Strategy Starts Here

Businesses that really want to implement an effective security strategy should begin with a bottom-up approach. Start by determining the direction, goals and objectives; then factor in the gaps that exist within the current program.

The information derived from a sober analysis will help develop a holistic view of the company’s security needs and its desired state of security.

Building an enterprise information security strategy can essentially be accomplished in six basic steps:

  • Establish a security governance function within the organization to provide strategic direction
  • Assess the current state of the security program and organizational readiness
  • Understand where the organization is headed, and drive the security strategy in the same direction
  • Develop a roadmap of the desired state of the security program and how to get there
  • Develop a detailed plan for the phased implementation of the strategy
  • Measure the effectiveness of implemented controls, and demonstrate progress against goals on a continual basis

Never Assume When Strategizing Your Security Program

When I consult with clients on their security strategy, I start by establishing a number of key points.

First, I explain that no organization can ever really be completely secure – even the most diligent security professionals cannot protect against every threat.

Second, the implementation of a security strategy is not a “set it and forget it” initiative. It needs to be regularly reviewed, measured for effectiveness, and modified if/when needed. Strong security governance and oversight are critical.

Third, an effective security program should always be included in an organization’s ongoing business and budget planning.

A security strategy always goes back to organizational goals and objectives. Simply obtaining an assortment of security solutions without first performing due diligence to assess whether or not they are a proper fit can lead to an expensive, potentially unmanageable and insecure security architecture.

Mark Murphy
Practice Director, Security Services

Mark Murphy is the Director of Security Services Practice, All Covered. He is a Mechanical Engineer and Certified CISO. Mark was a founding member of VioPoint, Inc. and served as VioPoint’s COO, CEO, and eventually sole owner in 2016 and oversaw the growth of VioPoint into one of the Midwest’s premier IT Security providers. VioPoint was acquired by All Covered, a division of Konica Minolta Business Solutions, USA, in February of 2018.