When is the right time to develop a security strategy?

When should I revise my security strategy?

_A common trigger is an “aha moment” affecting multiple stakeholders—such as surprising audit results, whether from a penetration test or a certification audit. New business requirements can also necessitate a strategic reassessment— for example, when especially sensitive data is newly processed or when processes are being automated.

Examples of such triggers include:

• Automation of processes with new IT and OT systems

• Use of artificial intelligence in decision-making processes

• Handling of sensitive data such as health or location information

• New business area or business model

• Change in leadership

• Mergers and acquisitions

Are there also external factors?

_Yes, significant events in the company’s environment are also reasons to reassess—such as:

• Media reports about cyberattacks on competitors

• New regulatory frameworks (e.g., nDSG, ISG, NIS2, CRA)

• External threats like terrorist attacks, pandemics, or supply chain disruptions

• Major cyber incidents (e.g., ransomware, data breaches)

And last but not least: technological progress.

How does technological progress affect the strategy?

_Some strategies simply become outdated. New technologies or paradigms fundamentally change the requirements for security architecture. Examples from recent years include:

• The rise of AI-powered tools

• Zero Trust Enterprise Architecture

• Consolidation towards SASE

• Advances in quantum computing

But attackers also use new technologies. This calls for strategic responses such as:

• Phishing-resistant authentication methods

• Privileged Access Management

• Security for OT and IoT environments

• Business Continuity Planning

Many IT leaders say they have a strategy “in their heads”. Isn’t that enough?

_As a CISO or CIO, of course, I have a vision for the next three to five years. But strategies that exist only in people’s heads rarely work in practice, because they’re not aligned across the team. The firewall expert has different priorities than the backup specialist, and executive management or the board have yet other expectations.

A formal, documented, and approved information and ICT security strategy brings everyone to the table. It fosters consensus, enables coordinated action, and prevents conflicting goals. A good strategy prioritizes measures based on legal requirements, risks, technical dependencies, as well as time and budget constraints—and places them on a realistic timeline.

What time frame should a security strategy cover?

_There’s no fixed time frame—a good strategy should be dynamic and adaptable. But planning for just one year is usually not enough.

In practice, a planning horizon of 3 to 7 years has proven effective. Strategic goals are set for this period, along with an annual action plan. Detailed planning then takes place each year, aligned with the specific project streams to be implemented.