Build an Information Security Strategy

Develop a high value Information Security Strategy.


Major Business Pain Points

  • Many security leaders struggle to decide how best to prioritize their scarce information security resources.
  • The need to move from a reactive approach to security towards a strategic planning approach is clear; the path to getting there is less so.

Key Points

The most successful information security strategies are:

  • Holistic – They consider the full spectrum of information security, including people, processes, and technology. 
  • Risk aware – They understand that security decisions should be made based on the security risks facing their organization, not just on “best practice.” 
  • Business aligned – They demonstrate an understanding of the goals and strategies of the organization and how the security program can support the business. 

The resources below contain a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for more than seven years with hundreds of different organizations. This approach includes tools for:

  • Ensuring alignment with business objectives.
  • Assessing organizational risk and stakeholder expectations.
  • Enabling a comprehensive current state assessment.
  • Prioritizing initiatives and building out a security roadmap.

Methodology and Tools

Executive Brief

Read the concise Executive Brief to find out why you should build an information security strategy and review the methodology.

  • Build an Information Security Strategy – Executive Brief
  • Build an Information Security Strategy – Phases 1-4

1. Assess security requirements 

Define the business and security goals of your security program and determine the security pressures and risks facing the organization.

  • Build an Information Security Strategy – Phase 1: Assess Requirements
  • Information Security Requirements Gathering Tool
  • Information Security Pressure Analysis Tool

2. Build a gap initiative strategy

Use the best-of-breed security framework to perform a gap analysis between current and target states, and define security goals and the duties needed to reach them.

  • Build an Information Security Strategy – Phase 2: Assess Gaps
  • Information Security Program Gap Analysis Tool

3. Prioritize initiatives and build roadmap 

Synthesize the gap analysis into a list of actionable security initiatives, and prioritize these based on cost, effort, security benefit, and alignment with business demands.

  • Build an Information Security Strategy – Phase 3: Build the Roadmap

4. Execute and maintain 

Learn to use the methodology to manage security projects as they progress, and identify resources that will help execute the strategy successfully.

  • Build an Information Security Strategy – Phase 4: Execute and Maintain
  • Information Security Strategy Communication Deck
  • Information Security Charter

Related content: 

CISO Playbook: Cyber Resilience Strategy

All resources on this page are provided to Cyber Leadership Hub members under license from third parties including Info-Tech Research Group Inc, a global leader in providing IT research and advice.