November 8, 2021

Posted by Richard Barrus

Reading Time: 2 minute(s)

Operationalizing Your Information Security Strategy

November 8, 2021

Table of Contents

Last Updated on January 19, 2024

Once you have a clear, agreed vision for where you want information security to take your company, it’s time to operationalize your information security strategy.

Are you doing everything needed to ensure you’re operationalizing your InfoSec program in an optimal way, per your strategy?

To take you from A to Z on InfoSec strategy, we talked with Chris Dorr, practice lead for Pivot Point Security’s Virtual CISO (vCISO) and virtual security team programs, on a recent episode of The Virtual CISO Podcast. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.

The Execution Phase

Within Pivot Point’s proven process, the iterative execution phase falls midway between the vision and validation phases.

“All these wonderful strategies don’t mean anything unless the rubber meets the road,” Chris reminds. “The next step is building rigor and process into the information security function. How are we doing security? How are new users going to be provisioned? How are new desktops going to be rolled out? That’s documented in the information security management system (ISMS), developing policies and procedures. You can’t really operationalize it until you have the laws that govern it. Those laws are corporate policies.”

Even documentation involves strategy

Part of operationalizing your InfoSec strategy is creating documentation, which can also be approached strategically.

John explains: “If you’re an organization and let’s say over the course of the next three years you want to get ISO 27001 certification. Plus, you’re in the DIB scene, so you need CMMC Level 3. And you may even need to go to another framework, maybe a privacy framework. If you think about it logically, how are you going to evolve your policies in a way that they’re not going to continually need to be rewritten and they’re going to stay current?”

Sticking with the vision

“This is where it’s sometimes a little difficult to see the connection between these tactical activities and the strategy that we started with,” advises Chris. “But all of this has to be tied back to that strategy because this isn’t just about what are we doing today, or what are we doing tomorrow? And the way we do documentation is going to be totally different than if we didn’t care about that.”

“And it’s not just documentation,” Chris underlines. “It’s everything about the operationalization of the security practices, so that everything we build going forward has to be able to fit into whatever comes next.”

What’s Next?

If you’re looking for that rare InfoSec podcast that delivers on strategy, you’ll want to hear this show with Chris Dorr all the way through: https://pivotpointsecurity.com/podcasts/ep65-chris-dorr-why-information-security-is-key-to-business-strategy/

For another expert angle on cybersecurity strategy, we recommend this related post: https://pivotpointsecurity.com/blog/heres-how-to-fix-your-cybersecurity-program/

Successful vCISO = All Security Roles Filled

This document outlines the 3 critical roles and responsibilities of a Virtual Chief Information Security Officer: Architect, Builder, and Operator.
Download the free inforgaphic now!

Download Now!

What's Next?

To hear this practical, best-practice oriented show with Temi Adebambo

Click Here

Pivot Point is now part of CBIZ. Click Here for more information.

Blog

Operationalizing Your Information Security Strategy

The Execution Phase

Even documentation involves strategy

Sticking with the vision

What’s Next?

Successful vCISO = All Security Roles Filled

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How to Measure the Value of Information Security

2 Principles to Revolutionize Security Awareness Training

What is Cyversity and How Can It Improve Diversity on My Cybersecurity Team?

How can we help you?

Services

Compliance

Insights

Pivot Point Security