By ProServeIT on January 17, 2017

Identify and align your information security plan with corporate strategy


The information security threats have increasingly become complex and we see more and more data breach incidents on the news. Now it’s not a matter of if you have a security incident, but when. Instead of ad hoc technology solutions, which are not adequate enough for today’s threat landscape, we suggest you consider a comprehensive information security strategy and roadmap.

Click here to download the 4-phase implementation roadmap for your reference. This blog post will focus on the 2nd step of the first phase – identifying your information security strategies that align with your organization’s overall corporate strategies.

Identify macro trends affecting your organization

Identify any external environmental factors that could influence the corporate strategy, and thereby affect the IT and information security strategy. The external factors can generally be divided into the following four categories: Political, Social, Economic, and Technological.


Examine political factors, such as trade laws, labor laws, taxes, environmental regulations, and zoning restrictions.


Examine social factors, such as gender, race, age, income, disabilities, educational attainment, employment status, and religion.


Examine economic factors, such as interest rates, inflation rate, exchange rates, increase in Gross Domestic Product (GDP), the financial and stock markets, and the job market.


Examine technological factors, such as servers, computers, networks, software and software frameworks, database technologies, wireless capabilities, availability of Software as a Service.

Information security strategy under corporate or IT strategy

You need to figure out if your information security strategy falls under your overall organization’s corporate strategy or your IT strategy. The information security plan needs to account for changing business strategies and technologies. Information security management should be up to date on the strategic direction of the business and plan for it in advance. Figuring this out will enable you to manage information security proactively.

Information security strategy falls under overall corporate strategy

  • Organizations like this highly value security and consider it a critical component of their organization. Security will often have a direct link to management and the Board. Any security risk is managed on the enterprise level.
  • E.g. financial institutions, insurance organizations, defence contractors.

Information security strategy falls under IT strategy

    • Organizations like this may place less value on information security or may not have the resources to support such a strong security program in the organization. Information security is seen as one of many management areas for IT. It is generally communicated to management through the office of the CIO.
    • E.g. professional services firms, transportation, logistics, hospitality.

Analyze your corporate goals

Identifying corporate goals is one of the first steps in aligning your IT strategy with the business vision. This will help you make wise information security investments. Information security plan should support and enable your organization’s business objectives by supporting operational performance and ensuring brand protection and shareholder value. For example, if the organization is working on a new business initiative that will require handling credit card payments, the information security team needs to know as soon as possible to ensure that the information security strategy will allow the organization to be PCI compliant.


      • Brainstorm goals and divide them into three groups: Market, Customer, and Organization
      • If corporate goals cannot be identified, use business unit goals instead.
      • If a well-defined corporate strategy does not exist, these questions can help pinpoint objectives:
        • What is the message being delivered by the CEO?
        • What are the main themes of investments and projects?
        • What are the senior leaders measured on?

Identify corporate strategy and IT strategy

Organizational strategy

Now that you understand the direction the business is headed, identify and analyze actual strategies or plans to support those goals. Identify short-term priorities, medium-term priorities, and long-term priorities.

IT strategy

If there is a formalized or documented IT strategy, review this document to:

      • Identify goals and objectives;
      • Identify specific initiatives; and
      • Identify timelines

If there is no formalized or documented IT strategy, brainstorm goals and strategies for each of the following four categories: Infrastructure, Applications, Operations, and Management.

Link information security goals to corporate and IT goals

Using a 3-column table helps link the goals under three different umbrellas – Corporate, IT, information security. The first column is for the corporate goals previously identified. The second column is for the IT goals identified beside the corporate goals they support. The third column is for the information security goals that support the corporate and IT goals.

      • E.g. Corporate goal of an engaging work environment. This requires supportive and easy-to-use technology. IT goal could be a highly tech-enabled workforce. This requires easy and secure access. Leads to the security goal of effective identity and access management (IAM) controls.
      • Note: depending on your organization, your security goals could directly support the corporate goals or support IT goals, which in turn support corporate goals.

This 3-column table will help you visually map out the connections between corporate goals and the resulting information security goals.

Let us help you with your organization’s security!

Having a security plan will make your business more agile. Now is the time to strengthen your organization’s security from implementing an effective information security plan to remain competitive in today’s world. Remember: now it’s not a matter of if you have a security incident, but when. Our team of experts have worked with many organizations to help them implement an information security strategy. Contact us today! Fill out the form below or send us an email to We will be happy to run a complimentary cloud security assessment for you and discuss how you can improve your organization’s security!

Published by ProServeIT January 17, 2017