Creating a security strategy

A security strategy sets the direction for a capability’s desired security posture.

It does not delve into the specifics of how security will be implemented. That level of detail is covered in the security plan.

Every security strategy is dependent on your capability’s purpose and context.

It should:
  • be realistic and actionable
  • provide clarity in expectations
  • link risk management efforts to security objectives
  • improve communication with stakeholders
  • reduce the potential for unacceptable loss

Benefits

The benefits of a good security strategy are that it:
  • establishes focused security objectives
  • assigns accountability for security actions
  • saves future expense, because a proactive strategy avoids retrofits

Outcomes

A clearly defined strategy that states the required security outcome throughout the capability’s life.
Example content of security strategy

Security goals and objectives:
  • defines what the capability aims to achieve in alignment with its mission
  • defines the required level of security, considering any constraints such as budget, user needs and timelines
  • states the cyber security framework selected to help guide the management of security, for example the NCSC Cyber Assessment Framework (CAF)
Capability-specific threat landscape:
  • considers the unique characteristics of the capability being delivered, so that risks can be prioritised and resources allocated more effectively
Risk appetite and tolerances:
High-level security principles:
  • states the overarching principles that guide security practices, for example, terms such as defence-in-depth or least privilege
Governance structures:
  • outlines how security decisions are made and who has authority and responsibility. This can include communication channels, accountability and more
The NCSC Cyber Security Board Toolkit offers practical advice on the creation and use of a cyber strategy.

Responsibility

Those responsible for your security strategy are:
  • capability sponsor
  • Senior Responsible Owner (SRO) or suitable equivalent
  • delivery team security lead

When to create a security strategy

Your security strategy should be created at the concept stage.