A complete security blueprint includes an assessment of strategy, operations and technology, and can be conducted by understanding seven key elements contributing to an organization’s security and risk posture. Within each of these categories are a number of sub-categories comprised of all elements that need to be considered.

• Network and Systems Security: The Foundation. Have a clear understanding of how the organization’s infrastructure is architected. For example, what is the technology deployed for prevention, detection, and management around the infrastructure systems and the network.
• Application Security: Both Internal and External. In order to maintain an optimal security posture, management should assess both internal applications, as well as those procured by third-parties. A solid understanding of the risks associated with each application will help eliminate potential risk before applications are deployed.
• Data Security: Protecting Critical Assets. Data is considered the most important asset of an organization. Management needs a plan for protecting and recovering data throughout the lifecycle. Data should be kept safe from corruption and also suitably controlled.
• Secure Operations: People Drive Process. Managing and protecting assets includes a method to distribute products and services, and a process created to drive change among people. In many organizations, operations are the weakest link, yet it is also the first and last line of defense.
• Business Continuity: Ensuring Uptime. Understanding an organization’s availability requirements is fundamental to establishing priorities. There should be a clear plan to keep the business up and running, despite any potential threats or outages.
• Security Strategy: Aligning with Business. Security strategy should always be aligned with an organization’s business strategy. To do so, security professionals should ask the following questions: What do I want to protect? How do I want to protect my assets? Finally, what are the metrics to evaluate for success?
• Security Organization: Sharing Risk. Along with security strategy, a security organization should also be aligned with the business goals and objectives. Security professionals should also be able to illustrate how their programs and initiatives will drive the business goals and objectives.

When to Implement a Security Blueprint

There are several scenarios in which a security blueprint can be particularly helpful in balancing an organization’s overall IT risk and security management program. One is when an organization needs to evaluate the current state of their existing program capabilities and define their desired state of program maturity. Applying a blueprint approach against the aforementioned seven core program pillars provides a portfolio model for aligning the value of security with business objectives and associated risk tolerance. For example, when a CIO, CSO, or executive, needs to identify, evaluate and address gaps in their security and IT risk program. The result of this blueprint assessment enables the executive to prioritize their initiatives around program elements which bring the greatest business, security and IT risk management value.


Another security blueprint use case might be during a merger or acquisition. During an acquisition, an organization will examine their maturity level with regard to security and risk. They might plan to use some integration dollars to bolster the acquired company’s security posture to bring it in-line with their desired level. A security blueprint will identify the areas that need the most improvement. It will also give them the insight into what the acquisition company’s strengths are. This way, they can also leverage these strengths and apply them across the board.