Aligning Security Investments to Your Business Strategy
Information security investments must be based on a sound security strategy: one established to protect existing business operations while also enabling the organization's strategic growth objectives. A sound security strategy considers all of the organization's business assets and the risks to them (including legal, regulatory and contractual requirements) in order to determine its control and enablement objectives.
Just as important as the security principles is a set of information security policies, standards and supporting framework documents, along with their associated procedures. Investment must be made to define and implement them, and to continuously educate their target audience about them.
One aspect of their business concerns all organizations alike: cybersecurity threats. In this context, cybersecurity means being attacked by an external malicious threat agent, mostly for financial gain. A security strategy needs an element that deals with this threat, establishing effective methods both to identify ongoing attacks and to remediate them.
Organizations must identify their business assets and the risks relevant to them, and then identify appropriate protection methods. The strategy must account for both present and future assets when setting control and enablement objectives. Organizations should also form strategic security partnerships in order to deal effectively with future security risks.
A sound security strategy should be based on a set of security principles accepted by management and security professionals alike. These principles form the foundation for security investments within your business. Some examples are:
business strategy alignment
due-care and due-diligence
A security organization is the combination of all the people required to perform information security functions within an organization, regardless of whether they sit in the first line of defence, in the second line, or report directly into a dedicated security function.
The governance function must ensure that information security delivers on the objectives set out in its framework. It must be granted a defined set of authorities by management in order to perform its function effectively.
"It's not a matter of IF but WHEN" is an overused cliché in the security industry, but it holds: the organization must be prepared for the case where all other controls fail to defend against a cyber-attack. Sufficient investment must be made in incident response capabilities to support the organization if a breach does occur. Organizations should also plan how a forensic investigation would be carried out.