October 29, 2021

Last Updated on January 15, 2024

For many organizations, having a solid information security strategy is just as important as having a business strategy. Executives know what a business strategy is for, why it’s important and what it should include. But what is an information security strategy supposed to look like? How does it relate to the business strategy? And what makes an information security strategy so important?

To share expert guidance on how to think strategically about information security, Chris Dorr, practice lead for Pivot Point Security’s Virtual CISO (vCISO) and virtual security team programs, was our special guest on a recent episode of The Virtual CISO Podcast. Hosting the show is Pivot Point Security CISO and Managing Partner, John Verry.

Differentiating between strategy and tactics in InfoSec

When it comes to strategy and tactics, information security is a lot like chess.

“If you’re playing chess, tactics are the short-term things you do; things that have to be done right now,” explains Chris. “I take his piece, he takes my piece, I end up a pawn ahead. In InfoSec, the equivalent might be deploying endpoint anti-malware. It needs to be done today, there’s a limited set of options and we’re going to go ahead and do that.”

“More nebulous and more complicated is the strategic side of things,” says Chris. “In chess, strategy is a longer-term set of guiding principles. It’s, ‘What is the game going to look like?’ And it’s the same with information security. It’s, ‘What is our information security program going to look like over the next two years, three years, five years?’ What are the guiding principles that are going to drive us to make particular [tactical] decisions?”

Examples of how strategy and tactics relate

In short, each tactical decision is guided by your information security strategy. For example, if your strategy calls for embracing a hybrid cloud model, then your choice of a new endpoint protection solution would need to align with that.

Likewise, if moving towards a particular framework, like ISO 27001 or Zero Trust, is part of your information security strategy, then all your decisions around products you purchase or people you hire will relate to instantiating that framework and maintaining compliance with it.

The importance of metrics

A key part of keeping tactics aligned with strategy is putting metrics in place so you can measure your progress toward objectives.

“You have to have things that you’re working towards,” Chris notes. “You have to have steps that you can show now. Because you can’t get to the five-year goals if you can’t get to the three-year goals. And you can’t get to the three-year goals if you don’t know where you are today.”

What’s Next?

If you’re looking to make information security into a business enabler that not only reduces risk but also creates value, listen to this podcast episode with Chris Dorr all the way through: https://pivotpointsecurity.com/podcasts/ep65-chris-dorr-why-information-security-is-key-to-business-strategy/

Looking for more insights around aligning your cybersecurity and business strategies? Check out this related blog post: https://pivotpointsecurity.com/blog/this-is-why-your-information-security-advisor-should-be-focused-on-strategy-not-tactics-products/

Successful vCISO = All Security Roles Filled

This document outlines the 3 critical roles and responsibilities of a Virtual Chief Information Security Officer: Architect, Builder, and Operator.
Download the free infographic now!