Episode 198 – Building a Security Strategy – Part 1

Strategy is the hardest thing a CISO will do in their career… except if they have to explain a massive breach…

  1. What is a Strategy?
     - What's the difference between a strategy and a policy?
       - A policy is a set of binding statements
       - A strategy is thought-out planning
     - What a strategy isn't…
       - A list of tech you want to buy
       - A remediation plan that follows an audit/assessment
       - A continued justification for the way you've always done things
       - The stuff your favorite vendor told you needs doing
     - A strategy is…
       - Based on the needs and desires of the org and its senior leaders
       - Culturally relevant
       - A guide to where investment (money and people) needs to be made
       - Balanced between boldness and reassurance
       - Built on a set of capabilities that map to business success criteria
  2. Why do you want one?
     - Creates a consistent frame of reference for talking about the program
     - Helps senior leaders understand the where/why of the investments
     - Lays out a connected story for CFOrg to make budget less hard
     - Provides a decision-making framework that enables effective choices
  3. How do I make one?
     - Understand the business of your Business
     - Know who your stakeholders really are
     - Capability = (Tech + Service) * Process
     - Crawl, Walk, Run
     - It Takes A Village

In our next episodes we'll break down each of the steps and talk more about strategy…