Organisational information security strategy is an area that examines the security of information at the organisational level for strategic purposes. Selection of an information security strategy from a set of four generic strategies puts control back in the hands of the governing body.
Generally, information security strategy has been defined as an organisation-level construct that takes direction from organisational goals and integrates resources and capabilities for securing information in support of those goals. One specific definition of information security strategy is: “Information security strategy guides the achievement of organisational goals and objectives using IT infrastructure and information resources to achieve them, is motivated by antecedent conditions that balance internal information needs and external environmental factors to yield information security benefits to the organisation, and is selected from a small set of generic strategies to guide decision-making when implementing operationally.” (Horne, Maynard, & Ahmad, 2017, p. 12).
Selection of an information security strategy begins with an assessment of the type of information an organisation holds, together with an examination of the environment in which it operates, including any regulatory and industry pressures that apply.
The benefits of selecting a strategy include a higher probability of preserving public reputation, customer trust and competitive advantage, and of securing trade secrets, personally identifiable information and other valuable information such as health records and credit card data.