November 8, 2021

Last Updated on January 19, 2024

Once you have a clear, agreed vision for where you want information security to take your company, it’s time to operationalize your information security strategy.

Are you doing everything needed to ensure you’re operationalizing your InfoSec program in an optimal way, per your strategy?

To take you from A to Z on InfoSec strategy, we talked with Chris Dorr, practice lead for Pivot Point Security’s Virtual CISO (vCISO) and virtual security team programs, on a recent episode of The Virtual CISO Podcast. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.

The Execution Phase

Within Pivot Point’s proven process, the iterative execution phase falls midway between the vision and validation phases.

“All these wonderful strategies don’t mean anything unless the rubber meets the road,” Chris reminds. “The next step is building rigor and process into the information security function. How are we doing security? How are new users going to be provisioned? How are new desktops going to be rolled out? That’s documented in the information security management system (ISMS), developing policies and procedures. You can’t really operationalize it until you have the laws that govern it. Those laws are corporate policies.”

Even documentation involves strategy

Part of operationalizing your InfoSec strategy is creating documentation, which can also be approached strategically.

John explains: “If you’re an organization and let’s say over the course of the next three years you want to get ISO 27001 certification. Plus, you’re in the DIB scene, so you need CMMC Level 3. And you may even need to go to another framework, maybe a privacy framework. If you think about it logically, how are you going to evolve your policies in a way that they’re not going to continually need to be rewritten and they’re going to stay current?”

Sticking with the vision

“This is where it’s sometimes a little difficult to see the connection between these tactical activities and the strategy that we started with,” advises Chris. “But all of this has to be tied back to that strategy because this isn’t just about what are we doing today, or what are we doing tomorrow? And the way we do documentation is going to be totally different than if we didn’t care about that.”

“And it’s not just documentation,” Chris underlines. “It’s everything about the operationalization of the security practices, so that everything we build going forward has to be able to fit into whatever comes next.”

What’s Next?

If you’re looking for that rare InfoSec podcast that delivers on strategy, you’ll want to hear this show with Chris Dorr all the way through:

For another expert angle on cybersecurity strategy, we recommend this related post:

Successful vCISO = All Security Roles Filled

This document outlines the 3 critical roles and responsibilities of a Virtual Chief Information Security Officer: Architect, Builder, and Operator.
Download the free inforgaphic now!