Domain 01 - Information Security Governance

63. Lesson 7: Information Security Strategy Overview

So let's take a look at the information security strategy as an overview. And to start off, I'll give you a quote from The Concept of Corporate Strategy, second edition. And they said, "A corporate strategy is the pattern of decisions made by a company that determines and reveals the objectives, the purposes or goals, and produces the principles, policies, and plans for achieving those goals." It specifies the types of business that the company will conduct, the type of economic and human organisation that it is or will become, and the nature of the economic and non-economic contributions that it will make to its shareholders, employees, customers, and communities. So there you have it. That's kind of the idea of a corporate strategy. And of course, remember that the goal was for our information strategy to be able to work with the corporate strategy to support the ends of what that organisation is in business to do.

64. Another View of Strategy

Now we can take another look at the strategy, or the other view of it, I should say. It could be argued that past events cannot predict your strategic outcomes. That's not necessarily saying that we can't learn from history, but as we're coming up with strategy, it always seems to involve a new idea, a new market, or emerging technologies. Sometimes we can learn from past events, but they shouldn't be the sole foundation for the strategic outcomes you're expecting in the future. Your well-managed initiatives should be balanced across all activities of adapting the core business so that it is able to meet future challenges.

65. Lesson 8: Creating Information Security Strategy

Let's take a look at creating an information security strategy. Now, one of the things you have to realise is that there are a number of pitfalls that can occur when you're creating a strategy, and management should try to avoid those pitfalls as well as try to achieve the desired outcome.

66. Information Security Strategy

When we take a look at the actual process that you would go through to build an information security strategy, you can look at it from different levels of responsibility and roles within the company. Senior management's goal, of course, is to come up with a business strategy, and they're going to create the overriding business objectives. Again, as we've kept saying, the aim is to make sure the business is profitable at what it does. Steering committees or executive management may be more involved in risk management or information system security, and that means they're going to incorporate their security attributes into the business objectives. But again, remember, the goal is still to support the business objectives. Your chief information security officer or your steering committee might also be the ones involved in the security action plan, the policies, and the standards, and through those they're going to create the security programs. And again, between the business objectives, the security attributes, and the security programs, we get to the implementation of your security strategy. From that point, there are going to be times when we still have to review it, modify it, test it, and analyse it, which may bring us full circle back into the process of revamping it, almost giving the strategy a life cycle of its own. But that's not an uncommon event in any type of design.

67. Common Pitfalls Part 1

Some of the common pitfalls we see in trying to come up with a security strategy start off with things like overconfidence. Now, overconfidence is sometimes just what it sounds like: being way too confident in the expected outcomes, without taking into account a wider set of options, and saying, "No, this pathway that I'm on is the one I'm going to take. It's worked in the past, and there's no doubt." I guess one of the things I've heard is that generally people would rather be precisely wrong than vaguely right. So remember that there are other alternatives. There are many different considerations that you can go through to come up with the ultimate security strategy rather than just placing all of your emphasis on one particular track.

Optimism is the next one. I know it sounds horrible to say optimism is a pitfall, because we always like to be optimistic, but it can go along with overconfidence: we may have estimates that seem like a good deal, and we may say, "Oh yes, there's no doubt that this particular measure is going to work. This policy is going to do its job." And you know what? We may have underestimated, or again, kind of over-promised and under-delivered.

Anchoring is another pitfall that we have to deal with, especially if we take the example of anchoring on the cost of parts of a project, or of a certain type of control or technology. Anchoring is the idea that once a person hears a number for the first time, that number sticks. Let's say they are purchasing something: the first number they hear is the one that anchors in their minds, so that as they start hearing other numbers that might be greater, they're not as happy to hear those, because they've anchored themselves to the very first number they heard.

If I wanted to put this into an analogy of purchasing a firewall, somebody might say, "Hey, here's one that's $10,000," but then we realise it's really not the one that I need, that it doesn't have all of the supporting licences or features. And suddenly I start hearing, "Well, you know, as we analyse this example strategy, we're really going to be looking at a price of $20,000 or $30,000." And I might say, "Hey, no, I heard $10,000, and I'm kind of stuck on that number. Now I've got to find a solution that's $10,000." Or again, if somebody suddenly says, "Well, here's one that's $5,000 that will do the same job," it might be like, "Sold." So although anchoring is a good marketing plan, it's not something we should use in a strategy, because we need to have that flexibility. So far, the pitfalls you see tend to get people stuck in a certain frame of mind, on a certain path.

The status quo bias is another one of those. It may be the idea of saying, "Well, we've always done business this way, so we're going to continue to do business this way," rather than looking at other opportunities or other strategies that might be available to us. We may say we've always used frame relay for our WAN connectivity, and we don't mind operating at suboptimal speeds and having very little bandwidth, compared with this new thing you're calling Metro Ethernet. There is another solution. Now, of course, I'm talking about network connectivity rather than security, but it's again that idea that this is what we've always had. Or it might be, "Hey, I invested a lot of money in this particular countermeasure or control, and because I own it, it's worth more to me than thinking about getting something new or something that will meet our objectives."

Mental accounting is another aspect that we have to deal with. This is where, in our minds, we might start looking at the numbers a little differently. In other words, it's about how you envision money. If I say we need to invest so much money, and I tell you it's going to have to come from the profit and loss as opposed to a line item for new acquisitions, you're thinking, "Well, I want that profit and loss to look really good. So if I can't get it out of the acquisition funds, then I won't make that commitment, because I don't want to change those other numbers." What we're saying is that where the money is coming from, and how we might choose to spend it mentally, may carry a different connotation than looking at the bottom line of trying to meet a certain strategy.

68. Common Pitfalls Part 2

The herding instinct is kind of the idea of following the crowd, you know, going along with almost the status quo idea. I suppose the idea might be that if I'm going to make a decision that is disastrously wrong, I would like to make sure that I'm not the only one who made that same decision. In other words, if a bunch of CEOs got together and made a decision to have a strategy to go in a certain direction and it was bad, at least I can stand up and say, "Well, I'm not the only one." I suppose, in some aspects. Again, we're trying to talk about flexibility, as well as false consensus.

Now, false consensus is believing an idea that's not necessarily true, but because a lot of people believe it, then that might be the way to go. Or we may have an idea where I might say, "Well, you know, the best solution to this problem is to get this countermeasure," because that's what it seems to me I've always heard everybody say is the best solution for the problem at hand. Maybe I'm saying then that the best solution would be to get a certain product that I want to use because it's my understanding that it's the best one we can have. It may not even be true, but it's again the idea of a false consensus, where we think that's what everybody believes. We think that's the current model, the current fad, but it really isn't.

So all of those are pitfalls. And I guess the overwhelming idea behind any of these pitfalls in creating the strategy is that we need to be flexible enough to consider other approaches, to consider many ways to get to what ultimately is the business objective and the security objective, rather than just sticking with what we already know, sticking with the way we've already done business, worrying about how it looks as far as where the funding or payments come from, or following the crowd, which may all be running off a cliff. I guess we've all heard that idea about herds of cattle in a stampede: they'll just follow the first one right off the edge of a cliff, overconfidence and the rest of them. Those are the pitfalls that we have to try to think about from a management perspective as we're coming up with our security strategies.

  • kathy lee
  • Singapore
  • Jan 17, 2025

@bo chung, bad luck :( but don't fret too much about this. Did you attend the classes? Did you read preparatory books? Did you ask your instructor questions or join the community? If your answer to all these is 'yes', then you're good to go and can make use of the dumps from this website.

  • samuel gonsalez
  • Mexico
  • Jan 07, 2025

This is fantastic! Passed the CISM exam! Super happy, this is so important for my future career! Thank you, examsnap

  • bo chung
  • Singapore
  • Dec 23, 2024

Guys, I failed the exam. Will the CISM braindumps help me prepare better?

  • Justin Simpson
  • Switzerland
  • Dec 11, 2024

@ahmed shawky, I once had the same problem :) Well, actually, you'll need at best some 5 years of work experience in information security management. However, this can be waived up to 3 years. Unfortunately, I don't remember the details. Maybe try a Google search and in the search engine write CISM pdf

  • ahmed shawky
  • Belgium
  • Nov 29, 2024

Morning! Anybody know which experience is required to be entitled to the CISM exam?? I scoured the ISACA site, didn't find any relevant data, so any info will be of much help
