While security strategy covers a vast array of initiatives, there are strategic commonalities across any organization that can improve alignment to business strategy and reduce risk.
From getting a security sponsor on the senior management team to aligning with technical personnel on the IT team to improve hardening and then testing those components, there are many ways to decrease organizational risk.
In this video Chris Yule, SecureWorks Senior Principal Consultant, gives 5 tips on security strategy that can help organizations decrease risk associated with misalignment of business and IT initiatives and a lack of cultural awareness.
I would say there's 5 things that you need to do for security strategy. You need to tie it to the business strategy, make sure you get business buy in and having a sponsor on the senior management team is always crucial to make sure that the whole organization really understands what you're doing. You need to limit your attack surface, so harden things, reduce the exposure, all the typical stuff that IT security tends to be doing in terms of locking things down. Increasing visibility is a crucial one so that you're not just trying to harden things but you're also trying to tear things down, so you're testing, your vulnerability scanning, you're doing penetration tests, your monitoring your infrastructure for the bad stuff so that you're not just relying on the hardening that you're doing but you're also testing it and monitoring for the bad stuff so when it happens you can find that. You need to build a culture of security in your employees, so make sure that everybody's trained, everybody knows what their role is within the organization to keep things secure. And lastly you need to be prepared for when things go wrong. Incident response plan because everybody will get breached at some point regardless of what you do. So making sure you know what your role is, what the organizational responsibilities are and what the plan is to contain and eradicate that when it happens.