Information Security Strategy Development

Key Takeaways

  • The security strategy translates business objectives into a desired security state and a roadmap to close the gap from the current state.
  • Strategy starts with business goals and risk appetite, never with a technology shopping list — the most-tested ordering in Domain 1.
  • A gap analysis (current state vs. desired state) defines the roadmap; resources, constraints, and a defined risk appetite shape what is feasible.
  • The Business Model for Information Security (BMIS) frames the dynamic interplay of organization, people, process, and technology.
Last updated: June 2026

What a Strategy Actually Is

An information security strategy is the plan that moves the enterprise from its current security state to a desired (target) security state that supports business objectives within the defined risk appetite. CISM is emphatic about sequence: the strategy begins with business goals and objectives, derives security objectives from them, and only then selects initiatives and technology. The single most-tested ordering error in Domain 1 is starting with a control or product ("we need a SIEM") instead of the objective it serves.

The desired state is best expressed in business terms — acceptable downtime, tolerable loss, required assurance — not as a list of tools. A useful exam heuristic: if an answer names a product first, it is probably wrong for a strategy question.

Current State, Desired State, and the Gap

The roadmap is the output of a gap analysis:

| Step                 | Question answered                               | Typical input                                    |
|----------------------|-------------------------------------------------|--------------------------------------------------|
| Define desired state | Where must security be to support the business? | Business objectives, risk appetite, obligations  |
| Assess current state | Where is security today?                        | Risk assessment, control maturity, audit results |
| Identify the gap     | What is missing or weak?                        | Comparison of the two states                     |
| Build the roadmap    | How do we close the gap and in what order?      | Prioritized, resourced initiatives               |

Maturity models such as the Capability Maturity Model Integration (CMMI) are common tools for expressing current and target states on a comparable scale (e.g., from ad-hoc to optimized), which lets management see progress quantitatively.

Risk Appetite and Constraints Shape Feasibility

A strategy is not a wish list. It is bounded by constraints the exam expects you to weigh: budget, time, staffing and skills, existing technology, culture, and legal limits. Risk appetite — the amount of risk the board is willing to accept in pursuit of objectives — sets how aggressive the target state must be. A target state that pushes residual risk well below appetite wastes resources; one that leaves residual risk above appetite is non-compliant with governance direction. The manager's craft is choosing initiatives that bring residual risk to just within appetite at acceptable cost.

Key resources and inputs the strategy draws on include the risk assessment results, the asset inventory and classification, existing policies and standards, available budget and skills, and the maturity baseline.

The Business Model for Information Security (BMIS)

ISACA's Business Model for Information Security (BMIS) is the lens that keeps strategy holistic. It models security as a system of four interconnected elements — Organization, People, Process, and Technology — joined by dynamic interconnections (culture, governance, architecture, enabling-and-support, emergence, and human factors). The teaching point for the exam: a change to one element ripples to the others. Deploying a new technology (Technology) without addressing training (People), workflow (Process), and sponsorship (Organization) predictably fails.

When a strategy question offers a technology-only fix, the BMIS-aware answer addresses the people and process interconnections too. This mirrors the recurring CISM theme that durable security is a management discipline, not a procurement event.

SWOT, Resources, and the Roadmap Sequence

Before committing a roadmap, a manager characterizes the environment with tools such as a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats), which surfaces internal capability gaps and external threat or opportunity drivers that the strategy must address. The strategy then sequences initiatives so that foundational items (asset inventory, classification, identity governance) precede dependent ones (data loss prevention, advanced monitoring), because a control built on an unknown asset base fails.

A common exam error is selecting a sophisticated detective control as the first initiative when the enterprise has no reliable asset inventory — the foundation must come first.

The inputs and the order in which they feed the strategy are testable:

| Input                      | Role in strategy                   | What it constrains              |
|----------------------------|------------------------------------|---------------------------------|
| Business objectives        | Define the desired state           | Direction and priorities        |
| Risk appetite              | Sets how low residual risk must go | Aggressiveness of targets       |
| Risk assessment            | Reveals the current gaps           | Which initiatives matter most   |
| Resources (budget, skills) | Determine feasibility              | Pace and scope of the roadmap   |
| Obligations                | Mandatory floor                    | Non-negotiable initiatives      |

Strategy Versus Plan Versus Program

CISM separates three terms candidates blur. The strategy is the direction and target state. The plan/roadmap is the sequenced, time-bound set of initiatives to reach it. The program is the ongoing structure — people, processes, and governance — that executes and sustains the plan. A question that asks "what should be developed first" almost always wants the strategy, because the plan and program derive from it; building a program or buying tools before a strategy exists is the inversion the exam penalizes.

Finally, a strategy is living, not a one-time deliverable. It is reviewed when business objectives shift, after major incidents, when risk appetite changes, or when new obligations arise. The manager re-runs the gap analysis, re-prioritizes the roadmap, and re-presents changes for governance approval. Treating the strategy as a static binder is itself a maturity weakness — the kind a CMMI-style assessment would flag — and recognizing the need to revisit it on a defined cadence is part of the strategic-alignment outcome that governance demands.

Test Your Knowledge

When developing an information security strategy, what is the correct starting point?


A security manager has documented the desired state and the current state. What does comparing them produce?


Under the Business Model for Information Security (BMIS), why does deploying a new tool without training and process changes typically fail?
