Over the past year, the posting on this blog with the single most number of page views is “Building an Information Security Strategy” which was actually posted back in March 2007.
When it recently came to updating the strategy document, the first good question to ask was “do we still need to have a security strategy?” The answer was yes for two reasons: Firstly I like to work from a plan and secondly the boss wanted a new and updated version. He’s a hard-to-please task-master but he does very occassionally buy cakes on a Friday. Actually joking aside, my reporting line is interesting because unlike in many organisations, Information Security sits outside of the IT group. This works to my advantage and I’ll discuss further sometime in the future.
Looking back to my original post on this subject the three bullet points still hold true. This year, however, I was able to review the previous strategy document and move most of the key initiatives (described as programs in the referenced post) I’d started when I took on my current role into a “Business as Usual” section. For example, a decent patch management process has now been accomplished right across the organisation. This was formerly a key initiative because such a process simply did not exist when I started working there. Now, it’s in place, working well, and managed by the IT group who report the metrics back to me. So I can refocus some of the effort put into getting that one off the ground elsewhere.
One lesson I’ve learnt is that you have to make the most of the resources at your disposal which means you can’t expect to do everything you’d like to do. Could I have put in a bid for more resources now so that everything could be included? Maybe, but while you personally might be 100% committed to the cause of information security, there is still a business being run. It’s important to be focused and provide a plan that the rest of the business can buy into. If you try to do too much too quickly, quite simply you’ll fail. Choose the battles you know you can win.
My strategy plan has review and buy-in from the company board. The support is important because at various points throughout the year I’ll be asking for their assistance and they’ll be expecting relevant metrics to show how the strategy is progressing.