Organizations that lack a comprehensive security plan or defined roles for security responsibilities are at a higher risk for cyberattacks. This blog will discuss how to establish the foundation of a security strategy and architecture and define roles and responsibilities.
As the cybersecurity landscape evolves, organizations need to move beyond a checklist of tools to a holistic, risk-based approach. In an RSAC™ half-day virtual seminar, Jenny Menna, Chief Security Officer at Sallie Mae, stated, “As the business landscape changes, partners want to use new tools and strategies, and organizations need to collaborate with the business, partners, third parties, and look at applications to create a true risk-based approach.” By collaborating with different internal and external teams, an organization can make informed, joint decisions, and everyone will be aware of how to reduce risk. As Menna emphasized, organizations need to start defining security with a risk-based approach, meaning that a security strategy should be directly tied to business goals and risks.
The Strategic Security Roadmap
In order to build a strategic security roadmap, organizations need to collaborate with both internal and external partners to find out their goals and risk tolerance. In the discussion with Menna, Roya Gordon, Interim Chief Information Security Officer at ENGIE North America, said, "We need to collaborate with external partners, HR, finance, legal, board of directors, CEO, and more—not just cyber teams as security is everyone’s responsibility."
The CISOs agree that the first step should be to find out what the business cares about and what its goals and objectives are. From there, an organization should assess risk based on its business processes, goals, and objectives, and use that assessment to recommend a security strategy and decide which tools and practices to invest in.
To create a multi-year plan for security initiatives that matter to the business, organizations need buy-in from the board of directors and leadership, and the panel of CISOs identified communication as one of the biggest challenges. Business leaders may not know technical cybersecurity terms, and every board is different. Menna explained that the first step to overcoming this challenge is to understand the board of directors and leaders, so that the CISO can present the security plan in risk or monetary terms rather than technical jargon and the language resonates with them. Doing this allows the board to see the direct correlation between investments in security tools and reduced risk.
Cybersecurity teams shouldn’t be the only ones planning the roadmap for security initiatives; everyone should be responsible for cyber risks, including leadership. As Dave Reudger, VP of Product Security and BISO at Precisely, stated, "We can’t do security in a silo."
Once an organization develops a security strategy plan, they should measure business-focused Key Performance Indicators (KPIs) based on their 'crown jewels' and the specific risks and threats identified in their risk assessment. Once they determine their KPIs, they should measure their progress by tracking key metrics and operational data such as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) to gauge how resilient and effective their security program is.
Navigating Roles and Responsibilities
To ensure an organization is complying with security regulations and with their own security initiatives, leadership must create governance structures with clear roles and responsibilities.
It’s crucial for organizations to understand that anyone can affect security risk. Mark Simos, Lead Cybersecurity Architect at Microsoft and a seminar speaker, stated, “An organization must first analyze how the business works and the risk implications that come out of it, as that drives security requirements and roles.” This step is important because more than 70 roles are currently identified in the cybersecurity landscape (Figure 1), and in order to pick the right roles for an organization, it's key to understand which security requirements and skills are needed to achieve business goals.
Simos explained that the roles marked in green are the accountable parties. While many of them aren't considered cybersecurity roles, they own the assets and therefore own the security risk to the business: they must maintain security adherence and be accountable for any risk that comes out of the assets they own.
The roles marked in blue are security jobs, the responsible parties: these security employees must make sure they're doing their job right. Caught in the middle of the accountable and responsible parties are access, identity, and network, as they live in both worlds.

Source: RSAC 2025 Security Strategy and Architecture Half Day Seminar
Defining Job Duties
But how can the employees who fill these roles make sure they’re carrying out their roles and responsibilities accurately to reduce risk? Simos explained that CEOs or top executives must list each job's duties and responsibilities. Then, for each job function, leaders must determine the risk of neglect (if this is not done, how does security risk go up?), which assets the function is responsible for, and which knowledge, skills, and abilities it requires to protect those assets and perform its duties. This process, called security organizational planning, is how roles are defined.
Then, organizations should set up a security education and awareness plan for all roles in an organization, so it’s clearly defined and communicated who owns what and who is responsible for business risks.
While Simos and the team at Microsoft were building a framework to define roles and responsibilities, they found that most leaders repeatedly make the same mistakes, known as antipatterns. Simos said one reason organizations aren’t improving their cybersecurity posture is that they are handicapped by technology-centric thinking and the 'silver bullet' mindset: the idea that buying a single solution could 100% solve a complex, continuous problem, such as assuming everything behind a firewall is safe.
We need to move away from this thinking to a more risk-based, proactive approach. A strategic, risk-based approach is essential for effective cybersecurity, requiring organizations to move beyond mere tools. This involves building a strategic roadmap tied directly to business goals, securing leadership buy-in through clear communication, and establishing governance structures that define clear accountability (asset ownership) and responsibility (task execution) across all roles, ensuring security is treated as a collaborative team sport.
To find out more about how to define roles and responsibilities and build out a strategic roadmap for security initiatives, we invite you to visit our library, where you’ll find an array of education content related to Security Strategy & Architecture.