Episode 198 – Building a Security Strategy – Part 1
Strategy is the hardest thing a CISO will do in their career...except if they have to explain a massive breach…
- What is a Strategy?
  - What’s the difference between a strategy and a policy?
    - A policy is binding statements
    - A strategy is thought-out planning
- What a strategy isn’t…
  - A list of tech you want to buy
  - A remediation plan that follows an audit/assessment
  - A continued justification for the way you’ve always done things
  - The stuff your favorite vendor told you needs doing
- A strategy is…
  - Based on the needs and desires of the org and its senior leaders
  - Culturally relevant
  - A guide to where investment (money and people) needs to be made
  - Balanced between boldness and reassurance
  - Built on a set of capabilities that map to business success criteria
- Why do you want one?
  - Creates a consistent frame of reference for talking about the program
  - Helps senior leaders understand the where/why of the investments
  - Lays out a connected story for the CFO org to make budget less hard
  - Provides a decision-making framework that enables effective choices
- How do I make one?
  - Understand the business of your Business
  - Know who your stakeholders really are
  - Capability = (Tech + Service) * Process
  - Crawl, Walk, Run
  - It Takes A Village
In our next episodes we’ll break down each of the steps and talk more about strategy…