Urfaan Azhar
April 13, 2023

Why you need a Security Roadmap and 11 steps to getting one using the Zero Trust approach

Snazzy title I know, but at least if you’re reading this then you know you probably should define your security strategy.


I know you may have several other things that you think are just as important, but please believe me when I say, “THIS SHOULD BE YOUR NUMBER ONE PRIORITY FROM A CYBER SECURITY PERSPECTIVE" (it's caps because I'm shouting this bit to make the point 🤓).


You may have a DR and BC plan, you may have even tested – If you haven't got a DR plan, then read on and let’s get you started with a Security Roadmap.


Here we gooooooo people!!!! (Sorry about the over enthusiasm, but I’m trying my best to make writing a security roadmap less laborious than it is 😁).


1.     Understand why you need a Security Roadmap -

  •  Helps you stop being reactive (nod to all your firefights out there 😉).
  •  Makes sure you define and adopt a security approach (I recommend Zero Trust)
  • Align your security processes to your business goals and objectives - improving your security posture (sorry I used the term security posture in public but it’s the right one to use).
  • Gives you an understanding of where you are today (you think you know but you don't).
  • Sets you on a journey that will help you continually monitor, assess, and improve your cyber security (yes this will be never-ending and relentless because that's what the security threat is never-ending and relentless 😔).


2.     Write something down today – actually, stop reading for a minute, open a word doc and write Security Roadmap at the top. Congrats you have started (the word doc has a creation date so its set-in stone, you’ve started!). Ok, carry-on reading…


3.     Set yourself a timeline - I suggest 12 months and spend half a day, quarterly, to review your progress and update your roadmap (it must be manageable). A working document that is evolving and adapting to the current threat landscape is a powerful tool when it comes to mitigating risk, and just because you followed step 2 you now have one (you’re welcome 👍).


4.     Involve others – You don't want to take this journey on your own, it's like climbing Everest - you need a support team. Get the C-Level/Directors involved – kicking and screaming if you must 👊. Pick another department head to preview, they don’t need to be technical (remember this is more about strategy and operational improvements that specific technology). Also include your reports/team to ensure they buy in to the approach from the start.


5.     Pick your battles - If you decide on a Zero Trust approach (recommended) write that down and commit to it. Explain to key stake holders what it means and then pick some quick wins. Below is an image of the Microsoft Zero Trust Security approach, we are only going to pick 3 of these components to start with to get you going. Your people (Identity), the things they use (Devices/endpoints), and the crown jewels your information/data.

6.     Measure where you are today - This is easier than you think! Use the tools available to you, like the Microsoft Secure and Compliance Score. The TIEVA Security Scoreboard provides a simple overview and a score (feel free to fill it out the form and I will send you a security scorecard result).


Use Microsoft's ZeroTrust maturity Model Assessment Tool that also helps you measure where you are today here... Use these metrics as the starting point, having a bad starting score isn’t necessarily bad - if we plan to improve it.


Here is an example:



7.     Measure yourself against your current compliance requirements - Now you have had a look at some scores TIEVA and Microsoft might have given you, consider what your compliance requirements are e.g., ISO27001, CyberEssentials, internal GDPR and other IT/data policies. Measure yourself against the key elements of these requirements.


8.     Define some key milestones 🕕 – I know some people say don’t eat an elephant but sometimes you have no choice and let me tell you from a lot of experience there is only one way todo it, ONE BITE AT A TIME. Pick 4 or 5 things that are a priority for you or use the example below. To keep it manageable, I would suggest completing the following 5 key steps over the next 12 months, 1 step each quarter and continuously delivering training and awareness throughout the year.


9.     Outline your breach response – Even the calmest and most composed individuals crack under pressure, so create a basic Incident Response Plan.

10.  Record everything you can – If you do something WRITE IT DOWN, if you are planning to do something WRITE IT DOWN, if you even think of something WRITE IT DOWN. It makes sense to keep your first SecurityRoadmap bitesize and manageable, but I suggest you still record everything in a brain dump area (normally entitled Future Plans or Beyond the first 365 days). This is where you can record anything you would like to do in the future, that email the CFO/Finance Director sent you saying, “I read this, is this something we should be doing”. You may also read something useful on LinkedIn 😉 you might want to add.

11.  Get help – I would say this wouldn’t I, but It’s not a pitch, it’s a plea. I have been involved in numerous and significant cyber-attack response planning and response scenarios. Watching the aftermath of an attack is emotional for me, its gut wrenching and heartbreaking. Watching business built over years by fantastic entrepreneurs with loyal and hard-working teams brought to their knees by people who don’t care about the devastation they cause and often only interested in your businesses hard earned cash.


Getting help from people who do this day in day out and can add significant value from planning, documentation, implementation, and systems hardening can be invaluable. Doing it yourself is better than doing nothing, but if you budget for anything next FY then budget to get help from security professionals with your security Roadmap journey. Peace out my friends✌.

Sub-header icon