twitter facebook rss

Developing a Security Strategy Document

Posted by on May 12, 2015.

It’s important to have a security strategy plan. Although this might seem an obvious statement, relatively few companies have actually committed their plan to a formal strategy document. That’s what we’ll discuss today – the advantages of a formal document, and a template to get you started. The template comes from a CISO member of Wisegate, and was made available to all other members.

First the advantages…
Security has evolved from that silo tech department that just threw curve-balls at everything Business wanted to do. Security is now much more than just the installation of firewalls and anti-virus and policies that say, ‘No, you can’t do that’.

Today Security must be integrated into every fibre of the organization. It must work with HR (and would benefit from Marketing advice) on security awareness programs. It must work with Legal to ensure regulatory compliance; with IT to monitor the growth of mobility; and with Risk to understand what needs the closest attention.

But memory lingers, and Business is unlikely to make welcoming noises. Security must find some way of integrating itself into the very thought processes of the organization so that it can be what it must become: an enabler of secure business.

That is one of the fundamental advantages of developing a formal security strategy document. You can invite and include other department heads within a Governance Counsel. They are unlikely to decline – this is their opportunity to influence Security.

The heart of the strategy plan is the formation of that Governance Counsel; and it provides the single biggest advantage: inclusiveness. A strategy plan will help you put Security at the heart of Business.

Our Template is structured around Governance
There are five sections to our template:

  • Security mission statement
  • introduction to security in the business
  • the Governance Counsel
  • Security objectives
  • Security initiatives.

But remember that you are talking to Business leaders outside of Security – you are not talking to the techies who will be implementing the strategy. So,

  • keep it short (five pages is recommended)
  • keep it simple (you are trying to include Business, not frighten it off)
  • use diagrams (they’re not worth a thousand words, but they do keep the audience engaged)
  • remember that this document is more for Business than it is for Security.

With these tenets, let’s look at the individual sections of the document.

The Mission Statement is something you probably already have. You can use this – but make sure it is outward facing. It’s purpose here is not to enthuse Security, but to involve and enthuse Business.

The Introduction is an opportunity to outline the purposes of Security and the Security Strategy. Do not just dismiss these two sections as unimportant; they are very important. This is your opportunity to sell Security. Do a good job and you’re half way there; do a bad job and it won’t matter how good or important the rest of the strategy is – you and it will be ignored.

The Governance Counsel we have already discussed. Get Business involved. It’s not a case of just telling them what you’re doing, but discussing with them what they want. Set up regular brief meetings: monthly if you can, quarterly if necessary. You can supplement this with monthly newsletters designed just for the counsel members – but again, keep it brief and simple. They are just as busy as you are.

The Security Objectives are a high level overview of your main priorities to ensure the company’s security. Your first draft may come from you alone – but future versions will demonstrate the value of the Governance Counsel, with Risk helping you to define and locate the company’s crown jewels; HR offering insight on security awareness; and of course Legal on compliance.

The Security Initiatives will outline the methods you use to fulfill the objectives. This is where you may discuss products and security methodologies; but you must still keep everything short and simple. Remember your audience. The initiatives do not need to map directly over the objectives, but taken together, the sum effect of the initiatives should exceed the objectives.

Follow these steps and you will have an effective and workable security strategy document. But that’s not the end; it’s just the beginning. Threats are continuously evolving and generally increasing. New solutions and new methods come to market. New regulations come on stream. And you need to be ready for them. One, but just one of the reasons for those regular Governance Counsel meetings is to discuss and evolve the currency of the Security Strategy Document. Once written, it should become a living document.


Insights is a unique commentary inspired by and drawn from the peer-to-peer conversations of some of the most senior CISOs and CIOs in the world. All are members of the gated Wisegate community where they meet virtually to discuss issues and problems in information security.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Insights |