For those of you who are not familiar with Secure360, it's THE upper midwest US security conference. There's still time to register, come on out and enjoy!
There are many demands on the CISO. But part of the art of the position is to juggle the more granular tasks with overall priorities while trying to be strategic.
If you've spent some time learning the business and creating alignment, then it's time to create your security strategic plan.
All organizations need to know where they are going. Your security program also needs vision and direction.
Strategic Planning. People use the word "strategy" in different ways. To me, strategy refers to a long-term, high-level goal or outcome. The timeframe should be 3-5 years and the strategies do not contain a lot of detail.
Here's a graphic I've used to show the relationship of strategic hierarchy terms:
NIST (and the 800 series), CObIT and HITRUST. I'm a big fan of the maturity model in CObIT. I've written a bit about this in the past.
We used a number of different sources as input to the strategic planning process:
- information from business leaders (as described in part 1) - for alignment and risks
- information from the baseline (also in part 1) - for an understanding of maturity and gaps
- a threat modeling session - I will perhaps need to explain this in more depth at another time. Basically, we brought the security team together to brainstorm a list of assets, actors and actions. Combining these led to a number of threat scenarios, which were then reviewed for impact and likelihood - a form of risk assessment.
- visioning - Another item that will probably need more depth. We took the 13 high-level control objectives of the HITRUST framework and did a visioning exercise. We time-traveled 5 years into the future! And that future security program was Awesome! The team then described that awesome future program, capabilities and toolset relative to the 13 high-level control objectives. This was followed, after returning to the present, with a short sanity check dividing the listed items into: shorter-term (0-2.5 years), longer-term (2.5-5 years), and "probably not realistic".
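To make the threat modeling session above concrete, here is a small worked example of turning the three brainstorm lists into scored, ranked threat scenarios. This is example code added to this post, not the author's tooling; the assets, actors, actions, the 1-5 impact/likelihood scale, the ratings and the tier thresholds are all constructed sample values.

```python
"""Threat scenarios from an assets / actors / actions brainstorm, then ranked by risk.

Example code added to this post (not the author's). All lists, ratings and
thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product

# Constructed brainstorm output: what we protect, who might act against it, and how.
ASSETS = ["patient records database", "remote-access VPN", "offsite backups"]
ACTORS = ["external criminal", "careless insider"]
ACTIONS = ["exfiltrates data from", "disrupts", "tampers with"]

# Constructed review results: (impact, likelihood) on a 1-5 scale for scenarios
# the team has discussed so far. Anything not rated shows up as "still to review".
RATINGS = {
    ("external criminal", "exfiltrates data from", "patient records database"): (5, 4),
    ("careless insider", "tampers with", "patient records database"): (4, 3),
    ("external criminal", "exfiltrates data from", "offsite backups"): (5, 2),
    ("external criminal", "disrupts", "remote-access VPN"): (3, 3),
    ("careless insider", "disrupts", "offsite backups"): (4, 1),
}


@dataclass(frozen=True)
class Scenario:
    actor: str
    action: str
    asset: str
    impact: int      # 1 (negligible) .. 5 (severe), constructed scale
    likelihood: int  # 1 (rare) .. 5 (expected), constructed scale

    @property
    def risk(self) -> int:
        # Simple impact x likelihood product; 1..25 on the constructed scale.
        return self.impact * self.likelihood

    def describe(self) -> str:
        return f"{self.actor} {self.action} {self.asset}"


def generate_scenarios(assets, actors, actions):
    """Cross the three brainstorm lists into candidate (actor, action, asset) scenarios."""
    return list(product(actors, actions, assets))


def score_scenarios(candidates, ratings):
    """Attach the review's ratings. Unrated scenarios are returned separately so the
    team can see what it has not yet discussed instead of silently dropping them."""
    scored, unrated = [], []
    for actor, action, asset in candidates:
        key = (actor, action, asset)
        if key in ratings:
            impact, likelihood = ratings[key]
            scored.append(Scenario(actor, action, asset, impact, likelihood))
        else:
            unrated.append(key)
    return scored, unrated


def rank(scenarios):
    """Highest risk first; ties broken by impact, then by name for a stable register."""
    return sorted(scenarios, key=lambda s: (-s.risk, -s.impact, s.describe()))


def bucket(scenarios, high=15, medium=8):
    """Group ranked scenarios into treatment tiers (constructed thresholds)."""
    tiers = {"treat now": [], "plan": [], "accept/monitor": []}
    for s in scenarios:
        if s.risk >= high:
            tiers["treat now"].append(s)
        elif s.risk >= medium:
            tiers["plan"].append(s)
        else:
            tiers["accept/monitor"].append(s)
    return tiers


if __name__ == "__main__":
    scored, unrated = score_scenarios(generate_scenarios(ASSETS, ACTORS, ACTIONS), RATINGS)
    for tier, items in bucket(rank(scored)).items():
        print(f"== {tier} ==")
        for s in items:
            print(f"  [{s.risk:2d}] {s.describe()}  (impact {s.impact}, likelihood {s.likelihood})")
    print(f"{len(unrated)} scenario(s) still need a rating")
```

The point of keeping the unrated scenarios visible is that the brainstorm will always produce more combinations than the team has time to discuss; the unreviewed ones are a backlog for the next session, not noise to discard.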
Roadmap. You need to create a prioritized list of more specific proposed projects and activities. These are then mapped to a timeframe. You will need to take into account any dependencies among the activities, as well as the resources needed. Be realistic... don't set yourself up for failure here. It's always better to under-promise and over-deliver!
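As an added example of the roadmap step (not the author's tooling), the script below takes a prioritized project list with dependencies and effort estimates, checks the dependencies for mistakes, and lays the projects onto half-year periods within a fixed capacity. Whatever does not fit in the planning horizon is reported as "probably not realistic", mirroring the sanity check from the visioning exercise. Project names, priorities, person-month efforts, the period labels and the capacity are constructed sample values.

```python
"""Dependency- and capacity-aware roadmap from a prioritized project list.

Example code added to this post (not the author's). Projects, efforts,
periods and capacity are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Project:
    name: str
    priority: int         # 1 = most urgent
    effort: int           # person-months, constructed unit
    depends_on: tuple     # names of projects that must finish in an earlier period


# Constructed prioritized list. Effort and dependencies drive the schedule.
PROJECTS = [
    Project("asset inventory", 2, 3, ()),
    Project("MFA for remote access", 1, 4, ()),
    Project("centralized logging", 1, 6, ("asset inventory",)),
    Project("detection use cases", 3, 6, ("centralized logging",)),
    Project("DLP pilot", 4, 8, ("asset inventory", "centralized logging")),
    Project("security data lake", 5, 9, ("detection use cases", "DLP pilot")),
]
PERIODS = ["Y1-H1", "Y1-H2", "Y2-H1", "Y2-H2"]   # two-year horizon, constructed
CAPACITY = 10                                     # person-months per period, constructed


def check_dependencies(projects):
    """Fail fast on unknown or circular dependencies (Kahn's algorithm for the cycle check)."""
    names = {p.name for p in projects}
    for p in projects:
        missing = set(p.depends_on) - names
        if missing:
            raise ValueError(f"{p.name!r} depends on unknown project(s): {sorted(missing)}")
    indegree = {p.name: len(p.depends_on) for p in projects}
    dependents = {p.name: [] for p in projects}
    for p in projects:
        for dep in p.depends_on:
            dependents[dep].append(p.name)
    queue = deque(n for n, k in indegree.items() if k == 0)
    visited = 0
    while queue:
        n = queue.popleft()
        visited += 1
        for m in dependents[n]:
            indegree[m] -= 1
            if indegree[m] == 0:
                queue.append(m)
    if visited != len(projects):
        raise ValueError("circular dependency among projects")


def build_roadmap(projects, periods, capacity):
    """Greedy schedule: each period takes ready projects in priority order while capacity lasts.
    A dependency counts as satisfied only from the period after it was scheduled."""
    check_dependencies(projects)
    too_big = [p.name for p in projects if p.effort > capacity]
    if too_big:
        raise ValueError(f"these can never fit in one period, split them: {too_big}")
    remaining = sorted(projects, key=lambda p: (p.priority, p.name))
    done = set()
    roadmap = {period: [] for period in periods}
    for period in periods:
        budget = capacity
        scheduled = []
        for p in list(remaining):
            if set(p.depends_on) <= done and p.effort <= budget:
                roadmap[period].append(p.name)
                budget -= p.effort
                scheduled.append(p)
                remaining.remove(p)
        done |= {p.name for p in scheduled}
    unrealistic = [p.name for p in remaining]   # did not fit inside the horizon
    return roadmap, unrealistic


if __name__ == "__main__":
    roadmap, unrealistic = build_roadmap(PROJECTS, PERIODS, CAPACITY)
    for period, names in roadmap.items():
        print(f"{period}: {', '.join(names) or '(free capacity)'}")
    print("probably not realistic in this horizon:", unrealistic)
```

Two things a real plan would add on top of this: projects larger than one period's capacity get split into phases rather than rejected, and the capacity figure comes from actual staffing net of operational load, which is where most roadmaps quietly over-promise.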
Once you have these pieces of the puzzle, all you need to do is... Execute!
Of course, there are many other components to a holistic security program. What other critical pieces do you think need to be considered in the development of a new program?