
For: Security & Risk Professionals

Define A Road Map To Accelerate Your Security Program
by Christopher McClean, January 16, 2015

KEY TAKEAWAYS

CISOs Need A Strong Road Map To Keep Up With Business Change
Technology continues to move from behind the scenes to the forefront of interactions between businesses and customers, and employee technology demands keep increasing as consumer products improve. CISOs who don't have a well-defined road map to support these business changes will never be able to keep up with them.

You Can't Do Everything, So Explain How You'll Delegate, Influence, And Collaborate
Security leaders are now expected to be experts in the latest technologies, security controls, global regulations, privacy issues, contracting terms, and communications. Few, if any, security programs can live up to these expectations; your road map should explain plans to delegate functions, influence partners, and collaborate with stakeholders.

The Road Map Is The Best Way To Show That Your Security Team Means Business
Your colleagues in marketing, sales, customer service, finance, HR, and operations probably still see security as the team that slows down performance. Use your road map to demonstrate that you understand the business, know what these other functions need to succeed, and invest in projects and services that support their goals.

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA | Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com

FOR SECURITY & RISK PROFESSIONALS
JANUARY 16, 2015

Define A Road Map To Accelerate Your Security Program
Road Map: The S&R Practice Playbook
by Christopher McClean
with Stephanie Balaouras and Claire O'Malley

WHY READ THIS REPORT

A security road map guides your team's projects and initiatives. Even more importantly, it explains to your key stakeholders how you're using the budget and resources given. Don't fall into the old routine of simply listing the technologies you'll implement and integrate over the next year; use the road map to demonstrate your understanding of key business initiatives and all the ways the security and risk organization will support them. For security and risk (S&R) leaders responsible for building a high-performance security organization, this report explains the forces that should drive transformation in your program and how to incorporate them into a road map that will make internal stakeholders appreciate how the security program makes their objectives more attainable. This is an update of a previously published report; Forrester reviews and updates it periodically for continued relevance and accuracy.

Table Of Contents

2 CISOs Who Aren't Constantly Striving To Improve Will Fall Behind
3 Build A Road Map To Support Your Vision For Change
4 Keys For Your Road Map: Delegate, Influence, And Collaborate
  Delegate Functions That Don't Match Your Skills Or Business Values
  Influence Expectations While Building An Internal Brand Of Support
  Collaborate Beyond The Technology Management Organization
WHAT IT MEANS
7 The Road Map Is The Best Way To Show You Mean Business

Notes & Resources

In developing this report, Forrester drew from a wealth of analyst experience, insight, and research through advisory and inquiry discussions with end users across industry sectors.

Related Research Documents

Job Description: Security Architect (December 1, 2014)
Lessons Learned From Global Customer Data Breaches And Privacy Incidents Of 2013-2014 (November 14, 2014)
Predictions 2015: Security Budgets Will Increase, As Will Breach Costs, Fines, And Lawsuits (November 12, 2014)

2015, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available
resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar,
and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To
purchase reprints of this document, please email clientsupport@forrester.com. For additional information, go to www.forrester.com.


CISOS WHO AREN'T CONSTANTLY STRIVING TO IMPROVE WILL FALL BEHIND

The only constant that CISOs can rely on is the inexorable pace of business and technology change, which increases each year. They do their best to keep up with the expanding threat landscape while bending over backward to support customer-facing roles and strategies. This places security professionals in an environment that is perpetually more challenging than what they've faced before, where multiple pressures make security goals more difficult than ever to attain. This is a way of life for most CISOs, and they reluctantly react to threats with resources that they know are inadequate. More specifically:

The business technology (BT) agenda requires increasing complexity and interdependence. Technology continues to migrate from back-office systems of record to front-office systems of engagement in support of the BT agenda. Enterprises are quickly adopting new mobile, cloud, and social technologies to foster closer and more rewarding relationships with their customers, and the layering of these technologies with their various hand-off points can introduce new vulnerabilities faster than security organizations can scan for them.

Legacy platforms are twisted to meet new technology and service demands. Most large enterprises have old technologies and systems hidden away in their data center, which they are now contorting to deliver new services that were never the intention of the original developers. This leaves the security team with newly connected, business-critical applications, all running on unsupported hardware and software, operating with little or no internal support, and lacking even minimal security controls.

Workplace environments demand increased flexibility and cooperation. New business models place increasing demands on the security team; remote working and consumerization require careful management, while the demands of outsourcing and third-party service providers often require the delegation of security permissions, privileges, and control.[1] In many cases, security leaders have to spend more time managing business needs and expectations than they do devising and implementing security solutions.

Resources are still constrained in the face of increasingly advanced threats. While security budgets are increasing, they cannot keep up with business needs; this means that few CISOs have resources to spare.[2] This is exacerbated by aggressive and highly targeted attacks from external parties that are increasingly difficult to detect and prevent.[3]


BUILD A ROAD MAP TO SUPPORT YOUR VISION FOR CHANGE

The specters of cyber-risk lurking in the shadows have revealed themselves as very tangible threats with very serious business implications. Enterprises that want to avoid short-term losses (like regulatory fines and breach costs) and long-term costs (like loss of customer loyalty and intellectual property) must invest to improve the people, processes, and technologies that keep their information and assets safe; this decision often represents a real commitment to change, a clearer vision in which security is critical for business success. CISOs now have to figure out how to connect the changing objectives of their organizations with more traditional information security efforts: data classification, data leak prevention, enterprise rights management, security analytics, mobile and consumerization support, awareness and education, and simplification and consolidation. These strategic goals drive new responsibilities, and there is an opportunity for CISOs to reinvent their functions as though presented with a greenfield site. But beware: such an undertaking may be essential to enable rapid business growth, but that doesn't mean it will be automatically popular or well-supported. You'll have to paint a compelling vision of the future, one that positions security as a business partner enabling pragmatic risk decisions and efficient business practices rather than the old "technology cop" image.[4] When the opportunity eventually arises for fundamental change, it's essential to have a clear road map that supports this vision when approaching management for approval and budgetary sign-off. This road map should draw together five elements: the drivers for change, an explanation in business terms, example scenarios, validation of strategy, and expected outcomes (see Figure 1).


Figure 1 Key Elements For Your Road Map

[Figure in the original: an organization chart of the security function and its working relationships. Roles shown: Board; Director of operational services; Director of enterprise risk; CIO; CISO; Deputy CISO; IT operations; Architecture; Threat and vulnerability management; Security architecture; Regional representatives; External audit; Internal IT audit; Privacy. Functions shown under the CISO (some labels only partially recoverable from the extracted text): risk management and control, policy, information risk assessment, vendor and relationship management, communication and awareness, GRC strategy; Cyberthreats; Technical security consultancy; IT fraud; Project consultancy; PCI DSS; Application security; COBIT; Forensics and investigations. Legend: close working relationship/overlap.]

Source: Forrester Research, Inc. Unauthorized reproduction or distribution prohibited.

KEYS FOR YOUR ROAD MAP: DELEGATE, INFLUENCE, AND COLLABORATE

Transformational change is hard enough by itself, but you have the added challenge of instituting change while taking on additional responsibilities and battling with severe budget restrictions. This means that your road map needs to do more than simply describe which security projects you will undertake and in which order; you will have to explain how the security organization itself will change to support the business through delegation, influence, and collaboration.

Delegate Functions That Don't Match Your Skills Or Business Values

If done right, relinquishing some operational responsibilities is a positive move, allowing more time to focus on strategic risk and policy issues and to concentrate on becoming a true information-risk-focused organization. Unfortunately, many security organizations are not taking this to heart and are actually increasing responsibilities, with notable increases in CISOs looking after identity management, application security, disaster recovery, physical security, and fraud management over the past three years.[5] In some cases, these additional responsibilities may be strategic, but more likely, they are keeping an already over-burdened security program from having the time to support business goals. If you're planning to delegate operational responsibilities to another part of technology management or outsource them, your road map should explain how you will:

Delegate the execution but not the brains. While it can be enormously helpful to delegate operational aspects of security, delegating too much too quickly is detrimental. In many cases, you have a much better idea of the business requirements and the risk appetite of the enterprise. Based on this knowledge, create clear processes and tune them until they are smooth and effective. Only at that point are they ready to be delegated.

Hand over accountability in a formalized manner. As part of any transition, you'll need to define roles and responsibilities, describe and assign specific tasks, and make sure there is clear accountability. Many processes will require participation from the security organization, an outsourced provider, and other parts of your business. For example, if you're outsourcing network monitoring, how will you handle a security incident?[6] Who will be on the response team? At what point will your service provider escalate issues?[7]

Define and monitor metrics based on your risk tolerance. Before delegating, your road map should explain the acceptable boundaries of risk tolerance as well as metrics for success. In certain environments, having 85% of endpoints patched one month after implementation is good, while in other environments, this may be impossible because of operational constraints or unacceptable based on the risk appetite. Similarly, your uptime requirements for internal collaboration environments are likely going to be much different than requirements for customer-facing transaction systems.

Influence Expectations While Building An Internal Brand Of Support

Changing the culture of an enterprise may feel like turning a supertanker; the wheel may be cranked, but the change in direction is imperceptible. Despite this challenge, building influence and changing the culture is fundamental to your progression as a business-focused security executive. Your road map, therefore, should address how your team's role in the enterprise is changing, including what the business is expecting and how you'll meet those expectations. To accelerate your progress:

Be honest about your current staffing capabilities and where you need to improve. As the famous adage goes, you dress for the job you want, not the job you have. Similarly, you want to build a security organization to provide the business with the services it will ultimately need to succeed. This will require a careful review of business plans where available: is your enterprise planning to expand overseas, adopt new digital business channels, or make acquisitions to broaden its product portfolio? Each of these will have significant security and risk implications, and your team will need very specific skills to support these efforts.

Sway the real decision-makers by aligning your organization. Leadership support is essential to get anything done, and certain parts of the enterprise likely hold more clout than others. In many businesses today, the chief marketing officer is a catalyst for new systems, applications, communication channels, and other technology projects. If that's true in your enterprise, developing a road map that shows support for these initiatives (hopefully with input and approval from the CMO) will increase the likelihood that your budget requests will gain approval and improve your chances of participating in business-level projects.[8]

Take advantage of critical inflection points for culture change. Institutional attitudes toward security can change, but slowly, and not without difficulty. An inflection point, such as a change in leadership, a security breach, a significant press story, a merger or acquisition, or a regulatory mandate promising significant financial penalties, can accelerate change. These inflection points are opportunities for you to implement changes that might have otherwise been a struggle. But be on the lookout and prepared for action; the window of opportunity is usually quite narrow.

Collaborate Beyond The Technology Management Organization

Security organizations that report into technology management typically have an understandable focus on technology implementation and integration. This type of organization often doesn't require a great deal of collaboration and can become insular. As you build a road map to become more relevant to the business, however, consider how best to facilitate more interaction outside of technology management. There are several good ways to do this:

Embrace your antagonists. You can't expect people to devote their time, effort, and resources to your projects just because it's the right thing to do. People don't usually violate security policies because they want to, but because they're up against a deadline or other more pressing priority. Building a road map by finding the root causes of such conflicts and creating cost-effective solutions is an essential practice for a good security organization.

Go beyond your comfort zone, and never say no. Enlightened CISOs stopped using the word "no" quite some time ago; the model now is to enable business, but in a secure manner. Instead of "no," try to respond with "OK, but let's do it this way . . ." or "yes, and here's how . . ." This approach forces the security team to understand the business problem in much more depth and to come up with solutions that balance business goals while managing security risks. At this point, saying no to cloud, consumerization, or other justifiable business requests is a career-limiting move. Your road map should show how you're making these complex business requests a reality.


Partner with the business on risk management. It's essential for the security organization to be aware of all the various information risks as well as who's responsible for tracking and treating them.[9] Equip and train all employees to recognize an information risk issue, and build a steering committee or security council to address information risks that have implications beyond the tech management organization.[10] You can't completely negate risk, but you can reduce the risk to acceptable levels through preventive measures or by preparing response plans. Don't hesitate to share your opinion and recommend mitigation plans (the business relies on your judgment and experience), but make sure it's clear that the business owns the risk; the security department simply follows a road map and implements solutions to help mitigate that risk.

WHAT IT MEANS

THE ROAD MAP IS THE BEST WAY TO SHOW YOU MEAN BUSINESS

Your security road map describes your new projects, investments, and efforts, explaining to other stakeholders what you're doing and why. When you use business objectives as your starting point, you're demonstrating that the security organization can have positive impacts, like better collaboration, improved customer loyalty, and a strong third-party value chain. Don't look at the road map as a one-time project to lead you into each new year. As business priorities may change in response to financial and market conditions, you should have a way to incorporate potential changes to security efforts to accommodate these shifts in priority as well.

ENDNOTES

[1] The mobile mind shift is an expectation that an individual can get what she wants in her immediate context and moments of need. The shift is a global phenomenon that is happening now, not only with powerful customers who have incredibly high expectations, but with the empowered employees of your enterprise who demand to use any mobile app or cloud service to better serve them. Unfortunately, many security and risk (S&R) leaders are unprepared to support their enterprise's mobile strategy for customers or employees. See the June 12, 2014, "Secure And Protect Mobile Moments" report.

[2] Forrester's review of security and risk spending for 2013 showed that budgets are still lean and that many security leaders still have to pick and choose their investments. Some more forward-thinking CISOs, however, are building business cases and securing significant investment capital. See the January 10, 2013, "Understand Security And Risk Budgeting For 2013" report.

[3] The information security threat landscape is changing rapidly, and many security organizations are struggling to keep up with the changing nature, complexity, and scale of attacks. Not only is it important for security managers to keep up with this changing landscape and develop capabilities to handle this new paradigm, but it's also essential to learn from past mistakes. Security managers must devise new ways to detect potential breaches and maximize the impact of their security controls. See the January 15, 2013, "Five Steps To Build An Effective Threat Intelligence Capability" report.


[4] The image of the security officer as a policeman is now incredibly dated. Unfortunately, this type of CISO can still be found. To help drive the continuing maturity of the CISO function, Forrester has published a model for a modern CISO role. It outlines the key tenets of the most senior security and risk role, the skills needed to succeed, and two significant threats to realizing the long-held ambition of the CISO to become a trusted business advisor. For more, see the March 5, 2012, "Role Job Description: Chief Information Security Officer" report.

[5] Forrester's surveys indicate that North American and European enterprise technology decision-makers' IT security groups have greater responsibility for the majority of activities we asked about in 2014 compared with 2012. The data shows increases from 2012 to 2014 in the percentage who answered "security is fully responsible" or "security is mostly responsible" for identity and access management (66% to 70%), application security (59% to 71%), business continuity and disaster recovery (46% to 62%), physical security (31% to 57%), and fraud management (35% to 62%). Source: Forrester's Business Technographics Global Security Survey, 2014 and Forrester's Forrsights Security Survey, Q2 2012.

[6] It's not a question of if but when your organization will experience a serious security breach. Cybercriminals are using more sophisticated and targeted attacks to steal everything from valuable intellectual property to the sensitive personal and financial information of your customers, partners, and employees. Their motivations run the gamut from financial to political to retaliatory. With enough time and money, they can breach the security defenses of even the largest enterprises. You can't stop every cyberattack. However, your key stakeholders, clients, and other observers do expect you to take reasonable measures to prevent breaches in the first place and, when that fails, to respond quickly and appropriately. A poorly contained breach and botched response have the potential to cost you millions in lost business and opportunity, ruin your reputation, and perhaps even drive you out of business. See the November 9, 2011, "Planning For Failure" report.

[7] Forrester believes that security operations centers will evolve and be replaced with an enterprisewide, distributed, virtualized information resource that allows security and risk professionals insight into incidents and activities wherever and whenever they need it. See the April 20, 2010, "SOC 2.0: Virtualizing Security Operations" report.

[8] Security groups continue to struggle with achieving appropriate visibility at senior levels and with securing appropriate funding. To increase visibility, run security as a business, by creating and managing a marketing and communications plan that addresses all key constituents and includes multiple visibility-increasing activities. See the January 12, 2011, "How To Market Security To Gain Influence And Secure Budget" report.

[9] Formalizing risk management, which includes establishing the internal context, the external context, the risk management context, and the risk criteria, will likely mean the difference between a risk program that adds value by meeting expectations and one that fails to garner widespread support and ultimately collapses. Refer to the series of reports entitled "The Risk Manager's Handbook." Specifically, see the April 25, 2011, "The Risk Manager's Handbook: How To Explain The Role Of Risk Management" report.

[10] As information security matures into a formal discipline, it needs formal governance mechanisms. Forrester noted increased interest and activity in this area in 2010. See the October 4, 2010, "CISO Handbook: Ten Tips For Building A Successful Security Steering Committee" report.


About Forrester
A global research and advisory firm, Forrester inspires leaders, informs better decisions, and helps the world's top companies turn the complexity of change into business advantage. Our research-based insight and objective advice enable IT professionals to lead more successfully within IT and extend their impact beyond the traditional IT organization. Tailored to your individual role, our resources allow you to focus on important business issues: margin, speed, growth first, technology second.
FOR MORE INFORMATION
To find out how Forrester Research can help you be successful every day, please
contact the office nearest you, or visit us at www.forrester.com. For a complete list
of worldwide locations, visit www.forrester.com/about.
CLIENT SUPPORT
For information on hard-copy or electronic reprints, please contact Client Support
at +1 866.367.7378, +1 617.613.5730, or clientsupport@forrester.com. We offer
quantity discounts and special pricing for academic and nonprofit institutions.

Forrester Focuses On
Security & Risk Professionals
To help your firm capitalize on new business opportunities safely,
you must ensure proper governance oversight to manage risk while
optimizing security processes and technologies for future flexibility.
Forrester's subject-matter expertise and deep understanding of your
role will help you create forward-thinking strategies; weigh opportunity
against risk; justify decisions; and optimize your individual, team, and
corporate performance.

SEAN RHODES, client persona representing Security & Risk Professionals

Forrester Research (Nasdaq: FORR) is a global research and advisory firm serving professionals in 13 key roles across three distinct client
segments. Our clients face progressively complex business and technology decisions every day. To help them understand, strategize, and act
upon opportunities brought by change, Forrester provides proprietary research, consumer and business data, custom consulting, events and
online communities, and peer-to-peer executive programs. We guide leaders in business technology, marketing and strategy, and the technology
industry through independent fact-based insight, ensuring their business success today and tomorrow.