Information security strategy: have you decided how to move forward?

Hello! My name is Anton Udovichenko, I am the head of the Infosecurity audit department. Based on my experience, I prepared instructions on how to develop an information security strategy in a company.

The development of an information security (IS) strategy seems a difficult task to many companies, both in terms of organizing the development process itself and in terms of the subsequent practical implementation of the strategy. Some companies claim that they can do without formal planning and without spending time and energy on making plans, justifying this by rapid changes in the technology market that nullify all their efforts. If the actions taken are effective, this approach can bring some success; however, it not only fails to guarantee success in the future but puts it in serious doubt. Formal planning significantly reduces the risk of wrong decisions, serves as the basis for subsequent control, and also improves readiness for market changes.

The need for an information security strategy, as a rule, arises for companies that already feel confident enough in the market to make plans for the years ahead, but have faced the following challenges:

  • lack of correlation between the strategic goals of the company and the directions of development of information security;
  • insufficient level of information security of key business processes of the company;
  • low return on investment in the development of information security.

The IS development strategy should be seen as a kind of map that defines landmarks on the ground and points toward the goal. It makes achieving goals manageable by setting limits and priorities for the tactical decisions of those responsible for the development of the company and/or its individual areas. Note that the IS strategy should not be static: as uncertainty decreases over time, the strategy should be reviewed and, if necessary, adjusted, setting new priorities for tactical decisions.

For whom is an information security strategy of interest?

Some mistakenly believe that the IS strategy is needed only by those responsible for IS. In fact, the strategy has many more users, each with their own interest; the main ones are:

Company management:

  • understanding the role of information security in the implementation of the general concept of company development;
  • ensuring coherence with the development strategy of the entire company;
  • understanding of the goals and volume of investment in information security;
  • rational distribution of investments;
  • tools for monitoring the achievement of goals.

Information Technology Service:

  • understanding the role of information security in the development of the company's IT;
  • understanding the requirements that IS imposes on the target IT architecture.

Information Security Service:

  • the presence of uniform principles for the development of information security;
  • understanding of the target architecture of the company's information security;
  • availability of a detailed action plan (project portfolio);
  • a clear understanding of the required resources;
  • compliance with legislation and industry standards regarding information security;
  • tools for monitoring the achievement of IS goals.

The procedure for developing an information security strategy

Before considering the main steps of developing a strategy, you need to define the quality criterion for the IS strategy and, accordingly, the aim of developing it: obtaining complete answers to three questions:

  • What are the strategic goals for the development of information security, and how do these goals correlate with the strategic goals of the company?
  • What is the future profile (target state) of the company's information security?
  • What actions need to be taken to achieve the strategic goals of information security development?

Stage 1. Preparation. To begin with, define the parameters and order of project management.

Key tasks to be solved:

  • creating a project team and setting goals;
  • coordination of the structure of the data collected and adaptation of the templates;
  • coordination of project boundaries, structure and content of reporting documents;
  • coordination of the project management process;
  • determination of the procedure for solving emerging problems;
  • preparation and approval of a work plan.

At this stage, in fact, you need to lay down the key factors for success and achieving the desired results, namely:

  1. Management involvement in the project: the development and implementation of the IS strategy must, first of all, be supported by company management, which should be responsible for monitoring the progress of work, allocating the necessary resources, and subsequently approving the developed strategy.
  2. Formation of the project team: it should include the most competent employees and remain unchanged throughout the project. The following organizational roles are distinguished in the project:
    • Project curator on the Contractor's side;
    • Project curator on the Customer's side;
    • Steering Committee;
    • Project Manager on the Contractor's side;
    • Head of the working group on the Customer's side;
    • Contractor's project team;
    • Functional specialists on the Customer's side.

  3. Clear statement of goals, requirements, limitations and criteria for project success, which keeps the project on course and ensures it meets the Customer's expectations.
  4. Development of a project management procedure: communication and decision-making processes tie all management functions together, giving the management process integrity and effectiveness. The procedure should define the distribution of powers and responsibilities, the order of interaction between participants, the procedure for approving intermediate and final results, and the procedure for managing problems and changes to the project.

The result of this stage should be:

  • project charter, work schedule, schedule of necessary interviews;
  • structure of reporting documents and templates for data collection / reporting documents.

Stage 2. Analysis of the current state of information security. The purpose of this stage is to collect and analyze information on the order and methods of information processing from an IS point of view, and on the current state of information security.

Key questions to be answered:

  • What is the role of information security in a company?
  • What requirements form the basis for the functioning of the company's information security?
  • What is the current state of IS processes?
  • What information protection tools are used, and what are their pros and cons?
  • What are the business requirements for information security?

Establishing the role of IS in the company sets the general context for developing the strategy and is carried out at all levels: management, heads of departments and employees.

Information is collected in the following areas:

  • the level of information security culture in the company;
  • IS priority in relation to business processes;
  • the impact of information security on the company's business processes;
  • management's awareness of the need for information security;
  • degree of involvement and awareness of employees on information security issues.

The next step is to identify the requirements that the company is obliged to follow or has voluntarily decided to adopt. These requirements essentially form the basis for the functioning of IS and include legislation, industry standards, national and international IS standards, policies of the group of companies, etc.

The step of examining and analyzing IS processes is key and largely determines the outcome of the entire project. Its complexity lies in the need to obtain reliable and objective information, sufficient to form the future profile of information security, usually within a very limited time. Three conceptual approaches can be distinguished: basic, detailed and combined (expert).

Basic approach

The approach involves analyzing the state of information security for compliance with some baseline level of security. The baseline is a standard set of protective measures, typically characteristic of companies operating in the same field, for protecting all or individual information systems. A typical set of protective measures is formed from the need of companies to apply certain standard measures, for example to comply with legal requirements and to protect against the most common threats.

The basic approach requires the minimum amount of resources for the analysis and can be implemented even as checklists with questions about the presence of certain measures and the parameters of their implementation. A significant drawback of this approach is the inaccuracy and limited scope of the information collected, since the baseline does not always match the criticality of the processed information or the specifics of the company's information systems and business processes. Individual systems of a company may differ in sensitivity, volume and value of information; applying generic protection measures to them would be logically incorrect.

Detailed approach

A detailed approach involves a comprehensive survey of the company's information processing and IS processes. It includes the identification and assessment of information assets, assessment of the risks of IS breach, assessment of the maturity of IS processes, analysis of incident statistics, and analysis of public reviews and regulator reports.

The results of a detailed analysis make it possible to choose protective measures in a well-reasoned way when forming the future profile of information security; however, implementing this approach requires a significant amount of money, time and skilled labor. In addition, since such an approach may take considerable time, there is some likelihood that the survey results become outdated.

Combined (expert) approach

Each of the approaches described above has significant limitations and does not always allow collecting sufficient information in an acceptable time to reasonably develop an IS strategy and form a portfolio of projects. Therefore, in practice, various combinations of these approaches are used, including both formal methods of analysis and the practical experience of specialists. As a rule, this approach starts with a preliminary analysis for a high-level assessment of the risk of IS breaches, taking into account the criticality of (confidential) information, information flows and the importance of information systems. Then a detailed analysis is carried out for information systems at high risk, while for the others it may be limited to the basic approach. In addition, a detailed analysis and description of the key information security processes is carried out,

This approach allows, with a minimum of time and effort spent on identifying the current state, to obtain the data needed to form the future profile of information security. Note only that the objectivity and quality of the survey results with this approach are determined by the quality of the survey methodology and the experience of the specialists applying it.

In addition, the choice of survey methods and the degree of employee involvement are determined by the approach used and the survey methodology. For example, the basic approach may be limited to the analysis of internal documents and questionnaires with a number of interviews with key employees, while the other two approaches involve a larger number of employees and a wider range of tools:

  • analysis of internal documents;
  • questionnaires;
  • interviewing;
  • visual inspection;
  • examination using specialized technical means.

At the end of this stage, regardless of the approach chosen, you should expect:

  • expert opinion on the level of development of the company's information security;
  • aggregate assessment of the current state of information security;
  • description of business requirements for information security;
  • report and presentation on the results of the stage.

Stage 3. Development of the target profile of information security. At this stage, the following key tasks are solved:

  • ensuring the relationship between the strategic goals of the company and the directions of development of information security;
  • formulation of basic principles of information security strategy;
  • determination of the future profile of the company's information security.

One of the main obstacles in developing an IS strategy, in terms of managing senior management's expectations, is the lack of clear initial conditions, namely a company development strategy with a clear description of all aspects in understandable terms. In practice, as a rule, either the company has no development strategy as such, or it is not formalized and, at best, can be stated verbally.

The lack of a company development strategy is addressed by the joint efforts of business, IT and IS representatives in developing a common vision of IS tasks, taking into account the following factors:

  • what initiatives are planned across the company, including organizational changes, market and technology development;
  • what changes are planned in business and IT-processes;
  • what important decisions depend on the reliability, integrity or availability of information, or on its timely receipt;
  • what types of confidential information require protection;
  • what consequences may occur for the company after the occurrence of an information security incident;
  • what changes in the external environment can be expected, including the actions of competitors, changes in legislation, etc.

Answers to these questions help formulate the goals of information security in the company. Bear in mind that for each initiative or proposed action, the possible or desired results, the risks of implementing it, and the risks of declining to implement it should all be evaluated.

The basic principles of the IS strategy essentially define the set of global rules to follow when building it and when choosing and implementing solutions. The principles are formulated depending on the company's strategic goals, processes, investment opportunities, etc., and are therefore usually specific to the company. Some universal principles are:

  • IS integrity: the applicable software and hardware solutions, as well as organizational measures, must be mutually consistent and provide the specified level of security;
  • standardization and unification: the variety of technologies used should be minimized in order to reduce the cost of maintaining expertise and solutions, their coordination and integration, licensing and maintenance;
  • ease of use: the methods and means of providing IS should not increase the number of erroneous actions by personnel; this principle does not imply simplicity of architecture or reduced functionality;
  • least privilege: grant only the minimum rights required, without disrupting the user's work;
  • economic efficiency: the applied solutions should strive to reduce the total cost of ownership, increase the return on investment and optimize other indicators of the economic efficiency of investments.

Forming the future profile of information security means solving several partially conflicting tasks:

  • comply with information security requirements (legislation, regulators, manufacturers, partners, etc.);
  • minimize the risks of IS breach;
  • ensure compliance with business goals, taking into account the anticipated changes in business and IT processes;
  • ensure the investment attractiveness of information security.

There are many standards, both international (ISO, COBIT, NIST, etc.) and Russian (STO BR, GOST, etc.), that can be adopted when forming the future profile of information security. However, remember that no standard is fully applicable to every company. Therefore, you should not develop a strategy based solely on one standard or copy it verbatim. Ultimately, all components of the information security process must fit organically into the logic of business development: on the one hand, not restraining development too much, and on the other, keeping risks within specified limits.

An important issue that also needs to be addressed in the IS strategy is the number and qualifications of the personnel needed to perform the basic functions. At least a simple competency model should be developed, which, in addition to job responsibilities, defines the organizational and industry knowledge and skills the staff need. When developing an IS strategy, it is better to propose only those solutions whose required competencies will be available to the company, or at least can be obtained with minimal effort.

Another issue worth considering is outsourcing. It can be a good tool that accelerates the implementation of many IS functions and provides their operational support. When deciding on outsourcing, the relevant risks must be taken into account: using third-party companies to provide IS does not always transfer responsibility to them in the eyes of customers and regulators, and in the event of incidents, customers often do not care who caused the failure. Therefore, the management and control functions of information security should not be completely outsourced.

The result of this stage will be:

  • goals and objectives, principles of information security development;
  • description of the composition and functionality of the target information security system;
  • description of the target information security management processes;
  • report and presentation on the results of the stage.

Stage 4. Formation of the portfolio of information security projects. At the final stage, the problem of investment efficiency in the development of IS is solved. For this purpose, a portfolio of IS projects is formed, including the assessment and selection of potential projects, setting their priorities and setting criteria for their feasibility.

There are many methods for evaluating potential projects for inclusion in the portfolio: economic-mathematical, expert-analytical and graphical. Among them, expert-analytical methods are widely used for IT/IS projects, in particular the multiple weighted criteria method, which allows evaluation based on both quantitative and qualitative criteria, prioritizes projects taking into account their specifics and is easy to use. The essence of the method is to assign a weight to each criterion, determined by its importance for achieving strategic goals. The set of criteria and their weights are individual for each company and are determined by its specifics and scale of activity. In practice, the most commonly used groups of criteria are financial criteria, business criteria and risk criteria. The evaluation procedure using this method is simple and includes the following steps:

  • determination of a set of criteria and their weights;
  • evaluation of each potential project according to the given set of criteria;
  • calculation of the aggregate score of each potential project;
  • ranking of potential projects based on the aggregate score.

The next step after evaluating the projects is to form an optimal set of projects that best ensures the achievement of the company's strategic goals, taking into account current constraints. At this step, significant discrepancies between project indicators are identified and smoothed out, taking into account the interconnections between projects. The main guidelines in finding the best solution are usually:

  • the maximum effect from implementing projects as soon as possible, taking into account financial constraints;
  • the effect of implementing a sequence of interconnected projects.
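The two steps above (weighted scoring and ranking, then selecting a set of projects under a budget while respecting the links between projects) can be made concrete in code. The following Python example is added here and is not part of the original article or of any particular company's methodology: the criteria, weights, project names, costs, scores and dependencies are all constructed sample values, and the greedy selection rule (walk the ranking and admit a project together with its not-yet-chosen prerequisites when the whole chain fits the remaining budget) is one simple way to honour the "sequence of interconnected projects" guideline, not the only one.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample criteria and weights (assumption: weights are normalised
# to sum to 1.0; the groups follow the article: financial, business, risk).
CRITERIA: dict[str, float] = {
    "financial": 0.3,
    "business": 0.4,
    "risk": 0.3,
}


@dataclass
class Project:
    name: str
    cost: int                         # constructed budget units
    scores: dict[str, int]            # criterion -> score on a 1..5 scale
    depends_on: tuple[str, ...] = ()  # prerequisite projects, delivered first


# Constructed sample candidates; names, costs and scores are illustrative only.
PROJECTS: list[Project] = [
    Project("Log centralisation", 40, {"financial": 4, "business": 3, "risk": 3}),
    Project("SIEM rollout", 120, {"financial": 3, "business": 4, "risk": 5},
            depends_on=("Log centralisation",)),
    Project("Security awareness programme", 20, {"financial": 5, "business": 4, "risk": 3}),
    Project("PAM deployment", 80, {"financial": 2, "business": 3, "risk": 5}),
    Project("Data classification", 30, {"financial": 3, "business": 5, "risk": 2}),
    Project("DLP pilot", 60, {"financial": 2, "business": 4, "risk": 4},
            depends_on=("Data classification",)),
]


def validate_criteria(criteria: dict[str, float]) -> None:
    """Weights must be non-negative and sum to 1.0 so aggregate scores stay on the 1..5 scale."""
    if any(w < 0 for w in criteria.values()):
        raise ValueError("criterion weights must be non-negative")
    if abs(sum(criteria.values()) - 1.0) > 1e-9:
        raise ValueError("criterion weights must sum to 1.0")


def aggregate_score(project: Project, criteria: dict[str, float]) -> float:
    """Step 3 of the method: weighted sum of the project's per-criterion scores."""
    missing = set(criteria) - set(project.scores)
    if missing:
        raise KeyError(f"{project.name}: no score for {sorted(missing)}")
    return round(sum(w * project.scores[c] for c, w in criteria.items()), 3)


def rank_projects(projects: list[Project], criteria: dict[str, float]) -> list[tuple[str, float]]:
    """Step 4: rank by aggregate score, highest first (name breaks ties for a stable order)."""
    validate_criteria(criteria)
    scored = [(p.name, aggregate_score(p, criteria)) for p in projects]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def _delivery_chain(name: str, by_name: dict[str, Project], chosen: list[str]) -> list[str]:
    """Prerequisites (recursively) before the project itself, skipping ones already chosen."""
    order: list[str] = []

    def visit(n: str, path: frozenset[str]) -> None:
        if n in chosen or n in order:
            return
        if n in path:
            raise ValueError(f"cyclic dependency through {n}")
        if n not in by_name:
            raise KeyError(f"unknown prerequisite {n!r}")
        for dep in by_name[n].depends_on:
            visit(dep, path | {n})
        order.append(n)

    visit(name, frozenset())
    return order


def select_portfolio(projects: list[Project], criteria: dict[str, float],
                     budget: int) -> tuple[list[str], int]:
    """Greedy portfolio selection under a financial constraint.

    Walk the ranking; admit a project together with its not-yet-chosen
    prerequisites only when the whole chain fits the remaining budget.
    Returns the chosen projects in delivery order plus the unspent budget.
    """
    by_name = {p.name: p for p in projects}
    chosen: list[str] = []
    remaining = budget
    for name, _score in rank_projects(projects, criteria):
        chain = _delivery_chain(name, by_name, chosen)
        if not chain:
            continue  # already admitted as another project's prerequisite
        chain_cost = sum(by_name[n].cost for n in chain)
        if chain_cost <= remaining:
            chosen.extend(chain)
            remaining -= chain_cost
    return chosen, remaining


if __name__ == "__main__":
    for name, score in rank_projects(PROJECTS, CRITERIA):
        print(f"{score:4.1f}  {name}")
    portfolio, left = select_portfolio(PROJECTS, CRITERIA, budget=200)
    print("portfolio:", portfolio, "unspent:", left)
```

With the sample data, "SIEM rollout" ranks first on its own score, but it can only be delivered after "Log centralisation", which on its own ranks near the bottom; the selection pulls the prerequisite in and charges the budget for both, which is exactly the interconnection effect the second guideline asks for. Shrinking the budget to 100 makes the SIEM chain unaffordable and the portfolio shifts to the cheaper projects instead, so the same ranking can yield quite different portfolios depending on the financial constraint.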

The final question to answer when developing an IS strategy is how, during its subsequent implementation, to find out whether we are moving in the right direction and how far we have advanced. To assess the effectiveness of implementing the IS strategy, a set of metrics is defined. Metrics should be consistent with the company's goals; therefore, when developing metrics, first determine the actual business benefit of providing IS, and then the criteria by which achieving this benefit can be assessed. As a rule, company management perceives as metrics indicators in monetary terms or the degree of influence on business processes. Another good option is a process maturity model, which gives a visual assessment of the degree of implementation of IS processes.

The result of this stage will be:

  • target portfolio of information security projects;
  • “Roadmap” for the development of information security;
  • risks and key factors for the success of IS implementation;
  • metrics and criteria for implementing the IS strategy;
  • report and presentation on the results of the stage.

Risks of implementing the IS strategy development project

The IS strategy development project is quite complex and may require the efforts of a large number of people, so risks are inevitable and should be taken into account at the beginning of the project.

Lack of employee participation in the project team.

The process of developing a strategy may not be perceived by the participants as “real work”, since it is not part of the daily responsibilities they are paid for. In addition, participation in the planning process often means a lack of responsibilities, few opportunities for the practical implementation of plans, and the absence of a large number of subordinates — all attributes associated with the concept of “status”. This risk can be mitigated to some extent by forming an expanded project team, appointing the steering committee by order indicating the responsibilities of the project, and agreeing a staff participation plan with time reserved for the project.

Change of key members of the project team.

Replacing any of the key participants is a rather painful process, as it can lead to the loss of a certain competence, redistribution of responsibilities within the team and/or additional resources spent on immersing a new person in the details. Such an event can negatively affect timing and quality. This risk cannot be completely eliminated, but it can be minimized through publicity of the project within the company and the availability of transparent information and documentation on the project.

Incorrect understanding of the processes or incorrect interpretation of the process by the Contractor.

Developing an IS strategy requires the Contractor's specialists to work in unfamiliar territory, where even simple things such as terminology can create problems. As a rule, this risk is minimized through periodic presentations and discussion of interim results and contentious issues in working groups.

Inconsistency of customer expectations and project results.

An insufficiently clear initial understanding and formulation of the goals and objectives of developing the IS strategy on the Customer's side can also significantly affect both quality and timing. This problem is mitigated by agreeing the goals, objectives and limitations of the project, as well as the formats and templates of output results, at the initial stage of work.

To minimize negative situations, a problem management process plays an important role, within which problems are identified, registered and resolved. To this end, steering committee meetings, working group meetings and reports on the interim results of the project can be held on a regular basis.

Conclusion

I would like to note that the IS strategy should be considered precisely as a tool for managing the company's IS development, aimed at achieving business goals and minimizing the risks of IS breach. This tool defines the boundaries of IS development goals and sets priorities for tactical decisions, making achieving the goal a manageable and feasible task for those responsible for it. Like any tool, the IS strategy can be sharpened for rough or precise work, with all the ensuing pros and cons; therefore, when developing it, you should be guided by a key principle - the IS strategy must be consistent with the business, and there must be the means to implement it.