Build a Security Roadmap

Presented by

Carlos Rivera | Isabelle Hertanto | Cameron Smith


Your Presenters

Carlos Rivera, Principal Research Advisor, Security & Privacy
Isabelle Hertanto, Principal Research Director, Security & Privacy
Cameron Smith, Research Lead, Security & Privacy

Introduction

While easy to develop, security plans blindly following best practices are unlikely to win over many stakeholders. To be truly successful, an information security strategy needs to be holistic, risk-aware, and business-aligned.

Info-Tech Research Group 2


Breach Costs

The cost of a security breach is rising steeply. The shift to remote work exposes organizations to more costly cyber incidents than ever before.

• The cost of a breach is higher when remote work is involved.
• The cost comes not only directly from payments but also indirectly from reputational loss.
• The ubiquitous remote work that we saw in 2021 and continue to see in 2022 can lead to more costly security events.

$4.24 million: The cost of a data breach rose by nearly 10% in the past year, the highest rate in over seven years.

$1.07 million: The average cost of breaches where remote work is involved is $1.07 million higher than breaches where remote work is not involved.

Source: IBM, 2021


Cyberattacks have a significant financial impact

Global average cost of a data breach: $3.92 Million
Source: IBM Security, “Cost of a Data Breach Report 2022”

Average total cost of a data breach by industry (measured in US$ millions):
Public Sector $2.07
Hospitality $2.94
Media $3.15
Retail $3.28
Transportation $3.59
Communication $3.62
Entertainment $3.83
Education $3.86
Consumer $3.86
Research $3.88
Industrial $4.47
Services $4.70
Energy $4.72
Technology $4.97
Pharmaceuticals $5.01
Financial $5.97
Healthcare $10.10

Primary incident type (with a confirmed data breach):
• 25%: This year, Ransomware has continued its upward trend with an almost 13% increase – a rise as big as the last five years combined (for a total of 25% this year).
• 46%: The Denial of Service (DoS) action is still the clear leader, representing 46% of total incidents, followed by the malware types of Backdoor or C2 (Command and Control Infrastructure) at 17%.
• There are four key paths leading to your estate: Credentials, Phishing, Exploiting vulnerabilities and Botnets, and no organization is safe without a plan to handle them all.

Source: Verizon, “2022 Data Breach Investigations Report”
Have you had a security incident over the last year?
Creating the right security strategy

The Info-Tech difference:
• A proven, structured approach to mature your information security program from reactive to strategic.
• A comprehensive set of tools to take the pain out of each phase in the strategy building exercise.
• Visually appealing templates to communicate and socialize your security strategy and roadmap to your stakeholders.

Outcomes of a business-aligned strategy:
• Be ready for future changes by aligning your security strategy to security framework best practices.
• Gain insight into your current state, allowing you to focus on high-value projects first, transitioning toward a target state.
• Instead of pursuing ad hoc projects, know what needs work and how to prioritize your pressing security issues.
• Document your current progress and path forward in the future. Know your goals and requirements, codified in a living document.
• A comprehensive set of deliverables with concrete, defensible data to justify any business changes.
• Future-proof your security strategy for any contingency.
Creating an information security strategy

The Info-Tech difference:
• Evolve the security program to be more proactive by leveraging Info-Tech’s proven, structured approach to building a security strategy.
• Dive deep into security obligations and security pressures to define the business context.
• Conduct a thorough current state and future state analysis that is aligned with a best-of-breed framework.
• Prioritize gap-closing initiatives to create a living security strategy roadmap.

Value to the business:
• Have documentation that paints a picture of the road to compliance. Integrate your framework with your risk tolerance and external pressures.
• Eliminate gaps in process and know what is in scope for your security strategy. Learn what pressures your business and industry are under.
• Build a comprehensive security program that brings to light all aspects of your security program.
• Create a plan for your future state of information security. Refer to and update your target state as your business needs change.
• Let Info-Tech do the work for you. With completed deliverables, have tangible documents to convey your business needs.
• Pivot and change prioritization to meet the needs of your security deficits.
Do you have a security strategy?
Info-Tech’s approach

Maturing from a reactive to a strategic information security posture.

“Business as usual” (Reactive Security) is a loop: identify a new security threat, mitigate the threat, purchase a new security tool.

Strategic Security follows a cycle:
1. Gather requirements: business context, scope, risk assessment.
2. Develop target state for information security program.
3. Conduct current state assessment and develop roadmap to achieve target state.
4. Execute on security roadmap and report progress to senior stakeholders.
Info-Tech’s best-of-breed security framework

Source frameworks: ISO 27000 series, CIS Critical Controls, COBIT, NIST 800-53, NIST CSF.

Security Governance
• Context and Leadership: Information Security Program; Organizational Structure
• Organizational Culture: Security Culture and Awareness; Security Policies
• Evaluation and Direction: Security Risk Management
• Compliance, Audit, and Review: Security Compliance Management; Security Audit

Security Prevention
• Identity and Access Management; Network Security; Vulnerability Management; Human Resource Security
• Hardware Asset Management; Endpoint Security Management; Cryptography Management; Configuration and Change Management
• Malicious Code Protection; Data Security & Privacy; Physical Security; Vendor Risk Management
• Application Security; Cloud Security

Security Detection
• Security Threat Detection; Log and Event Management

Security Incident Response & Recovery
• Security Incident Management; Backup and Recovery; Security e-Discovery and Forensics; InfoSec in Business Continuity Planning

Measurement
• Security Metrics


Security Strategy Model

The Info-Tech difference:

Requirements
• Business Context: Enterprise Goals; Compliance Obligations; Scope & Boundaries
• Pressures: Risk Tolerance; Stakeholder Expectations; Security Risks

Security Target State
• Security Alignment Goals; Target Maturity; Time Frame; Maturity Model; Security Framework

Current State Assessment
• Security Current State; Gap Analysis

Prioritization Methodology
• Initiative List; Task List; Gantt Chart

Information Security Roadmap


Use the Information Security Requirements Gathering Tool to establish the business context and scope

• Security must support the primary business objectives. A strong security program will enable the business to compete in new and creative ways, rather than simply acting as an obstacle.
• Failure to meet business obligations can result in operational problems, impacting the organization’s ability to function and the organization’s bottom line.
Use the Information Security Pressure Analysis Tool to complete the risk assessment and pressure analysis

Organizational Risk Assessment (scale: Low, Moderate, High, Very High)

The current inherent organizational security risk level is assessed as High.

An inherent risk assessment measures an organization’s information security risk prior to any consideration of existing controls. The assessment considers factors such as threats (who would want to attack the organization), assets (why they would want to attack it), and vulnerabilities (how they would attack). The assessment additionally considers the organization’s recent history of security incidents.

Contributing Risk Factors: Threats; Assets; Incidents; Vulnerabilities (People, Systems, Supply Chain).

Security Pressure Analysis (scale: Low, Moderate, High, Very High)

The current organizational security pressure level is assessed as Moderate.

A security pressure analysis measures the internal and external factors that would drive an organization to need a more mature security program. The analysis considers external factors such as regulator oversight and customer expectations. Internal factors include senior management visibility into the security program, as well as the need to support and secure IT operations and strategies.

Contributing Pressure Factors: External Stakeholders (Compliance & Oversight, Customers); Internal Stakeholders (Business, Information Technology).


Assessing your organization’s desired target state maturity


Understanding Target States

Example maturity scores: Current 2.1, Target 3.7.

01 AD HOC: Initial/ad hoc security programs are reactive. Lacking strategic vision, these programs are less effective and less responsive to the needs of the business.

02 DEVELOPING: Developing security programs can be effective at what they do but are not holistic. Governance is largely absent. These programs tend to rely on the talents of individuals rather than a cohesive plan.

03 DEFINED: A defined security program is holistic, documented, and proactive. At least some governance is in place, however, metrics are often rudimentary and operational in nature. These programs still often rely on best practices rather than strong risk management.

04 MANAGED: Managed security programs have robust governance and metrics processes. Management and board-level metrics for the overall program are produced. These are reviewed by business leaders and drive security decisions. More mature risk management practices take the place of best practices.

05 OPTIMIZED: An optimized security program is based on strong risk management practices, including the production of key risk indicators (KRIs). Individual security services are optimized using key performance indicators (KPIs) that continually measure service effectiveness and efficiency.
Roadmap Execution Waves

Security initiatives are prioritized and assigned to execution waves, as described below. These waves are then mapped into a Gantt chart to create the security roadmap.

WAVE 0: “In flight” initiatives; projects already in process
WAVE 1: “Must do” initiatives; quick wins and foundational priorities
WAVE 2: “Should do” initiatives; strategic priorities
WAVE 3: “Could do” initiatives; lower value or higher cost
WAVE 4: “Won’t do” initiatives; costs outweigh benefits
How do we prioritize our initiatives?
Top Security Priorities and Constraints 2022 (survey results)

TOP PRIORITIES
• Acquiring and retaining talent: 30%
• Protecting against and responding to ransomware: 23%
• Securing a remote workforce: 23%

TOP OBSTACLES
• Staffing constraints: 31%
• Demand of ever-changing business environment: 23%
• Budget constraints: 15%

Survey respondents were asked to force-rank their security priorities. Among the priorities chosen most frequently as #1 were talent management, addressing ransomware threats, and securing hybrid/remote work.

Talent management is both the #1 priority and the top obstacle facing security leaders in 2022. Unsurprisingly, the ever-changing environment in a world emerging from a pandemic and budget constraints are also top obstacles.


We know the priorities… But what are security leaders actually working on?

Top security topics among Info-Tech members:
• Security Strategy
• Security Policies
• Security Operations
• Security Governance
• Security Incident Response

Many organizations are still mastering the foundations of a mature cybersecurity program. This is a good idea! Most breaches are still due to gaps in foundational security, not lack of advanced controls.


We know the priorities… But what are security leaders actually working on?

Demand for security by industry (chart: security projects included in annual plan relative to industry). Industries shown: Real Estate & Prop Mgt, Insurance, Natural Resources, Utilities, Construction, Other/Unknown, Education, Transportation, Manufacturing, Media, Comm & Tech, Professional Services, Healthcare, Retail, Other Services, Government, Financial Services, Sports, Leisure & Entertainment.

One industry plainly stands out from the rest. Government organizations are proportionally much more active in security than other industries, and for good reason: they are common targets.

Manufacturing and professional services are proportionally less interested in security. This is concerning, given the recent targeting of supply chain and personal data holders by ransomware gangs.


BREAKOUT ACTIVITY: Building a Security Roadmap

Build a business-aligned strategic roadmap for your security program. Please download our tool if you have a device that can access the app.

Align Security with Business Goals

Configure the Information Security Gap Analysis Tool

Review the Setup tab of the Information Security Gap Analysis Tool. This tab contains several configurable settings that should be customized to your organization. For now, the three settings you will need to modify are:
a) The security target state. Enter the target state from your Information Security Pressure Analysis Tool. If you do not enter a target state, the tool will default to a target of 3 (Defined).
b) Your Security Alignment Goals (from your Information Security Requirements Gathering Tool).
c) The starting year for your security roadmap.
Conduct current state assessment

1. Carefully review each of the controls in the Gap Analysis tab. For each control, indicate the current maturity level using the drop-down list. You should only use “N/A” if you are confident that the control is not required in your organization. For example, if your organization does not perform any software development then you can select “N/A” for any controls related to secure coding practices.
2. Provide comments to describe your current state. This step is optional but recommended as it may be important to record this information for future reference.
3. Select the target maturity for the control. The tool will default to the target state for your security program, but this can be overridden using the drop-down list.
Review the Gap Analysis Dashboard

Use the Gap Assessment Dashboard to map your progress. As you fill out the Gap Analysis Tool, check with the Dashboard to see the difference between your current and target state.

Use the color-coded legend to see how large the gap between your current and target state is. The legend can be customized further if desired.

Security domains that appear white have not yet been assessed or are rated as “N/A.”
Identify gap closure actions

1. For each of the controls where there is a gap between the current and target state, a gap closure action should be identified. Review the example actions and copy one or more of them if appropriate. Otherwise, enter your own gap closure action.
2. Identify whether the action should be managed as a task or as an initiative. Most actions should be categorized as an initiative. However, it may be more appropriate to categorize them as a task when:
   a) They have no costs associated with them
   b) They require a low amount of initial effort to implement and no ongoing effort to maintain
   c) They can be accomplished independently of other tasks
Consolidate your gap closure actions into initiatives

In the example below, we see three gap closure actions within the Security Culture and Awareness domain being consolidated into a single initiative “Develop security awareness program.” We can also see one gap closure action within the same domain being grouped with two actions from the Security Policies domain into another initiative “Update security policies.”

Info-Tech Insight: As you go through this exercise, you may find that some actions that you previously categorized as tasks could be consolidated into an initiative.
Finalize your initiative list

1. Review your final list of initiatives and make any required updates.
2. Optionally, add a description or paste in a list of the individual gap closure actions that are associated with the initiative. This will make it easier to perform the cost and benefit analysis.
3. Use the drop-down list to indicate which of the security alignment goals most appropriately reflects the objectives of the initiative. If you are unsure, use the legend next to the table to find the primary security domain associated with the initiative and then select the recommended security alignment goal. This step is important to understand how the initiative supports the business goals identified earlier.
Define costing criteria

1. On the Setup tab of the Information Security Gap Analysis Tool, enter high, medium, and low ranges for initial and ongoing costs and efforts.
   a) Initial costs are one-time, upfront capital investments (e.g. hardware and software costs, project-based consulting fees, training).
   b) Ongoing cost is any annually recurring operating expenses that are new budgetary costs (e.g. licensing, maintenance, subscription fees).
   c) Initial staffing in hours is total time in person hours required to complete a project. It is not total elapsed time but dedicated time. Consider time required to gather requirements and to design, test, and implement the solution.
   d) Ongoing staffing in FTEs is the ongoing average effort required to support that initiative after implementation.
2. In addition to ranges, provide an average for each. These will be used to calculate estimated total costs for the roadmap.

Make sure that your ranges allow for differentiation between initiatives to enable prioritization. For instance, if you set your ranges too low, all your initiatives will be assessed as high cost, providing no help when you must prioritize them.
Define benefits criteria

1. On the Setup tab of the Information Security Gap Analysis Tool, enter high, medium, and low values for the Alignment with Business Benefit. This variable is meant to capture how well each initiative aligns with organizational goals and objectives. By default, this benefit is linked directly to business goals through the primary and secondary security alignment goals. This allows the tool to automatically calculate the benefit based on the security alignment goals associated with each initiative. If you change these values, you may need to override the calculated values in the prioritization tab.
2. Enter a high, medium, and low value for the Security Benefit. This variable is meant to capture the relative security benefit or risk reduction being provided by the gap initiative. By default, this benefit is linked to security risk reduction.

Some organizations prefer to use the “Security Benefit” criteria to demonstrate how well each initiative supports specific compliance goals.
Complete the cost/benefit analysis

1. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier. If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.
2. Enter the estimated benefits, also using the criteria defined earlier. The Alignment with Business benefit will be automatically populated, but you can override this value using the drop-down list if desired.
Assign initiatives to execution waves

1. Using sticky flip chart sheets, create four sheets and label them according to the four execution waves:
   01 MUST DO – These are initiatives that need to get moving right away. They may be quick wins, items with critical importance, or foundational projects upon which many other initiatives depend.
   02 SHOULD DO – These are important initiatives that need to get done but cannot launch immediately due to budget constraints, dependencies, or business impacts that require preparation.
   03 COULD DO – Initiatives that have merit but are not a priority.
   04 WON’T DO – Initiatives where the costs outweigh the benefits.
2. Using the further instructions on the following slides, move the initiative sticky notes from your effort map into the waves.
Considerations for prioritization

• Starting from the top right of the effort map, begin pulling stickies off and putting them in the appropriate roadmap category.
• Keep dependencies in mind. If an important initiative depends on a low-priority one being completed first, then pull dependent initiatives up the list.
• It may be helpful to think of each wave as representing a specific time frame (e.g. wave 1 = first year of your roadmap, wave 2 = year two, wave 3 = year three).

Effort map: initiatives sit on a grid of cost (Low Cost at the top, High Cost at the bottom) against benefit (Low Benefit on the left, High Benefit on the right) and are moved into the four wave sheets: 01 MUST DO, 02 SHOULD DO, 03 COULD DO, 04 WON’T DO.

Info-Tech Insight: Use an iterative approach. Most organizations tend to put too many initiatives into wave 1. Be realistic about what you can accomplish and take several passes at the exercise to achieve a balance.
Finalize prioritization

1. Once you have completed placing your initiative sticky notes into the waves, update the Prioritization tab with the Roadmap Wave column. Any initiatives that are currently in progress should be assigned to Wave 0.
2. Optionally, use the Roadmap Sub-Wave column to prioritize initiatives within a single wave. This will allow you more granular control over the final prioritization, especially where dependencies require extra granularity.
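As an added worked example (not part of this deck or the Info-Tech Gap Analysis Tool), the Python below walks the prioritization procedure above: it bands each initiative's cost and benefit, reads the effort map into a wave, pulls prerequisites up so a dependency lands no later than the initiative that needs it, puts in-flight work in Wave 0, and flags waves holding more than a team can deliver. The cost thresholds, the quadrant-to-wave rules and the sample initiatives are constructed assumptions, not values from the tool.

```python
from collections import Counter
from dataclasses import dataclass, field
# Constructed cost thresholds (assumed, not the tool's defaults): first-year cost
# at or below "low" is Low, at or below "medium" is Medium, otherwise High.
COST_THRESHOLDS = {"low": 25_000, "medium": 100_000}
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Initiative:
    name: str
    initial_cost: float          # one-time upfront investment, USD
    ongoing_cost: float          # annually recurring operating cost, USD
    security_benefit: str        # "low" | "medium" | "high": risk reduction
    business_alignment: str      # "low" | "medium" | "high": alignment with business
    in_flight: bool = False      # already in progress -> Wave 0
    depends_on: list = field(default_factory=list)  # names of prerequisites

def cost_band(i: Initiative) -> str:
    """Bucket first-year cost (initial plus one year of ongoing) into a cost band."""
    total = i.initial_cost + i.ongoing_cost
    if total <= COST_THRESHOLDS["low"]:
        return "low"
    return "medium" if total <= COST_THRESHOLDS["medium"] else "high"

def benefit_band(i: Initiative) -> str:
    """Combine security benefit and business alignment into one benefit band."""
    score = LEVEL[i.security_benefit] + LEVEL[i.business_alignment]  # 2..6
    return "high" if score >= 5 else "medium" if score >= 3 else "low"

def quadrant_wave(i: Initiative) -> int:
    """Effort map (cost vs benefit) to wave: 0 in flight, 1 must, 2 should, 3 could, 4 won't."""
    if i.in_flight:
        return 0
    cost, benefit = LEVEL[cost_band(i)], LEVEL[benefit_band(i)]
    if benefit == 3 and cost < 3:
        return 1   # quick win or foundational: high benefit without high cost
    if benefit == 3 or (benefit == 2 and cost < 3):
        return 2   # worth doing, but cost or preparation delays the launch
    if benefit == 2 or cost < 3:
        return 3   # lower value or higher cost
    return 4       # high cost, low benefit: costs outweigh benefits

def assign_waves(initiatives: list) -> dict:
    """Place each initiative (assumed quadrant rules), then pull prerequisites up."""
    wave = {i.name: quadrant_wave(i) for i in initiatives}
    changed = True
    while changed:                      # repeat until dependency chains settle
        changed = False
        for i in initiatives:
            for dep in i.depends_on:
                if wave[dep] > wave[i.name]:
                    wave[dep] = wave[i.name]
                    changed = True
    return wave

def overloaded_waves(wave: dict, capacity: int) -> list:
    """Waves holding more initiatives than the team can realistically deliver."""
    return sorted(w for w, n in Counter(wave.values()).items() if w > 0 and n > capacity)

# Constructed sample initiatives; costs and ratings are illustrative only.
SAMPLE = [
    Initiative("Deploy MFA for remote access", 20_000, 5_000, "high", "high",
               depends_on=["Update security policies"]),
    Initiative("Update security policies", 0, 0, "low", "medium"),
    Initiative("Develop security awareness program", 15_000, 10_000, "medium", "high"),
    Initiative("Replace SIEM platform", 250_000, 60_000, "high", "medium"),
    Initiative("Network segmentation", 150_000, 20_000, "high", "high", in_flight=True),
    Initiative("Rebrand security portal", 120_000, 10_000, "low", "low"),
]
```

Running `assign_waves(SAMPLE)` pulls "Update security policies" from Wave 2 into Wave 1 because the MFA initiative depends on it, and `overloaded_waves(plan, 2)` then reports Wave 1 as overloaded, the pattern the Info-Tech Insight above warns about.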
Thank You!

Please tell us what you think on the Info-Tech LIVE mobile app.

For more information please contact:
Carlos Rivera, [email protected]
Isabelle Hertanto, [email protected]
Cameron Smith, [email protected]