Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Management & Strategy

Security Strategy? What Strategy?

In Information Security, you must first define your goals. These goals have to be realistic and inline with the resources at your disposal.

One of the questions I like to ask security professionals is, “What is your security strategy?” Amazingly, the response often contains phrases like “We have firewalls and IDS’s on the perimeter”, or “We do vulnerability management using vendor xyz”.

In Information Security, you must first define your goals. These goals have to be realistic and inline with the resources at your disposal.

One of the questions I like to ask security professionals is, “What is your security strategy?” Amazingly, the response often contains phrases like “We have firewalls and IDS’s on the perimeter”, or “We do vulnerability management using vendor xyz”.

Developing an IT Security StrategyNow, call me a stickler, but I have to smile at the thought of Napoleon being asked about his strategy at the battle of Austerlitz. He likely would have responded with, “Well, I am going to use cannon, and then grenadiers, and I also have some cavalry”. That, of course, is not so much a description of a strategy, as an inventory of the available resources.

Another common answer usually goes along the lines of “We have a security policy that defines secure usage, and secure procedures”, which once again, if applied to Napoleon would translate to, “Our soldiers are being taught to use their weapons and to understand orders”. The quick-witted reader will have noticed that this also does not describe a strategy, but rather processes.

The most common response, and by far my favorite, goes something along the lines of “Our strategy is to keep hackers out, and monitor internal users”. That is the goal of course. Literally, that’s the goal – not a strategy. A strategy should somehow lead to the goal.

According to, one definition, and the one most apt for our purposes, is:

a plan, method, or series of manoeuvres or stratagems for obtaining a specific goal or result;

Couched in those terms, most businesses do not appear to have anything even remotely resembling a strategy, aside from wanting to “Keep hackers out”, or “Win the war” in Military parlance. It is little wonder that most organizations fail abysmally in securing their assets, when even what constitutes a strategy is grossly misunderstood.

Advertisement. Scroll to continue reading.

In the case of Information Security, you must first define your goals. These goals have to be realistic and inline with the resources at your disposal. If you have a huge user base for example, with little control on where they are and what hardware and software they use, you cannot hope to successfully provide full spectrum security, just as a heavily outnumbered force without heavy support could not hope to win a pitched battle against a far larger foe. Similarly, if your available budget and resource pool is too small to secure the entire infrastructure and user base, you need to assess and prioritise where the greatest risks lie and focus managing identity and access control to these valuable assets.

Precedents and inspiration can be found in military strategy and history, which also concerns itself with very similar concepts, such as having to police and monitor large populations, securing and defending strategic assets against superior strength and numbers, and controlling and managing access to critical resources. Strategies such as checkpoints, (in our case, data) fortresses, and layered defensive lines are as suitable for the corporate intranet as they are in Baghdad or Kabul.

Strategies are nested, meaning that there are different layers, or sub-strategies that together combined comprise the overall strategy. If the overall strategy for example is to manage and control access to all data and resources, the sub-strategies would each outline different approaches towards doing this, like a strategy to always be able to uniquely identify all network participants.

Far too much value is placed on buying the standard basket of technologies; Firewall, IDS, Anti-virus, and the other usual suspects, oftentimes without proper assessment of whether this portfolio is strategically the most suitable choice, nor then deployed tactically the most effective. Sadly, regulatory compliance has considerably exasperated this one-size-fits-all approach, meaning that a large chunk of that ever so tight security budget is already spent and spoken for, but not necessarily to best effect. There is now a new and upcoming generation of security technologies that blur the traditional definitions, of what constitutes a firewall for example, and these may not get the traction that they should if they appear to take away a percentage of the security budget needed to adhere to regulatory compliance. That would be a pity and counterproductive for the overall security posture.

Strategy for IT Security

These additional technologies, if the budget still allows it, are then usually added to this baseline checklist, usually to address further requirements and provide additional specialist functions, and are as a consequence treated as appendages and not fully or holistically integrated. But a thorough, well thought out strategy also has to be implemented and executed well, meaning that if your initial strategic assessment identified IAM, or DLP as important, these should be the leading technologies, around which all else is built. Anything that provides the foundation of your strategy should also be treated as a fundamental component, with supporting technologies taking only a supporting place. Most importantly, these different solutions have to be tied together, and the accompanying strategy should consider how they overlap, to provide layered security akin to chainmail, with each layer overlapping at multiple points.

To provide an illustrative example, tanks were initially considered by many as death traps and a failure, originally used as mobile battering rams or artillery. On paper and in theory, they looked like a great idea, but proved rather easy to eliminate, for example by simple infantrists sneaking up from behind and attaching an explosive charge, until trial and error showed that the deployment of accompanying supporting infantry and lighter armoured vehicles greatly countered this weakness, and once fully integrated turned them into the personification of the ultimate heavy shock cavalry that we know and stand in awe of today.

A strategy, or strategies, should somehow lead to fulfilling identified goals and priorities. Just buying a selection of off-the-shelf solutions, without proper consideration of how these integrate, interlock and interact to provide a fully layered security approach will build a very expensive, unmanageable insecurity nightmare, as many depressed and demotivated security engineers can attest to. In addition, it will provide about as much defence against hackers as a paper-bag. Without a strategy to tie all of the defensive and protective measures and technologies together, they are like an army without a general, or like a computer without software.

Related Reading: Global Security Survey: Security Budgets Increasing, But Strategy Lacking

Written By

Oliver has worked as a penetration tester, consultant, researcher, and industry analyst. He has been interviewed, cited, and quoted by media, think tanks, and academia for his research. Oliver has worked for companies such as Qualys, Verizon, Tenable, and Gartner. At Gartner he covered Security Operations topics like SIEM, and co-named SOAR. He is the Chief Futurist for Tenzir, working on the next generation of data engineering tools for security.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.