|
Article Description
When called to participate in a strategic planning process, often the typical planning session is more focused on security gap analysis than on developing a true strategic plan for security. Put simply, the typical security team, for various valid reasons, audits the environment for its ability to defend against generic threats or attacks, and, where they see holes in their existing controls, they develop a plan to plug them. The resulting roll-out plan isn’t a strategic plan because it’s missing a key ingredient: an explicit understanding of the company’s assets that need to be protected. Without this ingredient, security planners cannot judge whether controls are adequate, inadequate, or unnecessarily sophisticated. Without an alignment between specific business risks and security controls, the roll-out plan cannot be optimized. This article examines what is involved in developing a world-class security strategy. (PDF, 12 pages, 169 KB)
| 
