
How to reboot a broken or outdated security strategy

source link: https://www.csoonline.com/article/3603569/how-to-reboot-a-broken-or-outdated-security-strategy.html

CISOs talk about how they identify when they need a new security strategy and the process of developing it and selling the reboot to stakeholders.

By John Edwards

CSO | Jan 18, 2021 2:00 am PST

An enterprise security strategy should be like a weather report: subject to frequent updates. Allowing a security plan to fall out of sync with current and emerging threats, as well as evolving enterprise technologies and interests, can open the door to financial and reputational catastrophes.

Many elements contribute to a comprehensive security strategy and just as many factors can break or outdate a once-formidable security blueprint. "People, process, and technology are the key areas," says Greg Carrico, senior cybersecurity manager at business and technology consulting firm Capgemini North America. "Companies that don't maintain a pulse on current events, process automation, review cycles and current technical skillsets may continue to struggle with the protection of their most critical items without even realizing that threat actors have set their proverbial sights on them."

Indicators of an ineffective security strategy

The best security plans are crisp, relevant, and easily understood by everyone across the entire enterprise. "Your strategy needs to be feasible, acceptable, suitable, affordable, and understandable," says Brigadier General (retired) Gregory J. Touhill, the first federal CISO and currently an adjunct professor at Carnegie Mellon University's Heinz College of Information Systems and Public Policy. "As a military commander, I knew our strategy was outdated or ineffective when my troops couldn’t articulate it to me," he says. "When the troops don’t know your strategy, or how they are contributing to it, that is a major alarm bell."

An obvious sign of an outdated security strategy is an overall lack of relevance. "To ensure that critical security resources are helping to meet key strategic objectives, it's imperative for the security strategy to be directly aligned to the core components in an organization's business strategy," says Brennan P. Baybeck, an Oracle vice president and CISO for customer services.


