ABSTRACT

This chapter focuses on the top-down and bottom-up strategy development approaches as viable alternatives for developing an information security strategy. When developing any information security strategy, it is important to understand that the common view of individuals within the organization may be that the security staff's role is limited to the issuance of user IDs and granting access. Before developing the security strategy, the person responsible for it needs to understand the organization’s past experiences with information security. The company's external environment is clearly important to information security strategies, as it represents how the world is interacting with our organizations. Companies work within the context of a much larger environment and are subject to external circumstances beyond those they create themselves. These include the regulatory environment, the strategies of competitors, awareness of emerging threats, knowledge of cost structures, and use of the available external independent research.