This content is part of the Essential Guide: Managing information security amid new threats: A guide for CIOs

How to build a security roadmap with a cascade approach

An organization's security roadmap is often presented to upper-level board members via a lengthy PowerPoint presentation in "geek speak" that's foreign to the business-minded audience. Elliott Franklin, information security manager at San Antonio, Texas-based Whataburger Restaurants LLC, sat down with SearchCIO Assistant Site Editor Emily McLaughlin at the 2013 ISSA International Conference in Nashville, Tenn., to discuss how a cascade approach to security projects can help communicate the value of these initiatives.

Security professionals can use a cascade approach and provide business executives with a one-page plan, perhaps represented by a flowchart. In their plan presentation, they can take one of at least two approaches: demonstrate what the organization's current capabilities are and build up a security plan from there, or work top-down, starting with a vision and then explaining how the individual projects map to that company objective.

Franklin will head up SearchCIO's cybersecurity-themed tweet jam Wed., Oct. 30, 2013, at 3 p.m. EST. Please plan to join us on Twitter to chat about effective security planning. Until then, read how a one-page plan could reinvent how your organization plans for security projects.

Why did you need to build a security roadmap at Whataburger Restaurants, and what did you have in place before that?

Elliott Franklin: Prior, I think it was just one or two approaches: We'd just come in, try to attack anything we could and there wasn't really a strategy around it. [The strategy] was read the roadmaps and read the white papers. What does Gartner say? What do all the different research analysts say? Let's just try to do that.

That wasn't working. It wasn't providing benefit to the business. Building a roadmap was a very easy way to show [top management] how the security projects map to the business, and being able to bring them value in the security projects. Everyone says security is a cost center and it doesn't provide value; it actually slows down projects. That's really why we built a roadmap.

You've talked a little bit about a cascade approach. Can you explain what a cascade approach is?

Franklin: It's a flow chart, really. It's very simple. Instead of coming in with 100 PowerPoint slides, it is building swim lanes; it is another way of approaching it. What is your vision? What are your high-level objectives? Then what strategies, goals and projects will lead that? If it's cascading, I can start at the bottom and show them what capabilities we have and build up, or I can show them the vision at the top and the objectives, and how the projects map into that. That's why we did a cascading approach. It's very simple, very easy to explain: one page that all the executives can understand instead of doing PowerPoint slide after PowerPoint slide and trying to sell them on this 'geek speak' they don't understand.

How did you present the cascade approach in a business sense so that the business-oriented minds understood?

Franklin: The real benefit to doing the cascading approach is capabilities -- new capabilities that the business probably didn't even know existed and some we already had, but it just had never been presented that way. Saying, 'By doing this roadmap, by having these projects and objectives, now we have new capabilities from an information security perspective that provided value to the business that we would otherwise have to go purchase from somewhere -- either a third-party contractor or consultant to be compliant -- or just to do what's right and do best practices for security.' Showing them the capabilities that we have -- and again, that's value. What am I paying for? Was I more secure last year than this year? I'm giving you all this money; what's the benefit to me as the business? Now they can clearly see that on one page. We can track back in our quarterly updates and show them the progress we're making, new capabilities, improved capabilities. That's really been a great win for the business.

How did this roadmap approach lead to a quick buy-in for enterprise-wide security projects?

Franklin: I was able to use that to explain to the executives and compare the security projects to enterprise projects, or to business projects. The same way that we have someone guarding our front entrance, we have the security company that guards our front entrance, that checks our guests in. I could show them now we need a network access control system to protect our network the same way when somebody plugs into the network. Just trying to show them, 'Here're our high-level objectives. We want to protect our network? Of course we do. Here's how.' Being able to explain that to them, in business terms, leads to quick buy-in where they said, 'Yeah, we'll spend the money on that. We see the value.'

Can you give me an example of an enterprise-wide project that you're working on currently?

Franklin: Absolutely. One of those I mentioned is network access control (NAC). I think with BYOD [bring your own device] and some other initiatives that are coming down, we need to have visibility into who's on our network and what they're doing on our network. We're working through a network access control project right now, trying to determine how that technology can help us in that area, being able to identify who's on the network, what are they doing? That's one enterprise project that we're working on right now.
