
Building a solid information security strategy: What’s essential for resilience?


This third entry in the series from Gary Warzala completes his tour of "what's essential" for cyber resilience from a CISO's perspective, covering people, process and IT maturity. AXELOS' RESILIA standard is integral to the process.

By Gary Warzala

Good information security and cyber resilience begins with creating a solid security strategy. So, how do organizations and their CISOs or Heads of IT and security create such a strategy? 

There are a number of critical questions, driving factors and strategic considerations to recognize in order to develop such a strategy: 

Your business strategy

What is the business strategy and what are the information risks associated with it? Is your business growing through acquisition? How extensive is your reliance on third parties? How far have you adopted cloud computing? Mobile? What is your internet footprint? What are your company's risk profile and risk tolerance? Do you have the right organizational skills and capabilities in your information security organization to support this business strategy?

Your organization’s culture

Where does information security / risk management fit into the culture? Does it fit at all, or is it a core pillar of the business? Is there a clear and positive attitude to the topic from the executive team? 

If you can't remediate a risk, you need to be able to clearly communicate the residual risk, including its likelihood and impact, through the appropriate governance channels. Again, identify the areas you need to address to support your mission to protect and enable the company.

Your IT organization systems and infrastructure

You need to identify the key areas to focus on and the relationships you need to build. How mature are the processes? Are there organizational silos? How strong is cyber awareness across all staff in the organization? What challenges do you face in engaging all your people? 

You need to standardize and simplify: having one of everything is not the ideal state. Most importantly, you have to have a mature hardware and software asset inventory process. If you don't know where your enterprise assets are, you can't protect them. Minimize the unknown-unknowns.
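One concrete way to chase the unknown-unknowns is to reconcile what the inventory believes exists against what the network actually shows. The script below is an added example, not part of the article and not any vendor's tool; the CMDB export and DHCP-style lease lines it contains are constructed sample data, and the field layout of both is an assumption. It normalises MAC addresses across the notations that typically appear in real inventories (colon, dash, Cisco dotted, mixed case), because a join on raw strings would report managed hosts as unknown, then reports the two gaps: hosts seen on the wire but absent from the inventory, and inventoried assets that have not been observed.

```python
"""Reconcile an authoritative asset inventory against hosts seen on the network.

Added example (not from the article). All data below is constructed:
a toy CMDB export and a few DHCP-style lease lines. Output lists
'unknown' hosts (on the wire but not in inventory) and 'unseen' assets
(in inventory but not observed), the two gaps an inventory process must
close before the assets can be protected.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample inventory export. MAC formats deliberately vary, as
# they do in real CMDB data (colon, dash, Cisco dotted), and case differs.
INVENTORY_CSV = """asset_id,hostname,mac,owner,last_verified
A-001,web01.corp.example,00:1A:2B:3C:4D:5E,webteam,2015-06-01
A-002,db01.corp.example,00-1a-2b-3c-4d-5f,dba,2015-05-20
A-003,legacy-fax.corp.example,00:1A:2B:3C:4D:60,facilities,2013-01-15
A-004,laptop-jdoe,001A.2B3C.4D61,jdoe,2015-06-10
"""

# Constructed sample of what the network actually shows (DHCP-style leases).
# "-" means the client sent no hostname. Line format is an assumption.
OBSERVED_LOG = """2015-06-12T08:01:02 lease 10.0.1.10 00:1a:2b:3c:4d:5e WEB01
2015-06-12T08:01:05 lease 10.0.1.11 00:1a:2b:3c:4d:5f db01
2015-06-12T08:02:17 lease 10.0.1.57 00:1a:2b:3c:4d:61 laptop-jdoe
2015-06-12T08:03:44 lease 10.0.1.99 d4:3d:7e:aa:bb:cc -
2015-06-12T08:04:10 lease 10.0.2.14 00:50:56:12:34:56 build-runner-7
garbage line that should be ignored
"""

LEASE_RE = re.compile(r"^(\S+) lease (\S+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Observed:
    ip: str
    mac: str
    hostname: Optional[str]


def normalize_mac(raw: str) -> str:
    """Canonicalise any common MAC notation to lowercase, colon-separated form.

    Joining on a normalised key is what makes the comparison reliable;
    comparing raw strings would report db01 and laptop-jdoe as unknown."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    hexdigits = hexdigits.lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(text: str) -> Dict[str, dict]:
    """Parse the CMDB export; key each row by its normalised MAC."""
    return {normalize_mac(row["mac"]): row
            for row in csv.DictReader(io.StringIO(text))}


def parse_observed(text: str) -> Dict[str, Observed]:
    """Parse lease lines; malformed lines are skipped rather than aborting the run."""
    seen: Dict[str, Observed] = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        _ts, ip, mac, host = m.groups()
        mac = normalize_mac(mac)
        seen[mac] = Observed(ip, mac, None if host == "-" else host.lower())
    return seen


def reconcile(inventory: Dict[str, dict],
              observed: Dict[str, Observed]) -> Dict[str, List[str]]:
    """Return the two gaps: MACs seen but not inventoried, and inventoried but not seen."""
    return {
        "unknown": sorted(m for m in observed if m not in inventory),
        "unseen": sorted(m for m in inventory if m not in observed),
    }


def report(inventory: Dict[str, dict], observed: Dict[str, Observed]) -> List[str]:
    """Human-readable lines, one per gap, suitable for a ticket or dashboard."""
    gaps = reconcile(inventory, observed)
    lines = []
    for mac in gaps["unknown"]:
        o = observed[mac]
        lines.append(f"UNKNOWN {mac} ip={o.ip} host={o.hostname or '?'}: "
                     f"not in inventory, investigate and enrol")
    for mac in gaps["unseen"]:
        row = inventory[mac]
        lines.append(f"UNSEEN  {mac} {row['asset_id']} {row['hostname']} "
                     f"(last verified {row['last_verified']}): confirm decommissioned or missing")
    return lines


if __name__ == "__main__":
    for line in report(load_inventory(INVENTORY_CSV), parse_observed(OBSERVED_LOG)):
        print(line)
```

Run against real data, the observed side would come from whatever sources see every device (DHCP leases, switch MAC tables, EDR check-ins), and the value is in running it continuously: each UNKNOWN line is a candidate unknown-unknown to enrol or remove, and each UNSEEN line with an old last_verified date is inventory rot to clean up.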

Take note: Verizon publishes their global Data Breach report every year. At the top of the list every time: the compromise of unknown assets. 

In that report for 2015, Verizon provides these cost estimates for data breaches: 

  • "Using this model we estimate that the average loss for a breach of 1,000 records will be between $52,000 and $87,000—$52 to $87 per record.
  • In contrast, the average loss caused by a breach affecting 10 million records is estimated be between $2.1 million and $5.2 million—$0.21 to $0.52 per record."

In short, the message from Verizon is that it will take less time, fewer resources and less budget to secure your data than a data breach will cost you when it occurs.

Having an understanding of your adversaries

You need to understand who your adversaries are: nation states, cyber criminals, hacktivists, the insider, or, more and more often, a blended attack. What are their methods and motivations, and what information or systems are they most likely to target? What is the effectiveness of your security controls, your threat intelligence and your ability to deploy that intelligence to your sensors in real time to detect adversaries before they do harm to the enterprise?

Your government and industry regulations

Understand what they demand of you and just do it, the right way. Don't get side-tracked by non-compliance; take care of this on your terms, not the regulator's. Compliance is just a subset of a good information security / risk management programme anyway.

What is your relative maturity?

You need to understand the other businesses in your sector and how your programme maturity compares with theirs by performing competitive benchmarking. In many cases it comes down to economics for your adversary, so make it more difficult and costly to successfully attack your enterprise than your competitors'.

Want more details? The team has prepared a series of discussion papers, which are posted on a new HPE Security knowledge page. We invite you to take a look, and see how Security training from Education Services will add value to your business.


About the Author


25+ years in high tech in various roles that include Consulting, Channel Mgmt, Product Mgmt and Marketing. Technology areas include storage and data management, high availability, cloud and hosting, networking, and mobility/wearable technology for enterprise, SMB, and channel business. Industries include healthcare, financial services, ISVs, Service Providers and telcos.