January 17, 2023

Last Updated on January 4, 2024

Most orgs have a business strategy and senior leadership understands what it’s for and why it’s important. But what about an information security strategy? What does that look like and why is it so important, especially in a tough economic climate?
To share key insights on managing information security in an economic downturn, John Verry, Pivot Point Security CISO and Managing Partner and host of The Virtual CISO Podcast, recorded a special briefing episode for security leaders.

Security starts with strategy

If your company doesn’t have a strategy for information security that aligns with your business strategy, on what basis can you evaluate resource allocations and other security decisions?
“If you do not have an information security strategy, I would suggest that you develop one,” John asserts. “A three-year strategy or vision is very valuable because it provides you a framework to vet every decision and every investment against.”
This ensures that your security efforts are fully aligned with your long-term business strategy. In a down economy, you can’t afford to make wrong turns that waste precious resources. Having a business-centric security strategy to guide your actions primes you for success.

Security strategy as a business enabler

Information security exists to serve the business. So, the starting point for defining your security strategy is to reference your business strategy. Before you start analyzing risks or implementing controls, you need to look at what your org is trying to accomplish.
If your business strategy is all about growth, then your security strategy needs to enable that growth. From there you can start looking at tactical decisions, like what technology to buy.
When your information security program enables the business, this creates new value in addition to preserving value through risk reduction. For example, being able to prove to investors, regulators, customers, etc., that you have a robust security and compliance program is a competitive differentiator that helps drive new business, close deals, improve business valuations, and so on.

What’s next?

To listen to this special podcast episode with John Verry, click here.
Want more insights on thinking strategically about cybersecurity? Here’s a blog post you’ll appreciate: Step 1 to “Provably Secure and Compliant”—Establish Your Vision