Strategic Roadmap Development
SANS MGT514, a leap towards cybersecurity management: Security Strategic Planning, Policy, and Leadership Program
This work is merely a reference to the original SANS MGT514 course, created only based on my understanding of the course. The primary objective of this entire series is to impart information in my own words and persuade people of the efficacy of SANS courses, which are created with numerous real-life examples and well-developed labs. Remember that certain portions were left out in order to avoid any copyright concerns.
Day 2 of our training covered the methods and tools needed to create a strategic roadmap. This part teaches us about:
- How to identify the current security state
- How to establish a winning security roadmap
- How to successfully roll out a security program

Characterize Current-State
Developing a strategic roadmap requires an in-depth analysis of the organization’s existing condition, which provides the credible baseline on which the roadmap is built. In order to understand the current situation, you need to consider the following factors:
Mission and Vision Statement
Vision and mission are often blended or used interchangeably, but they are actually two distinct statements: the first explains “why the organization exists” and “what it wants to achieve over the long run,” while the second describes what the organization is currently doing to realize that vision. Listed below are some excellent vision and mission statements that have been written by various well-known organizations.
In the SANS MGT514 way: Our Cause (Who, what, where?), Our Actions (What do we do?), Our Impact (Changes for the better).
Topics covered:
- Analyzing how security can help the company accomplish its goals and objectives.
- Writing a vision and mission statement for the security department that aligns with the organization’s overall vision and mission statement.
Example of compelling vision & mission statements
- Provide the world’s best customer experience every day.
- Inspired by our vision and driven by our values, we’re passionate about life at home.
- Create economic opportunity for every member of the global workforce.
- help share ideas in communities around the world
- Accelerating the World’s Transition to Sustainable Energy
SWOT Analysis
In the operations of any business there are risks and rewards, and the risks can be reduced by forecasting them through a SWOT analysis. SWOT, an acronym for Strengths, Weaknesses, Opportunities, and Threats, is frequently used at the beginning of a strategic planning process and offers important assistance in decision-making.
- Strengths: favorable attributes that could be used for success
- Weaknesses: unfavorable circumstances that may harm or hinder desired goals
- Opportunities: situations outside the business that may be used for benefit
- Threats: external elements that might pose a risk to the business

Roadmap Development
Program leaders create a strategic roadmap by developing a solid plan that is aligned with the organization’s vision, and a strategy with objectives to achieve those goals. The creation of a roadmap for your security program or team should include more than just identifying technological capabilities. A winning roadmap will include:
Visioning
The process of visioning, which involves developing game-changing ideas, is frequently assumed to be a solitary and quick activity.

Define Intelligible Outcomes
Clearly defined roadmap outcomes enable leaders to create a climate in which individuals may think in novel ways to accomplish the desired goals.
Engage a Security Framework
Choose a pertinent framework and customize it to meet the needs of the program. This step is not only about carrying out the vision, but also about ensuring that the security team adheres to a framework.
Security frameworks serve as a template for developing security programs, managing risk, and communicating about security using a common vocabulary. There are several security frameworks to choose from, and it can be difficult to know which one to employ. Fortunately, many of these frameworks share similar security ideas. Some common examples are:
- ISO 27001 Series
- General Data Protection Regulation
- NIST Cybersecurity Framework
- ENISA Evaluation Framework
- ISF Standard of Good Practices
- COBIT
Write out Gaps
To attain goals, it is necessary to determine the distinct activities that must be performed, by assessing the gaps and understanding the current state.
Gap analysis is used to identify the key actions that must be taken in order to reach the desired future state. These steps can be either qualitative or quantitative. The components needed to create a successful gap analysis report are listed below.
- Historical Analysis
- Asset Analysis
- PEST Analysis
- Threat Analysis
- SWOT Analysis
- Vision & Mission
- Business Goals
- Security Goals
- Vision & Innovation

Develop Program Roadmap
After identifying outcomes, describing the current state, and diagnosing any gaps, a roadmap is created for the team to follow in order to accomplish the anticipated deliverables.
Management Support and Funding
Creating a compelling, convincing, and financially sound business case is essential for securing management approval and funding.
We must understand that senior leadership views security as simply one of many risks and opportunities that must be handled. So we have to assist management in prioritizing and determining suitable resource allocations by developing a detailed business case. A business case that clearly outlines the projected costs and benefits helps senior leadership make wise decisions while taking larger organizational constraints into account.
A business case, in basic terms, outlines the motivation for an action. It describes a problem and possible solutions.
Note: One of the essential leadership skills that was extensively covered in this curriculum is the ability to write business cases.
Key Takeaways
No one buys a product for its own sake; people employ a product or service because they have a task to get done. A successful leader identifies the pain points rather than focusing just on selling the product or service.
Program Execution
Building a successful security program entails more than just creating a roadmap, establishing a strategy, and putting that approach into action. As a leader, you must act technically and think strategically.
Monitoring & Reporting Program
“What gets measured gets controlled,” as the well-known saying goes. Successful security leaders create metrics and dashboards that can be customized to meet the needs of the various organizational levels.

Executive Communications
Most of our stakeholders are very busy, so we need to periodically remind them of the excellent work being done by the security team. This implies that we must put in place a strong marketing and communication plan.