In information security, the relationship between concept, goal, strategy, and objective is integral to creating a comprehensive security framework. Concepts serve as the theoretical foundation, providing guiding principles that inform how security is approached. For instance, concepts like the CIA Triad (Confidentiality, Integrity, Availability) or Zero Trust represent core ideas that underpin the security framework of an organisation. These abstract concepts help define the principles and values that an organisation should follow to ensure the protection of its data and systems.
The goal in information security represents the broad, overarching vision of what the organisation aims to achieve. It reflects the organisation's ultimate aspirations, such as protecting sensitive data from unauthorised access or ensuring resilience against cyberattacks. However, goals are often general and cannot be achieved directly without a clear plan. They are the end states organisations aim for, but achieving them requires a structured and organised approach.
To make these broad goals actionable, organisations develop an information security strategy. This strategy is the high-level plan or method that outlines how security objectives will be accomplished. It includes decisions about how resources will be allocated, what technologies will be used, and how risks will be managed. For example, a strategy might include a focus on Defence-in-Depth, employing multiple layers of security controls to safeguard data, or a plan to ensure compliance with relevant regulatory standards. The strategy provides the roadmap for achieving the overall security goals of the organisation.
Finally, objectives are the specific, measurable actions that organisations undertake to realise their strategic plans and move towards their security goals. Objectives break down the high-level strategy into concrete tasks, with clear timelines and measurable outcomes. For instance, an objective could be to implement multi-factor authentication for all users by a certain date, or to encrypt all sensitive data stored on company servers. These objectives ensure that the theoretical concepts of information security are translated into real, tangible outcomes, aligned with the broader organisational goals and strategy.