"Just do what you need to do to make sure we are secure" is a fine top-down directive in theory, but it tends to fall down when P&L's and controls are scrutinized and metrics are requested. Likewise, spending hundreds of thousands of dollars and months of time identifying gaps, defining a roadmap, and deploying capabilities takes an immense amount of time. By the time you have completed the traditional process, the solution is likely to fail to accomplish ever changing board level IT risk management objectives. This leaves CIOs in a tough position when it comes to defining and implementing a security strategy.\n\n\nOverall, there are five key components to any security strategy that need to be included regardless of how comprehensive and thorough the planning process.\n\n\n1) Determine if it\u2019s possible to obtain competitive advantage \n\n\nThe current state of heightened concern about upstream and downstream B2B partners creating a newsworthy security incident has led to opportunities to stand out from the crowd. Focus on enabling relationship owners to extend client commitments. Market planned investments in security controls and capabilities to catch the attention of your customer. Let them know that your company is the trusted provider and pay it forward to see long term results. If this isn\u2019t possible, adjust course and treat security investment as the risk and insurance cost center it is in all other cases.\n\n\n2) Define a security service catalog \n\n\nCustomers, internal and external, need to see the menu so they know what they can order. Without a menu, customers will make requests based on fear, media and vendor influence. You need them to focus on a defined menu so that scope is bounded. Requests for additions to your menu of security services are treated as such - special requests. This avoids challenges with prioritization based on the subjectivity or influence of the requestor and the hot national media news about the security incident of the day.\n\n\n3) Set key resource assumptions\n\n\nCapabilities come down to time, people, and funds. After defining the service catalog, make sure to estimate the resources needed to deliver on the services - as defined. Keep in mind, this step is inextricably linked to detailed service definition. Anything that is unaddressed can become a black hole for scope creep and expectation management when the services go live.\n\n\n4) Identify the residual risk of missing components \n\n\nNo matter how well-baked the strategy, there will be new threats and risks that come about due to normal changes in the business, competitive landscape, and trends in cyber attacks and corporate espionage. Due to these changing dynamics, it is vital that residual risk is identified based on limitations in the service catalog and resources. These limitations should be clearly communicated to executive peers, audit committee, governance teams, and the board. Often, the resource constraints may be resolved as the risk is too high for these audiences to accept. Otherwise, the residual risk acceptance is important to remind all parties involved that, six months from now when the world has changed, that you anticipated it and noted the risk\u2026 and they accepted it.\n\n\n5) Design and share outcome-based metrics \n\n\nThere is no place for metrics-for-the-sake-of-metrics in an effective security program. Make sure that metrics being reported result in a decision to either stay the course or to make adjustments resources or the service offering. Otherwise, the metrics provide little insight into performance, how effectively security is working with infrastructure counterparts, or how effectively the strategy is at accomplishing corporate objectives.\n\n\nWhile these five key security program strategy components are not a silver bullet, they have led to successful outcomes in many IT organizations, large and small. The common thread - CIOs who understand that maintaining the status quo has failed to deliver the results expected by boards.