Final Project - Assignment

Uploaded by

omeyriane


Semi-Final Technology Strategy Guideline

Marian Chukwudi Odum

MBA, Nexford University

MHY 6750: Final Project

Prof. Nicholas Bucciarelli

July 22nd, 2023



EXECUTIVE SUMMARY

The increasing threat landscape and the critical need for robust cybersecurity measures have prompted Guinness to prioritize the development of a technology strategy guideline. This executive summary provides a high-level overview of the Technology Strategy Guideline, summarizing the key points and objectives of the document. It highlights the importance of developing a comprehensive technology strategy to address cybersecurity and outlines the approach that will be taken using a combination of the NIST Framework and the CIS 20 Critical Controls. The executive summary concludes by requesting approval from the Board of Directors to proceed with the implementation of the technology strategy.

Purpose of the Guideline

The purpose of the Technology Strategy Guideline is to provide a comprehensive roadmap for Guinness's technology and cybersecurity efforts. The guideline serves as a strategic document that outlines the organization's vision, goals, and objectives related to technology and cybersecurity. It provides a framework for assessing the current state, defining the desired future state, and identifying the necessary steps to bridge the gap. By leveraging the NIST Framework and the CIS 20 Critical Controls, we will align our cybersecurity efforts with industry best practices and standards, ensuring a proactive and comprehensive approach to safeguarding our information assets.

ORGANIZATION

a.) Vision, Mission, and Core Values

Past and Current Vision

In the past, Guinness has focused on technology as an enabler for growth and operational efficiency. The organization has implemented various cybersecurity measures, including network firewalls, antivirus software, and user awareness training. While these efforts have provided a certain level of protection, there is a need to enhance the organization's resilience and response capabilities. The past vision aimed to establish a secure and reliable technology infrastructure to support business objectives.

Guinness's future vision for technology and cybersecurity is to become a leader in secure digital transformation and proactive threat management. The desired state includes a robust and resilient technology infrastructure leveraging cloud services, advanced threat detection and response capabilities, and a strong security culture (Bresnahan, 2022). The future vision aligns with the organization's strategic goals of expanding globally, delivering innovative products, and ensuring customer trust and data privacy.

Mission

The future mission of Guinness's technology and cybersecurity efforts is to safeguard the organization's critical assets, ensure business continuity, and enable secure digital transformation. The technology strategy aims to establish a proactive cybersecurity posture, implement robust controls, and foster a culture of security awareness and accountability. Specific goals include achieving compliance with industry regulations, reducing cyber risk exposure, and building trust with customers through the secure handling of data.

Guinness envisions leveraging technology as a strategic enabler to drive innovation, enhance operational efficiency, and deliver exceptional experiences to its customers.

Core Values

Guinness's technology and cybersecurity initiatives are guided by the following core values:

- Innovation - Guinness embraces a culture of innovation, encouraging the exploration of emerging technologies and creative solutions to drive competitive advantage.
- Collaboration - Guinness promotes collaboration and teamwork among cross-functional teams, fostering a culture of knowledge sharing and collective problem-solving.
- Customer-Centricity - Guinness places a strong emphasis on understanding and meeting the evolving needs of its customers, delivering personalized experiences through technology solutions.
- Integrity - We uphold the highest ethical standards in managing technology and protecting sensitive information.
- Continuous Improvement - We strive for ongoing improvement through regular risk assessments, training, and adapting to new threats and vulnerabilities.

GOALS

Short-term goals (Year One)

- Enhance network security by implementing next-generation firewalls and intrusion detection and prevention systems.
- Strengthen access controls by implementing multi-factor authentication for critical systems and privileged accounts.
- Conduct a comprehensive vulnerability assessment and establish a patch management process to address identified vulnerabilities.
- Develop and deliver cybersecurity awareness training for all employees to promote a culture of security (Bleich, 2023).

Short-term goals (Year Two)

- Implement a Security Information and Event Management (SIEM) system for centralized log management and real-time threat monitoring.
- Enhance incident response capabilities by establishing an incident response plan, conducting tabletop exercises, and enhancing coordination with external stakeholders.
- Strengthen data protection by implementing data loss prevention (DLP) controls and encryption mechanisms for sensitive data.
- Conduct regular penetration testing and security audits to identify and address any vulnerabilities.

Short-term goals (Year Three)

- Implement a robust security governance framework to ensure compliance with relevant regulations and industry standards.
- Enhance security monitoring and threat intelligence capabilities through the implementation of advanced analytics and threat intelligence platforms.
- Implement a formal vendor risk management program to assess and mitigate risks associated with third-party suppliers.
- Continuously evaluate and enhance security controls based on lessons learned, industry best practices, and emerging threats.

Long-term goals

- Establish a comprehensive risk management program that integrates technology, cybersecurity, and business risks into the decision-making process.
- Continuously enhance security awareness and training programs to promote a security-conscious culture throughout the organization.
- Develop and implement a business continuity and disaster recovery plan to ensure the timely restoration of critical systems in the event of disruptions.
- Foster strategic partnerships with industry peers, government entities, and information-sharing organizations to enhance threat intelligence and collaboration.
- Maintain compliance with relevant regulations and standards, adapting to new requirements as they arise.

Obstacles to Achieving These Goals

Obstacles to achieving the technology strategy goals may include limited budgetary allocations for technology investments and cybersecurity measures, resource constraints in terms of skilled personnel or subject matter experts, resistance to change within the organizational culture, evolving regulatory requirements, and the constantly evolving threat landscape. These obstacles need to be considered when formulating action plans and resource allocation strategies.

Benchmarks of Success

To measure the success and effectiveness of the strategy, specific benchmarks have been established. These benchmarks serve as key performance indicators (KPIs) to track progress, evaluate outcomes, and ensure the strategy's alignment with organizational goals. Regular monitoring and assessment will be conducted to measure performance against these benchmarks. Some of the benchmarks include:

- Percentage reduction in cybersecurity incidents and successful attacks.
- Increase in employee cybersecurity awareness and engagement.
- Achievement of compliance with relevant regulations and industry standards.
- Improvement in vulnerability management metrics, such as reduced time to patch vulnerabilities.
- Positive feedback and satisfaction ratings from internal stakeholders and customers regarding security measures.
- Successful completion of independent audits and assessments with favorable results.
- Reduction in the overall cybersecurity risk exposure based on periodic risk assessments.

By focusing on these benchmarks, Guinness aims to establish a robust and resilient cybersecurity posture while leveraging technology to drive innovation and secure its operations. The organization is committed to continuous improvement and will regularly review and update its technology strategy to ensure it remains effective and aligned with evolving business needs.

STRATEGY

Resource Assessment

Resource assessment is a critical component of the Technology Strategy Guideline, as it ensures the availability of the necessary physical, financial, and human resources to successfully implement the strategy. A comprehensive assessment of resources will help identify potential gaps, allocate resources effectively, and ensure the strategy's viability and sustainability. The resource assessment should encompass the following areas:

- Physical Resources - Evaluate the organization's existing physical resources to support the technology strategy. This includes hardware infrastructure, network components, servers, data centers, and facilities. Assess the capacity, scalability, and reliability of these resources and identify any gaps or areas that require upgrades or enhancements. Determine if there is a need for additional physical resources to support new technology initiatives, such as cloud computing, IoT devices, or infrastructure expansion.
- Financial Resources - Assess the financial resources needed to implement the technology strategy effectively. This involves evaluating the budgetary requirements for technology investments, cybersecurity tools and services, infrastructure upgrades, training programs, external expertise, and ongoing maintenance costs. Consider the organization's financial capabilities, projected budget allocation, and potential sources of funding. Develop a detailed budget that aligns with the strategy's goals and objectives, ensuring adequate financial resources are available to support the implementation and sustainability of the strategy.
- Human Resources - Evaluate the organization's current workforce and determine if there are sufficient human resources with the necessary skills and expertise to execute the technology strategy. Identify gaps in cybersecurity knowledge, technology competencies, and project management capabilities. Assess the need for additional human resources, such as cybersecurity professionals, IT staff, subject matter experts, or consultants. Develop a plan to acquire, train, or hire the required human resources. Consider factors such as recruiting strategies, training programs, professional development opportunities, and succession planning to ensure the availability of skilled personnel throughout the strategy's lifecycle.
- Ethical Stakeholder Engagement - Consider the ethical aspects of resource assessment, recognizing the importance of engaging stakeholders inclusively and transparently. Identify key stakeholders, including employees, executives, customers, partners, regulators, and the board of directors. Develop strategies to engage stakeholders, gather feedback, and address their concerns. Ethical considerations should include respecting privacy, data protection, and compliance with legal and regulatory requirements. Develop a communication plan to keep stakeholders informed and involved throughout the implementation of the technology strategy.
- Risk Management and Incident Response - Incident response is an approach to handling security breaches. Incident response aims to identify an attack, contain the damage, and eradicate the root cause of the incident (Borkar, 2022). Integrating risk management and incident response considerations into the resource assessment is crucial. Identify potential risks, vulnerabilities, and threats associated with the implementation of the technology strategy. Develop strategies to mitigate these risks, such as implementing appropriate security controls, conducting regular risk assessments, and establishing an incident response plan. Allocate resources to ensure timely detection, response, and recovery in the event of a cybersecurity incident. Consider collaborating with internal and external stakeholders, such as cybersecurity vendors, law enforcement, and industry groups, to enhance incident response capabilities.

By conducting a comprehensive resource assessment, Guinness can ensure the availability of the physical, financial, and human resources necessary to support the successful implementation of the technology strategy. It enables effective resource allocation, minimizes potential gaps or constraints, and ensures the strategy is implemented within the designated budget and time frame.

Implementation Plans

The implementation plan will be divided into phases, each spanning a specific period. Key elements of the implementation plan include:

Phase 1: Assessment and Planning

- Conduct a comprehensive assessment of the current technology and cybersecurity landscape.
- Identify gaps and prioritize areas for improvement based on risk analysis.
- Develop a detailed project plan, including timelines, milestones, and resource requirements.

Phase 2: Infrastructure and Security Enhancements

- Implement necessary infrastructure upgrades to support the technology strategy.
- Strengthen network security controls, including firewalls, intrusion detection systems, and secure remote access.
- Enhance data protection measures, such as encryption and data loss prevention.

Phase 3: Governance and Compliance

- Establish a governance framework to ensure accountability and compliance with relevant regulations and standards.
- Develop and implement policies, procedures, and guidelines for technology and cybersecurity.
- Conduct regular audits and assessments to monitor compliance and identify areas for improvement.

Phase 4: Awareness and Training

- Implement a comprehensive cybersecurity awareness and training program for employees.
- Conduct regular security awareness campaigns and provide targeted training sessions for different roles within the organization.
- Foster a culture of security awareness and accountability across all departments.

Phase 5: Monitoring and Continuous Improvement

- Implement a security monitoring and incident response system to detect and respond to cybersecurity threats in real time.
- Conduct regular vulnerability assessments and penetration testing to identify and remediate vulnerabilities.
- Continuously review and enhance security controls and practices based on emerging threats and industry best practices.

Monitoring & Assessment

The monitoring and assessment strategies set out for the technology strategy are:

- Regular Performance Reviews - Conduct periodic reviews of the technology strategy's performance against established KPIs and metrics.
- Incident and Threat Monitoring - Continuously monitor and analyze security incidents, threat intelligence, and emerging cyber threats.
- User Feedback and Surveys - Collect feedback from employees and stakeholders regarding the usability and effectiveness of technology systems and cybersecurity measures.
- Compliance Audits and Assessments - Conduct regular audits and assessments to ensure compliance with relevant regulations, industry standards, and internal policies.
- Lessons Learned Analysis - Analyze past incidents and near-misses to identify areas for improvement and implement corrective actions.
- Technology Landscape Analysis - Stay updated on emerging technologies, industry trends, and evolving threat landscapes to inform innovation and improvement strategies.

Next Steps

- Board Approval - Present the Technology Strategy Guideline to the Board of Directors for review and approval. Address any questions or concerns raised during the presentation. Provide an overview of the guideline's purpose, key components, and recommendations.
- Stakeholder Communication - Communicate the approved strategy to relevant stakeholders, including department heads, IT teams, and employees, to ensure alignment and understanding.
- Implementation Kickoff - Initiate the implementation process by establishing project teams, assigning responsibilities, and developing detailed action plans.
- Resource Allocation - Allocate the necessary physical, financial, and human resources to support the implementation of the strategy. Review budgetary needs and secure necessary approvals.
- Implementation Monitoring - Establish mechanisms to monitor and track the progress of the implementation. Set up regular meetings, reporting channels, and performance reviews.
- Continuous Improvement - Foster a culture of continuous improvement by regularly reviewing the strategy, collecting feedback, and incorporating lessons learned into future iterations.
- Review and Update - Schedule periodic reviews of the Technology Strategy Guideline to assess its effectiveness and relevance. Update the strategy as needed to address evolving threats and technology advancements.

CONCLUSIONS

In summary, the Technology Strategy Guideline outlines a comprehensive plan to address cybersecurity challenges, enhance technology infrastructure, and support the long-term success of Guinness. The document covers key areas such as the organization's past and current vision, future vision and mission, organizational core values, and goals for the short term and long term. It emphasizes the importance of resource assessment, ethical stakeholder engagement, risk management, incident response, and ongoing monitoring and assessment.

By leveraging the NIST Framework and the CIS 20 Critical Controls, we have developed a robust and adaptable strategy that aligns with Guinness's unique needs and aspirations. This strategy seeks to establish a proactive and resilient cybersecurity posture, optimize resource allocation, and foster a culture of security and innovation.

The proposed implementation plan, supported by clear responsibilities, timelines, and budgets, will guide us in executing the strategy effectively. We will continuously monitor and assess our progress, using key performance indicators and feedback mechanisms to ensure that we remain on track and make necessary adjustments.

In conclusion, we are confident that the Technology Strategy Guideline will enable Guinness to strengthen its technology infrastructure, enhance cybersecurity measures, and position the organization for future growth and success. We remain committed to continuous improvement and adaptation in the face of evolving threats and technological advancements. By working together and dedicating the necessary resources, we will achieve our technology and cybersecurity objectives while safeguarding the organization and its stakeholders.

APPENDIX

The following matrices outline the semi-complete implementation action plan for the cybersecurity initiatives and the semi-complete digital strategy implementation action plan detailed in the guideline. They provide an overview of the key tasks, responsible parties, board role, budget/source, timelines, and status updates. These matrices serve as a guide for the Board of Directors and stakeholders of Guinness to understand the broad scope and progress of the implementation efforts.

Cybersecurity Implementation Action Plan Matrix

Ref No. | Task | Year to be completed | Responsible Owner | Board Role | Budget/Source | Key Dates | Status | Next Steps

1 | Conduct Initial Review and Assessment | Q3 2023 - Q4 2023 | CISO, Cybersecurity Team | Approval | Assumed budget: $50,000 | Assessment kick-off meeting (15/07/2023) | Completed | 1.) Analyze assessment findings and identify key areas of improvement. 2.) Begin formulating recommendations and action plan.

2 | Prioritize and Scope | Q4 2023 | CISO, Implementation Team | Approval | - | Scope finalized and approved (14/10/2023) | In Progress | 1.) Gather input from key stakeholders to determine the priority of systems and assets. 2.) Define the scope of the implementation plan based on risk assessments and business needs.

3 | Develop Implementation Strategies | Q4 2023 - Q1 2024 | CISO, Implementation Team, Subject Matter Experts | Review and Guidance | Assumed budget: $100,000 | Strategies developed and presented (12/12/2023) | In Progress | 1.) Refine implementation strategies based on feedback received. 2.) Collaborate with subject matter experts to ensure comprehensive coverage of critical areas.

4 | Allocate Resources | Q2 2024 | CISO, Finance Department, Human Resources | Approval | Assumed budget: $200,000 | Resource allocation plan approved (04/04/2024) | In Progress | 1.) Develop a detailed budget plan considering technology investments, training programs, and external resources. 2.) Present the budget plan for approval and secure necessary resources.

5 | Establish Governance Structure | Q2 2024 | CISO, Executive Management, IT Governance Committee | Review and Approval | Assumed budget: $50,000 | Governance structure established (01/06/2024) | In Progress | 1.) Define roles and responsibilities within the governance structure. 2.) Develop policies and procedures to ensure effective oversight and decision-making.

6 | Implement Controls and Measures | Q3 2024 - Q4 2024 | Cybersecurity Team, IT Department, Subject Matter Experts | Execution and Reporting | Assumed budget: $300,000 | Controls implementation started (01/09/2024) | In Progress | 1.) Execute implementation plan according to defined strategies. 2.) Monitor progress and report on the implementation status regularly. 3.) Adjust implementation approach as necessary based on feedback and emerging challenges.

7 | Conduct Training and Awareness | Q3 2024 - Q4 2024 | Cybersecurity Team, HR Department, Security Awareness Champions | Oversight and Guidance | Assumed budget: $50,000 | Training program initiated (30/10/2024) | Not Started | 1.) Develop a comprehensive cybersecurity training program (Dutta, 2023). 2.) Collaborate with the HR department to deliver training sessions and awareness campaigns. 3.) Monitor the effectiveness of the program and address any gaps identified.

8 | Perform Ongoing Monitoring and Evaluation | Q1 2025 - Q2 2025 | CISO, Cybersecurity Team, IT Department, Internal Audit | Review and Guidance | Assumed budget: $100,000 | Monitoring and evaluation plan finalized (01/01/2025) | Not Started | 1.) Establish mechanisms for ongoing monitoring and evaluation of implemented controls. 2.) Develop a process for periodic assessments and reporting. 3.) Regularly review and update the cybersecurity program based on findings and recommendations.

Digital Strategy Implementation Action Plan Matrix

Ref No. | Task | Year to be completed | Responsible Owner | Board Role | Budget/Source | Key Dates | Status | Next Steps

1 | Upgrade network infrastructure | Year 1 | IT Director | Approval | IT budget: $50,000 | Kick-off meeting (Q2-2023) | In Progress | Execute hardware procurement process.

2 | Conduct vulnerability assessment | Year 1 | Security Manager | Review | Cybersecurity budget: $150,000 | Q3-2023 | In Progress | Engage external cybersecurity firm for assessment.

3 | Develop incident response plan | Year 1 | CISO | Approval | IT budget: $100,000 | Strategies for incident plan meeting reviews (Q3-2023) | In Progress | Collaborate with legal and HR departments to define response procedures.

4 | Implement multi-factor authentication | Year 2 | IT Director | Approval | IT budget: $200,000 | Q1-2024 | In Progress | Assess available authentication solutions and conduct pilot testing.

5 | Conduct cybersecurity awareness training | Year 2 | HR Manager | Review | Training budget: $50,000 | Training program initiated (01/04/2024) | In Progress | Develop training materials and schedule sessions for all employees.

6 | Establish vendor risk management program | Year 2 | Procurement Manager | Approval | IT budget: $300,000 | Procurement team meeting with stakeholders (01/06/2024) | Started | Define assessment criteria and incorporate into vendor onboarding process.

7 | Review and enhance security controls | Year 3 | Security Manager | Approval | Cybersecurity budget: $50,000 | Controls implementation started (30/10/2024) | Not Started | Conduct gap analysis and prioritize control enhancements.

8 | Conduct regular security audits and assessments | Year 3 | Internal Audit Manager | Review and Guidance | Audit budget: $100,000 | Monitoring and evaluation plan finalized (01/01/2025) | Not Started | Define audit scope and engage external auditors if necessary.

References

Bleich, C. (2023). 4 things your cyber security training for beginners must cover. Edge Point Learning. https://www.edgepointlearning.com/blog/cyber-security-training-for-beginners/

Borkar, P. (2022). Incident response: 6 steps, technologies, and tips. Exabeam. https://www.exabeam.com/incident-response/the-three-elements-of-incident-response-plan-team-and-tools/

Bresnahan, E. (2022). How digital transformation impacts IT and cyber risk programs. CyberSaint Security. https://www.cybersaint.io/blog/managing-risk-in-digital-transformation
