Continuing the top-down approach to implementing security (the Message / Messenger problem and Risk Management have already been covered), the next two essential top-level objects are the Strategy and the Mission Statement. Both of these, in my opinion, are major marketing pieces that are necessary for delivering the security message. Without them, it is simply harder to ensure that the overall culture and philosophy are carried through.
I rewrote the strategy as a change in my current role, and it has two major components. The first addresses the business value that security brings to the organization; the second is the typical "protectionist" model you will find in most security strategies. It is the first component that should strive to attach the goals of the security group to the goals of the overall organization. In my most recent one I followed the premise of Michael Porter's "Competitive Strategy": how can security drive top-line and bottom-line value in the company? This is more difficult for some organizations than others. Being able to demonstrate, as a product or competitive differentiator, how your security is better is one capability. The ability to build deeper relationships with customers around security and information sharing can be another. On the bottom line, removing the need for expensive OPEX by automating via strong controls is usually an easy one. In Porter's terms these are "Cost Leadership, Differentiation and Focus".
The protectionist model I use, at least in the first 2-3 years, is pretty straightforward. The major themes of the strategy are:
- Culture and Communications
- Governance, Risk and Compliance
- Data Protection
- Infrastructure Management
- Identity and Access Management
The most discussed of late, and probably the most important, is "Culture and Communications". It is the theme I have written about before in the context of solving the people problem. I feel the others are self-explanatory. From these themes the two-year road map is developed and then driven to implementation.
Mission statements are pretty straightforward and should, again, be attached to the overall needs of the organization. Mine reads: "Information Security is responsible for the protection of the brand, intellectual property, customer data and information technology from misuse or compromise". From this the scope of the security organization can be derived. The interesting thing to note is that "customer data" refers to both employees and true customers. Making employees a "customer" is critical to ensuring that the team handles them, and their data, accordingly.