Stakeholder involvement

Project workstreams

You're now going to take a closer look at the project management process with a special eye on the stakeholders and their role in implementing the plan.

There are several essential steps to this project management process. These are to create:

  1. Project workstream.
  2. Stakeholder map.
  3. Delegation of authority model.
  4. Work packages.
  5. Security working group.

A project workstream needs to be identified for each component of the plan. In this phase, tasks are given to individual teams to work on. Each workstream needs to be managed individually, with resources allocated to complete it on time and within budget.

In order to allocate the tasks to the most appropriate teams, you need to create a stakeholder map of the people who have an interest in the outcome. This also helps you get maximum buy-in from the most relevant people.

You then need a delegation of authority model, or DOA, to ensure that people with the appropriate authority and responsibility are working in the right roles. This should be publicised so that all stakeholders are clear on their duties.

You then assign work packages to each of the workstreams so that the deliverables can be managed. For example, a network security workstream might include delivery of firewalls, routers, and switches. This workstream will deliver work packages for each component and will be resourced from technical teams and non-technical personnel like auditors and team leaders. 

Finally, a security working group or steering committee should be established to report on progress to senior management. This tracks the success of the security programme and shows the implementation progress being made. The project manager should manage expectations and ensure that there are no surprises for the stakeholders. 

Figure: elements of implementing information security: stakeholder map, DOA, work packages, security working group.

What do you think?

Before you go on to look at them, what positive benefits do you think will result from implementing the plan? 

Think of at least three. 

Classification schemes: Positive benefits

There are multiple benefits of executing such a plan. Risk reduction leads to service improvements, and operating with an information assurance implementation programme produces positive outcomes for the organisation.

Tangible benefits should be communicated to stakeholders in a meaningful way.

Present a clear business case to the CEO covering:

  • Cost 
  • Competitive advantage 
  • Impact 
  • Risk 
  • ROI calculation 

The benefits of the implementation programme should be pitched to management stakeholders in a meaningful way. For example, the finance director will be interested in the monetary value of the risk reduction programme, whilst the COO will be interested in improvements in the network. 

Classification schemes: Security strategy 

In security terms, a strategy refers to high-level plans that set out a considerable improvement in security posture over a three to five-year time frame.

The information security strategy needs to be ambitious enough to influence the organisation to invest in short-term actions, on the basis that those actions help it achieve the strategic objectives. For example, an organisation might run three iterations of an information assurance implementation programme in a three-year period, each successively building on the output of the previous programme.

To gain universal buy-in and acceptance from the organisation, the security strategy should: 

  • State the high-level objectives
  • Explain how the risk profile of the organisation will improve
  • State how the organisation will benefit from implementing the strategy
  • Discuss trends in relation to threats and vulnerabilities
  • Support the organisation strategy
  • Support the technical strategy
  • Focus on cost savings

The information security strategy is a visionary document that shows the organisation’s maturity and its depth of understanding of information assurance requirements. It should be written using non-technical language and state the goals of the business in a simple way. This document can also form part of the organisation’s marketing collateral to outline their goals and objectives. This helps display the true direction the organisation is heading in.

What's next?

You've seen how important it is to get stakeholder buy-in. Next, you're going to delve into security architecture and different types of frameworks.
