One of the most important tasks to undertake in the planning phase is creating a Security Roadmap that will guide the implementation of the cybersecurity program. In Stage 1, you assessed your digital infrastructure and performed a Business Impact Assessment (BIA) and a Risk Assessment to identify the components of your infrastructure that require the most protection. You concluded by performing a Gap Analysis that measured the current state of your organization's cybersecurity against the baseline state put forth by this framework. The results of the Gap Analysis gave you a list of controls that need to be implemented in your organization's cybersecurity program. So far in Stage 2, the planning stage, you have assessed possible infrastructure changes for your environment and created the organizational structure for the eventual implementation of security controls. Now you need to create a Security Roadmap that clearly outlines and justifies the process of implementing new cybersecurity measures in your business.
The Security Roadmap is a document that outlines the path you will take to reach the desired end state. Without a clear outline of the steps to take, projects quickly derail into scope creep, misconfigurations, and delays. The Security Roadmap is a strategic document that contains three major phases:
- Phase 1: Foundations
- Phase 2: Standardization
- Phase 3: Optimization
These phases create a top-down approach to creating a security program, meaning major strategic changes like building a new network are done first. Phase 2 involves the Standardization of new technologies, such as getting all employees connected to the new network. Finally, Phase 3 optimizes the smaller aspects of the program, such as adjusting MAC address whitelists and Port Security on the new network equipment.
Your Security Roadmap can be a written report, a series of visualizations, or a combination of both. Regardless of what method of presentation you take, the Security Roadmap needs to be a collaborative creation, with the entire Steering Committee and all other Stakeholders informed of the process. The main goal of the Security Roadmap is to justify the costs that will be required to implement new security controls. Therefore, your roadmap needs to answer the following questions:
- What are the projects that are going to be pursued? What new controls are being implemented?
- Why do we need to implement them?
- What is the scope of the new controls? What systems and users will be covered by them?
- Who is going to be responsible for the implementation process?
- What are the major requirements for successful implementation?
- When are we planning on implementing these projects?
- What will improve in the business by pursuing these new security controls?
The Risk Assessment is such an important component of a cybersecurity program because it explains otherwise confusing issues to stakeholders in terms they can understand. It is one thing to tell your business partner that the e-commerce website needs TLS 1.3 to protect your customers and your reputation; to many people that is just word salad. It is another thing to tell them that unencrypted traffic to the site has a high likelihood of being intercepted, and that the resulting exposure of customer data would likely bring consequences for both of you, including regulatory fines and possible legal action. Bringing these issues home with likelihoods, impacts and a risk matrix justifies the costs far better than product names do. Therefore, you should aim to map as many planned controls as possible to the risks uncovered in your Stage 1 Risk Assessment, and to state the inherent and residual risk for each one.
Example Scenario
Example: Susan Mills LLC is a small-town accounting firm that handles the books for many other local small businesses. The company consists of five employees who use Windows laptops and a variety of local and cloud-based software for their workflows. Susan Mills uses a hybrid work arrangement in which employees work in the office two days a week and from home three days a week. The problem is that the company has no centralized device management strategy. Each laptop is configured with a local administrator account for its employee, so full control of the devices rests with the employees themselves, and there is no way to monitor security. The business owner meets with a local IT consultant and the five employees, and they all decide to implement a Microsoft Entra ID and Intune solution to better manage device security. They will configure Intune for device management, Entra ID for identities, MFA via Microsoft Authenticator, and Conditional Access for context- and risk-based authentication. In addition, they plan to set up 802.1X authentication on the local network, using a RADIUS server integrated with Entra ID, so that employees can use their Entra ID identities to sign into the company Wi-Fi. One requirement belongs in the roadmap up front: Entra ID does not itself expose a RADIUS interface, so the RADIUS server needs an integration path, typically certificate-based EAP-TLS with device or user certificates issued through Intune, and that dependency should be listed with the 802.1X project.
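The following is an added example, not part of the framework text, showing one way to carry out the control-to-risk mapping recommended above for the Susan Mills LLC scenario: a 5x5 risk matrix, each risk's inherent and residual score once the planned controls are applied, a cost-justification ranking for the Steering Committee, and two sanity checks (risks that nothing covers, and controls that cover nothing in the register). Every risk, score, cost and likelihood-reduction value is a constructed assumption; the control names come from the scenario, but how much each one reduces a given risk is assumed for illustration.

```python
"""Map planned controls to Stage 1 risks and rank them by risk reduction.

Added example, not part of the framework text. All risks, scores, costs and
reduction values are constructed for the Susan Mills LLC scenario (assumed).
"""
from __future__ import annotations

from dataclasses import dataclass

# Five-point scales of a 5x5 risk matrix: score = likelihood x impact (1..25).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def rating(score: int) -> str:
    """Bucket a matrix score into the bands stakeholders see on the heat map."""
    if score >= 15:
        return "high"
    return "medium" if score >= 8 else "low"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: str
    impact: str

    def inherent(self) -> int:
        """Score before any planned control is applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass(frozen=True)
class Control:
    name: str
    phase: int               # 1 Foundations, 2 Standardization, 3 Optimization
    cost: float              # assumed first-year cost in USD
    reduces: dict[str, int]  # risk_id -> likelihood points removed (assumed)


def residual(risk: Risk, controls: list[Control]) -> int:
    """Score after every control mapped to this risk; likelihood never drops below 1."""
    points = sum(c.reduces.get(risk.risk_id, 0) for c in controls)
    return max(1, LIKELIHOOD[risk.likelihood] - points) * IMPACT[risk.impact]


def rank_controls(risks: list[Risk], controls: list[Control]) -> list[tuple[str, int, float]]:
    """(name, standalone score reduction, reduction per $1k), best value first."""
    by_id = {r.risk_id: r for r in risks}
    ranked = []
    for c in controls:
        # Each control is scored alone, so its justification does not depend on
        # which other projects the Steering Committee approves.
        cut = sum(by_id[r].inherent() - residual(by_id[r], [c]) for r in c.reduces if r in by_id)
        ranked.append((c.name, cut, round(cut * 1000 / c.cost, 2)))
    return sorted(ranked, key=lambda t: t[2], reverse=True)


def mapping_gaps(risks: list[Risk], controls: list[Control]) -> tuple[list[str], list[str]]:
    """(risks no control touches, controls mapped to no registered risk)."""
    ids = {r.risk_id for r in risks}
    covered = {rid for c in controls for rid in c.reduces}
    return ([r.risk_id for r in risks if r.risk_id not in covered],
            [c.name for c in controls if not set(c.reduces) & ids])


# Constructed Stage 1 risk register for the scenario (values assumed).
RISKS = [
    Risk("R1", "Laptop lost or stolen with unencrypted client books", "likely", "severe"),
    Risk("R2", "Malware installed via local admin rights on unmanaged laptops", "likely", "major"),
    Risk("R3", "Credential phishing against cloud accounting apps", "almost certain", "major"),
    Risk("R4", "Unauthorized device joins the office Wi-Fi", "possible", "moderate"),
    Risk("R5", "Client data intercepted on employee home networks", "possible", "major"),
]

# The scenario's planned controls, mapped to risks (costs and reductions assumed).
CONTROLS = [
    Control("Intune device management (encryption, compliance)", 1, 3000, {"R1": 3, "R2": 1}),
    Control("Entra ID identities, local admin removed", 1, 2000, {"R2": 2}),
    Control("MFA via Microsoft Authenticator", 2, 500, {"R3": 3}),
    Control("Conditional Access", 2, 800, {"R3": 1, "R1": 1}),
    Control("802.1X Wi-Fi with RADIUS", 3, 2500, {"R4": 2}),
]


def roadmap_summary(risks: list[Risk] = RISKS, controls: list[Control] = CONTROLS) -> dict:
    """Figures for the roadmap document: per-risk before/after and the cost ranking."""
    before_after = {}
    for r in risks:
        before, after = r.inherent(), residual(r, controls)
        before_after[r.risk_id] = (before, rating(before), after, rating(after))
    unmapped, unjustified = mapping_gaps(risks, controls)
    return {"risks": before_after, "ranking": rank_controls(risks, controls),
            "unmapped": unmapped, "unjustified": unjustified}


if __name__ == "__main__":
    for key, value in roadmap_summary().items():
        print(key, value)
```

Two things worth noticing in the output. First, the cost ranking (MFA and Conditional Access give the most reduction per dollar) is not the phase order: Intune and Entra ID sit in Phase 1 because the later controls depend on them, so the ranking justifies the spend while dependencies set the schedule. Second, R5 (home-network interception) comes back as unmapped, which is exactly the check you want before the roadmap reaches the Steering Committee: either a project is added for it or the risk is recorded as explicitly accepted, rather than silently dropped.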
After intensive planning for this new cybersecurity program, the following Security Roadmap is created:
