Let’s first define what Information Security strategy is: Information Security Strategy is a plan of actions that takes the information security function from mission to vision.
The information security function is often seen as fire-fighting and an overhead cost, so there is a need to change this image and raise the profile of information security in the organisation.
Building an information security strategy is very important to the business for the following reasons:
- Optimising resources and prioritising tasks for the information security function.
- Risk management in the organisation becomes more effective.
- Communication with the organisation’s executives improves, as strategy is the common language to them.
- The profile of information security in the organisation is raised.
When we start to build our information security strategy we should keep the following in mind:
- The information security strategy should align with and contribute to achieving the organisational strategy.
- An information security strategy has three distinct aspects: supporting the business, defending against threats, and raising the profile of the information security function.
- Standard strategy tools and techniques (such as value chain analysis, risk analysis and strategic mapping) can be used to build it.
Reference: ISF & IsecT dotcom