Six Keys to Successful Security Strategic Planning

Bill Stackpole and Eric Oksendahl

The following six elements are the keys to successful strategic planning:

  1. Simplicity
  2. Passion (emotional energy)/Speed of Planning and Adapting
  3. Connection to Core Values
  4. Core Competencies
  5. Communication
  6. Implementation

Simplicity
Regardless of the methodology and tools employed, a strategic direction must be simple enough to be understood by not only the strategic planning committee, but every stakeholder in an organization. One good metric for assessing the clarity of your strategy is an "elevator speech." An elevator speech is a 60-second summary of your strategy that presents a compelling overview of strategic direction. The speech should be short, easily understood, and motivating.

If you can't easily build an elevator speech, it's time to simplify. Organizational vision comes from understanding the current realities of the organization, possessing a keen sense of where the organization needs to go, as well as having a plan for bridging the gap between the present reality and the desired future.

We've watched corporate CEOs deliver a compelling version of company vision and strategic direction over and over again for years to different audiences. Each time it sounded new and fresh and always generated great questions from audiences ranging from Wall Street to employees to customers and shareholders. It was the questions from the audience that created the dialogue and forged a deeper understanding of the direction of the company as well as provided insight into what various elements of the extended enterprise thought about the direction. A CSO, CIO, and other security leaders should develop the same ability to speak with energy, conviction, and clarity about security and its role in enterprise success. They should also be ready to listen and respond to questions from employees, customers, suppliers, or other extended enterprise stakeholders.

Our approach utilizes a holistic view of security; this isn't the traditional view of security. Holistic security seeks to understand the impact of security issues on the entire enterprise. Holistic security functions as a fully integrated part of an organizational system. The assumption is that systems have to be understood as wholes rather than as a sum of their parts. This includes technology, processes, information, and, most importantly, people. A holistic approach takes into account the entire organization as it makes decisions. A holistic approach to security starts with bringing together different security silos into a single functional team that works collaboratively to support the organization's security needs. The benefits of using a holistic framework are a better understanding of the organization's security requirements, the impact of security issues on organizational performance, and the best way to optimize the dollars spent to mitigate those issues. A whole systems view of security seeks to understand:

  • Who security stakeholders are and how they work together to produce value in an organization
  • The future security impacts of current industry trends
  • The real (accurate) security state of the organization as it exists today
  • The competitiveness factors driving security changes
  • The unique contributions security makes to the world around them

The goal is a complete understanding of the most important elements of the infrastructure and how we can make the future of our organization more secure. From that understanding, the security group can begin to form a more cohesive organization with one strategic mission and one set of consistent goals designed to promote collaboration between the different security functions and the other service groups security works with. The second goal is to understand the security culture of the security group: not only how the people working in security treat and interact with each other and their customers, but also how the organizational culture perceives security as a whole.

By creating a "whole picture" understanding of organizational risk, security groups can better assist organizational leaders in understanding security issues, identifying strategies to mitigate risk, implementing policies to manage risk, and deciding which risks to simply accept. A "whole picture" understanding of organizational security issues also helps identify and eliminate redundancies within an organization. Eliminating wasteful repetitions such as multiple user identities, and utilizing economies of scale by converging systems with common functionality across an enterprise, can help reduce overall operating costs. Think we're dreaming? Many security leadership articles of late discuss "holistic security" as a fundamental requirement of staying relevant, whether you are working at IBM, BWX Technologies, the U.S. Department of Energy, Wells Fargo, or a U.S. Department of Defense contractor.

Strategic efforts based on simplicity facilitate organizational adoption, promote a holistic understanding of security, and produce cost-effective results. Simplicity must be part of all our security endeavors.

Passion (Emotional Energy) and Speed of Planning and Adapting
If a strategic direction has no emotional connection for those who are charged with moving, implementing, selling, telling, living, breathing, and executing the strategy, the strategic direction is DOA. Strategic planning is a marathon, not a sprint. It takes emotional stamina for an organization to move toward a vision. It takes speed and passion to win in today's environment: speed to get good data from the frontlines of an organization into the planning process; speed to analyze the data; speed to react to it; and speed to move in an altered direction when necessary. Once a year planning cycles for strategic planning are DEAD; they are too slow, too ponderous, and too removed from today's business cycles. Current practices spend too much time looking at the past to predict future trends or trying to explain what went wrong in previous planning cycles. Many tend to focus on year-long market research cycles, big glossy pictures, and graphs instead of considering inputs that will drive the organization into the future.

Recent research from Korean academic W. Chan Kim and Renée Mauborgne has found that the key difference between companies that achieve high growth and those that don't is the way that they approach strategy. According to Kim and Mauborgne, value innovators challenge competitive thinking; they identify new market space and position themselves to exploit it, even if that means moving beyond the traditional boundaries of their business. Security can be part of an organizational "value proposition," but in order to accomplish that end, security practitioners will have to challenge current thinking, identify new ways of providing organizational security, and position themselves to exploit them. Our experience with security professionals is that there is often a strong sense of core values in those who choose to work in the security field. Strategic planning efforts need to leverage that passion, make those values explicit, and link them clearly into strategic plans.

Connection to Core Values
Core values are the emotional engine that drives people and organizations forward. Being explicit about a strategic direction and how it links to the organization's core values and competencies helps everyone understand why the energy, focus, and costs are worth it. Values are the "how" an organization expects to conduct business. Values that are understood, communicated, and made part of an organization's vision help guide the daily activities of those who work within that organization. When people understand the values that are at the heart of an organization, they have a better understanding of how to move toward realization of that vision.

In light of the recent lapse of sound ethical strategic planning in many sectors of business and government, we would suggest centering any strategic planning process on an examination of, and planning from, the core values of your organization. A regular reexamination of strategic direction to assure it is holding true to the core values of an organization is as fundamental to organizational health as a regular medical exam is to physical health. One only has to examine recent headlines to discover strategic planning gone awry. They are prime examples of leadership abandoning once-sound organizational values to further goals more aligned with corporate avarice, greed, pride, recklessness, and worse. When organizations fixate on a single arbiter of fiscal health such as stock price or competitive advantage, it often leads them down the path of compromise, causing them to shed core values in pursuit of wealth, status, power, and prestige. Abandoning an organization's core values can quickly end in the crippling or ultimate demise of a once thriving, successful organization.

The failure of Washington Mutual Savings and Loan (WaMu) is a great example. WaMu was a well-run Seattle-based bank that was ripe for acquisition by one of the larger banks. Instead of being acquired, however, WaMu executives decided that they would be the acquirer and adopted a rapid growth strategy. First, WaMu acquired a number of small and midsize banks to strengthen its position in the Northwest. Then in the mid-1990s it expanded to California with the purchase of American Savings, but the acquisition forever changed the home-spun nature of the bank. WaMu used the mortgage business it acquired in the American Savings deal to fuel its unprecedented growth, but in the process it abandoned the core values on which it had been founded. WaMu entered into the Adjustable Rate Mortgage (ARM) business, adopting the "balloon" option that gave borrowers three to five years of low payments that ballooned into much larger payments that frequently resulted in defaults. WaMu had always held its own loans, but now it started to bundle and sell them off. Internal controls for measuring and managing risk were disabled, allowing increasingly riskier loans. Then in 1999 WaMu abandoned the last vestige of its core values when it acquired Long Beach Mortgage's subprime mortgage business. The "friend of the family" had become obsessed with the profits it needed to fuel its growth and escalate the value of its stock. In September 2008, WaMu paid the price for its folly, when federal regulators took over the bank, putting an end to a 119-year-old Seattle institution, one that had made it through the Great Depression and the 1980s Savings and Loan crisis.

We have personally seen billions of dollars lost when an organization in which we worked had leaders who lost sight of the organization's core values. The cost to the organization and the personal cost to the employees were huge and took many years to overcome. It is important to build continual reminders into day-to-day management activities of what an organization's core values are and how they show up at work. It can be as simple as finishing a staff meeting with a closing story, an award, or an example that catches your staff "doing the right thing."

Core Competencies
Core competencies are the specific, extraordinary abilities that give your organization an edge in the marketplace, service sector, or the like, and cannot be easily imitated. They deliver value to customers in the form of technical expertise, customer and supplier relationships, product development, organizational culture, and/or employee involvement. C. K. Prahalad and G. Hamel developed the main ideas about core competencies in both their series of Harvard Business Review articles and their follow-on best-selling book Competing for the Future.

Analyzing a company's core competencies helps determine which strategies, activities, and practices need improvement. In addition, it is helpful to determine which competencies to develop in-house and which to outsource. This can be done at multiple levels in a company, including the security group. The key questions to use when conducting a core competencies analysis are as follows:

  1. Does the activity provide unique or valued potential access to the market?
  2. Does the activity add value?
  3. Is it difficult for competition to imitate the activity?

The advantage of developing a short, refined list of core competencies is that it produces a realistic view of the skill sets, processes, and systems the company is uniquely good at performing. It helps to generate focus on the value-adding activities. And finally, it helps in the decision process used to determine which activities are candidates for outsourcing.

In our experience, this can be a difficult activity within a specific organization like security. As an organization lists the key services and activities it engages in and then begins to sort through whether they are unique or common, the first tendency is to overstate uniqueness. Upon closer examination, many activities are not unique. This quality can be determined at an organizational level by asking, "Can this service be contracted out?" For example, guards who enforce physical security may be classified as a common service that could potentially be contracted out.

Changing business models can also impact the core competencies needed in an organization. If, for instance, an organization moves toward a systems integrator model of providing security services rather than a proprietary in-house security group, the core competencies will shift. Previously, service skills may have been the core competencies; now, other competencies, such as contract management, become crucial for career and organizational success.

Communication
A strategic plan must be communicated in multiple ways to multiple stakeholders. Secrecy about strategic plans hamstrings organizations through lack of understanding, absence of ownership, and insufficient input. Strategic plans have to be communicated, and a dialogue of rich information must be continued throughout the planning and implementation phases. No strategy remains static; daily events provide a constant flow of information to be reviewed.

Information sharing between the elements of the whole system or value chain is essential to good strategic planning. That requires forming a team with members from various departments and equipping them with the communication tools they require for cohesive collaborative planning.

Leadership in today's marketplace requires straight talk. By straight talk, we mean talk that is honest, clear, and sensitive to the moment. In addition, today's realities require an organizational environment in which straight talk is not only encouraged but valued. Ask yourself, "Do the employees in my organization feel that they can speak the truth concerning what they observe and feel to me or the leadership of this organization?" The key to creating an environment of open communication is respect: respect both for one another and for the opinions that are voiced.

Jake Laban and Jack Green argue that communication itself may be the strategic framework that helps make winning strategy. In an article titled "Communicating Your Strategy: The Forgotten Fundamental of Strategic Implementation," published in Pepperdine University's Graziadio Business Report, Laban and Green outline a strategy for communicating an organization's business strategy. In this approach they suggest the following as a winning communications strategy:

  1. Build the communications strategy as a STRATEGY. Develop a big-picture communications strategic goal, clearly define communication objectives and change them as required over time, and identify critical tactics, which in turn can provide a good metric for feedback and evaluation of the program.
  2. Understand the communication channels chosen. Recognize channel limitations (e-mail, SharePoint, video, etc.), match the channel to the desired level of interaction and feedback needed, and remember that multiple channels are often necessary for strategy implementation.
  3. Apply the appropriate packaging technique. Use the language of the consumer/end-user to aid understanding and execution, use well-constructed communication to disseminate and reinforce corporate culture, and avoid pandering to the lowest common denominator, instead challenging laggards to catch up with high performers.

Regardless of your approach to communication, having a communications plan is essential for getting the word out. In the past, we have found success working with a communications professional from the enterprise communications group. If available, tapping into communication professionals can greatly assist your own planning efforts.

Implementation
A good strategic plan means nothing without implementation. Having a clear implementation plan is crucial to successful strategy. Integration is key to the successful implementation of strategic initiatives and objectives, and your implementation plan must be linked to those initiatives and objectives. Implementation is the plan enacted to integrate security into the organizational system, and often to extend it into the supply chain as well. Integration is sometimes referred to as security convergence. Security convergence refers both to the threat side and the solutions side of security. It takes a sophisticated holistic (systems) model to understand and plan for integration.

Some examples of security convergence are Enterprise Security Risk Management models that help provide input into strategic planning. An Enterprise Security Risk assessment demands a rollup, or convergence, of subject matter expert recommendations for assessing and managing security threats throughout the entire system, covering both physical and IT security.

Security convergence is more than integration of security departments throughout an organization, although that is a start. (See Chapter 6 of this book for additional information on this topic.) Developing a holistic view for convergence issues requires a collaborative dialogue between multiple functions within an organization to better understand the common risk concerns, challenges, and possible solutions. This includes physical, personnel, and information security, import/export, business/competitive intelligence, intellectual property and brand protection, privacy, fraud prevention, ethics, supplier management, legal, investigation and background checks, business continuity, disaster recovery, disaster preparedness, emergency services, and safety/OSHA. The focus is on getting security solutions integrated throughout the company's business architecture from R&D, operations, and sales to product and service delivery. Security's job is to help build value throughout the value chain of the organization through cost-efficient risk mitigation.

It is also important to include integration at the tactical level of security planning. As an organization puts in place core security activities, the right tactics for the people, process, and technology aspects of security convergence need to be selected. Integration is not easy, nor is it made easier at the most tactical and concrete level: the processes and architecture put in place by the strategic plan.

Typically, an implementation plan includes action plans, budget plans, responsibilities, authority, and accountability guidelines as well as a schedule for implementation, monitoring, and a communication plan.

About the Author

From Security Strategy: From Requirements to Reality by Bill Stackpole and Eric Oksendahl. New York: Auerbach Publications, 2011.

© Copyright 2010 Auerbach Publications