The 5 Questions Your Security Strategy Should Answer

The 5 Questions Your Security Strategy Should Answer

In News by Adam Porroni

The threat universe is like the real Universe – it’s growing and it grows at an accelerating pace. Your security strategy needs to keep pace.  Here we’ll address the 5 questions your security strategy should answer to keep pace.   

Security threats vary in style, approach, sources, effects and impacts. And they very rarely become less sophisticated with time.  

To be an effective business executive or a meaningful security leader in an organization requires vigilance and a keen understanding of this ever-changing environment in which to provide security. 

It’s not enough for only the security leadership to work on this issue or keep up on the subject. Security has become vital, not solely critical, to success in the digital economy.  

Non-technical leaders and business-focused executives should be reasonably aligned with the security strategy development process and constantly improve their awareness of key elements to that strategy. This will increase commitment to, and communication about, the strategy and how it complements other key business strategies. 

When all key functions of a business’s operations and technical activities can coordinate well and support security practices, risks can be substantially reduced.  

Even more beneficial to a company, assurances of security can increase client/customer loyalty and increase revenue opportunities. Keeping an edge on the market and the threat universe allows an organization to optimize their execution of their business strategy and maximize the R.O.I. from their security practices. 

In order to build a strong, proper security strategy, the planning process and the final strategy should help a business answer some key questions. Considering also that strategies can evolve, albeit rarely when well-planned, the following questions should be asked regularly to ensure that the strategy remains sound even after some pivots. 

The 5 questions your security strategy should answer are:  

1)  How centrally does this strategy hold your business goals as well as best-practices in security? 

The goal here is balance. Security strategies must consider that business still needs to happen each day. You can’t unplug from the Internet as a security measure if you make money from e-commerce. You can’t filter all emails out to Junk/Spam. The business functions must be respected and weighed among security practices.

For example, even something as simple as scheduling security training webinars as learn-on-your-time events rather than during time blocks that staff have pre-scheduled for day-to-day work can increase security awareness, respect morale, and ensure the least disruption to workloads for all.

2)  How well do your security practices, at all stages, align with *both* the value and risk assigned to business goals and assets 

Most security work centers on the risk profile. Understanding the value of business systems/data allows for a better understanding of the harm that could be done by an attack. From that context, security experts can consider what practices and policies to prioritize.  

For example, consider that a business has financial data about their customers and has inventory data about the number of devices they have on-hand. Financial data, if lost or destroyed or leaked, carries far more value and risk and should have more security efforts aligned with it than the inventory data.

3)  How well-enabled are your security teams to enact, direct, and optimize this strategy over time and achieve the same in the near-term? 

Remember, your team is not merely or solely the information security staff. Optimization and improvement over time can be supported and directed by non-technical team-members just the same.    

Businesses should consider every staff member a contributing member of their security team. Yes, they won’t have nearly as many responsibilities as the security team, but non-security workers should be enabled – through surveys or active contributions to threat reporting  to add context and quality to security policies.  

Likewise, security teams should spend some time with no -technical staff in order to get a better sense of the behaviors that can help or hurt the security profile of an organization.

4)  How critically and effectively does this strategy take into account the insights and information gathered from all sources of security intelligence, including data from monitoring and risk management systems?  

Working with the data, and modeling the data in the best way can streamline and enable the best strategy and near-term tactical activities. Security monitoring solutions are vitally important to giving security experts a huge set of insightsThese solutions need to be designed and implemented well, but when they are, there’s consistent intelligence available to experts and that can be the difference between getting ahead of an issue and staying stagnant or under threat. Gathering intelligence from various sources outside of a security monitoring solution is also good to enable experts to have a comprehensive view of the security environment and daily behaviors that happen. Keeping this information in-mind allows experts to anticipate threats. For example, if staff aren’t making time for security training, security leaders might recommend schedule changes or a modification to the trainings so as to increase engagement.

5)  How effective has this strategy been designed to optimize over time? 

Does it include methods for increasing security R.O.I., and does it include methods to evaluate critical and vital intelligence on security threats and postures that help improve and adapt the strategy over time?  

Starting with the risk profile is important. Some organizations try to do this, which usually involves assigning monetary values to what breaches, losses, et cetera, might bring to a business, and this is a good first step. To make things better, risk profile analysis should also include the investments made and the differenpriorities that apply to each business need.

Not often do security experts speak to returns on investments made into security. But security can be a vitally valuable business function/unit to gain returns.  

This positive outcome is even more possible when taking a comprehensive approach to cybersecurity and overall security practices.  

Prioritizing R.O.I. in security strategy planning and execution can substantially improve a company’s bottom line and its ability to stay ahead of and dominate competitive businesses. 

If you haven’t taken a close look at your security controls and strategy and/or if you can’t get good answers to the questions above.  Now is a good time for a security assessment to get your security plan back on track.   

If you have any questions about any of this, please reach out and set up a time to speak with us.  

Share this Post