Moving from tactical to strategic security
Moving from tactical to strategic security

What is a CISO to do? Millions of new malware variants are created each year, attackers are constantly scanning your environment for open ports, and your data is at risk on- and off-premises. Most CISOs and heads of IT are simply fighting fires on a daily basis to keep the environment online and fraud numbers to a minimum. 

While it is often difficult to find quiet time to think more strategically about your environment, it is a necessity. By moving from the day-to-day security tactical responses to strategic thinking, security teams can better triage discovered incidents, understand their impact to business processes, train team members in maintaining security and save time in each security process. I've represented a number of organizations throughout the years in a wide variety of attacks (i.e., nation-state, PCI, insider attacks) and there are a few traits of strategic security teams discussed below:    

Strategic teams understand their data assets – Strategic data security teams understand their data environment and have it mapped to understand where sensitive or company “crown jewel” data lies. Otherwise, how can you prioritize data in the event of a security incident? Let alone implement data loss prevention technologies, encryption, segmentation strategies and other controls? 

Even though security professionals have been preaching data mapping for years, many organizations are still not mapped, as understandably, it can be cumbersome and expensive. The best advice that I can offer here is avoid doing this task internally. There will always be a more important project than asset mapping and discovery. Many e-discovery vendors and teams are well-equipped to map your environment and assist you with a process to keep it updated, once complete. Company data maps must be treated as living, breathing documents that will require regular care and feeding.

Strategic teams assess potential and actual attackers – Strategic data security teams try to understand what adversaries are likely to attack their enterprises (and who actually attacks the enterprise). They consider their strategic company information assets and in whose hands their information assets would be most valuable. For example, is there intellectual property that has a particular manufacturing value in a country, or data that would be particularly valuable to your competitors? Consider, especially as you practice annual tabletop exercises, the types of attackers and how they could escalate incident response action.

Where possible, strategic security teams also routinely mine the attacks that they experience to gain insight into who is actually attacking them and what data attackers are after. Having intelligence regarding the potential attackers (both business knowledge and mined attack data) helps triage the routine incident from a bet-the-company attack. 

Strategic teams gain allies within the company – Information security (and legal for that matter) must gain company allies to enhance incident response and proactive security. Other business teams must want “to go to bat” for security within the company. Security will be asking for money and potential business delay and needs business unit trust for these asks. The security team earns this trust by going the extra mile in its project management, change management, vendor and other approval processes. 

Information security is a place where you play the long game. Security leaders should make the investment in mapping the enterprise, considering advesaries and building a company ally bas. It will pay dividends during the next large company incident or proactive security need.


Amy Mushahwar is an experienced data privacy, security, and management attorney with nearly 20 years of experience in the technology industry in both legal and technical capacities. Amy's practice focuses on data security, cyber risk, and privacy issues. As both a lawyer and former technologist, Amy is adept at helping clients unravel complex systems structure to fully understand legal and regulatory risk.