
In my previous blog posts on the role of the CISO, the CISO’s first 100 days, and developing security strategy and architecture, I described some of the points a security leader should consider initially while formulating an approach to supporting an organisation. I wanted to build on this and summarise some of the business parameters in a high-level framework that can be used as a guide to learn about the company, so that a security strategy can be tailored accordingly.
This framework can also be used as a due diligence cheat sheet when deciding on or prioritising potential opportunities – feel free to adapt it to your needs.
Customer
- Who is the customer?
- What does each customer segment want?
- Customer concentration and power
Company
- Vision, mission and values
- Capabilities and expertise
- Governance
- Organisational structure
- Industry trends
- Budget / Runway / Finances
Product
- Nature of product or service (why would someone buy it?)
- Product or service lifecycle
- Distribution channels
- Roadmap (including prioritisation, inputs and outputs)
- Metrics
People
- Team size and skills
- Diversity and inclusion
- Recruitment and retention
- Communication
- Knowledge management
Risks
- Political
- Economic
- Social
- Technological
- Legal
- Environmental
Technical
- Platform and infrastructure
- IT and operations
- Compliance regime
- Security capabilities