November 2, 2021

Last Updated on January 13, 2024

Your information security strategy could be helping to give your business a competitive edge. Is it? Or is security out of sync with the business, leaving you struggling with tactical decisions and potentially vulnerable to cyber attack?

What should an information security strategy include? How does it interoperate with the business strategy? Where do you start with making security a business enabler?

To provide expert answers to the key questions around InfoSec strategy, we debriefed Chris Dorr, practice lead for Pivot Point Security’s Virtual CISO (vCISO) and virtual security team programs, on a recent episode of The Virtual CISO Podcast. The show is hosted by John Verry, Pivot Point Security CISO and Managing Partner.

Security strategy starts with business strategy

Information security is a business function—it exists to serve the business. So, the security strategy starts by referencing the business strategy.

“Before you begin looking at risks, before you begin looking at frameworks or controls or anything with information security, you have to look at what you are trying to do as a business,” emphasizes Chris. “If your objective as a business in five years is to become publicly traded, then everything we do in information security has to serve those business goals.”

“When you look at tactical decisions, the question is going to be something like, ‘What do we need to do today?’ Whereas the first question I always ask when starting an engagement is, ‘Where are we going and how do we get there?’”

“We need a clear vision of where we’re going,” John reframes. “If we do that well, the goal would be to convert information security into a business enabler. Information security is inherently, for most organizations, value preservation. Can we also make it value creation?”

In other words, how can we enable the information security function to help marketing, sales, product design, etc.?

Comprehensive risk assessment

Once you plug your business strategy into information security to get that clear vision of where you want to go, the next step is to pinpoint where you are. No surprise: that takes the form of a comprehensive risk and gap assessment against an appropriate trusted framework like ISO 27001 or CMMC.

“Frameworks give us this common language,” Chris points out. “Another reason that people value frameworks is because they hit the important notes. So, we walk our way across all these security functions [in the framework] and get this view of, ‘You’re great here, you need help here, this has to be our critical focus in the first three months. This we can put off until year two….’”

Integrating security into business operations

As a company refines its security strategy, security can become more and more integrated into business operations, to drive that value creation.

“In our information security strategy [at Pivot Point Security], because we’re ISO 27001 certified, we update the objectives of our ISO 27001 information security management system (ISMS) and then we use the new objectives to drive the security metrics of our program,” John notes. “That’s actually part of our stated strategy, which is cool because way too often with orgs that have an ISO 27001 certification, those objectives remain static and those security metrics remain static.”

“One of the things that we see in clients that we work with year over year as they mature, is that we tend to add to the metrics, that as we get better at helping them manage their security we need to know more information about how we’re doing,” Chris relates. “And it’s not just us; this information is what flows up to the senior management. So, we’re establishing that feedback early on every year. It’s built in that we’re getting better at what we’re doing.”

What’s Next?

If you want to help your business take a more strategic approach to security, be sure to listen to this podcast episode with Chris Dorr end-to-end:

Want more insights on thinking strategically about information security? This related blog post is just what you’re looking for:
