Strategy is the hardest thing a CISO will do in their career...except if they have to explain a massive breach…
- What is a Strategy?
1. What's the difference between a strategy and a policy?
- A policy is a set of binding statements
- A strategy is thought-out planning
2. What a strategy isn't…
   1. A list of tech you want to buy
   2. A remediation plan that follows an audit/assessment
   3. A continued justification for the way you've always done things
   4. The stuff your favorite vendor told you needs doing
3. A strategy is…
   1. Based on the needs and desires of the org and its senior leaders
   2. Culturally relevant
   3. A guide to where investment (money and people) needs to be made
   4. Balanced between boldness and reassurance
   5. Built on a set of capabilities that map to business success criteria
- Why do you want one?
1. Creates a consistent frame of reference for talking about the program
2. Helps senior leaders understand the where/why of the investments
3. Lays out a connected story for the CFO org to make budget less hard
4. Provides a decision-making framework that enables effective choices
- How do I make one?
1. Understand the business of your Business
2. Know who your stakeholders really are
3. Capability = (Tech + Service) * Process
4. Crawl, Walk, Run
5. It Takes A Village
In our next episodes we'll break down each of the steps and talk more about strategy…