There are many ways you may have come into this responsibility. In larger companies, you may have been the subject of a recruiting process or an internal vetting process. You may be replacing someone or inheriting an issue with board visibility. In this case, you’re probably going to have something in place. In the best case, you can carry forward most of the existing plan, but you may be faced with a complete overhaul.
If you’re coming into the position at a smaller company, you could still be subject to an internal vetting process, perhaps as the former “network” or “compliance” person. In this case, you’re likely to have at most a bare skeleton of a plan. It might not be much more than a budget or an organization chart, possibly just a list of services the other IT managers are looking forward to getting off their plates.
We are drawing attention to the latter condition because, as we mentioned in the preface to Volume 1, cybercrime will continue to move “down the food chain” as more relative economic value is managed via interconnected computer networks. As a result, many small and medium-sized organizations are now required to have specific security practices and capabilities in place, whether because of regulatory obligations or because of increased diligence demanded by the organization’s customers and other stakeholders. CISOs hired or promoted by these companies will be scrambling to build security programs from scratch.
We’ll cover the building blocks of a sound strategic plan, aligning the plan to the organization’s business objectives, and using the strategic plan as a roadmap for the future of your cybersecurity function. As we walk through developing the plan, we’ll continue both to offer a complete treatment grounded in best practice and to reveal our thought process, maintaining the instructional approach so that this is helpful to CISOs just stepping into the role.
The cybersecurity strategic plan needs to be concise, easy to understand, and reflective of realistic funding expectations that are in line with what the organization can afford. The plan document is not the place to surface a 300% increase in funding; that is a discussion that should already have taken place between you and the management team and, as appropriate, the board. The document should be organized in a methodical manner that makes it easy for stakeholders to read, and its objectives should be aligned with current business functions and processes. We recommend the following structure:
Copyright © 2016, 2018 CISO DRG JV – All Rights Reserved.