No matter of where you work, the reality is that technology advances, threats emerge, and security adapts -- wash, rinse, repeat. Regardless, strategic planning is a critical part of information security that can transform an organization from being reactive to becoming proactive.
There are countless resources available to teach us about strategic planning methodologies. Unfortunately, something that these resources cannot teach is how to implement a strategic plan in the real world. To have a truly successful implementation means we have to go beyond processes, experiences, or skills and look at how we as security professionals can turn plans into results.
Your own worst enemy
Before actually starting down the path of strategic planning, it is critical that we know the role we will play throughout the process. Sun Tzu once said in The Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Essentially this means that before you start with strategic planning you have to know what you are and what you are not because the way you operate can either make or break a successful execution.
I think it’s fair to say that every security professional has an origin story, and (whether we like it or not) there were moments that influenced how we will execute our strategic planning. In terms of knowing what you are, for the most part, those of us who are performing strategic planning will most likely be security professionals with experience across multiple information security domains. Being a “jack of all trades” means that we have the know-how to approach strategic planning more holistically because we have a greater understanding of core security values and how to apply them accordingly.
So if we know what it takes to be successful, how exactly can we become our own worst enemy? This can be attributed to our in-depth understanding of information security values, which can subconsciously escalate our way of thinking from being passionate to being obsessed. Truly, it can be viewed as a good thing to be obsessed with information security values, but there’s a danger of that obsession turning into a road block to success and limiting our ability to innovate.
Think inside the box
One misconception about strategic planning is that creativity and innovation come primarily from “thinking outside the box.” In reality, this kind of unstructured methodology has a tendency to produce outcomes that have no relevance to the plan’s end goal(s). A better approach to information security is to go back to thinking inside the box.
Security professionals with a strong sense of core values tend to be more creative when focused on specific issues and constraints rather than working with vague directions and multiple agendas. To get to this point, it’s important that we look at information security as an entire ecosystem instead of smaller groupings of protection. When an organization has a complete view of its information security program, it can identify and evaluate unnecessary redundancies and provide better support for its risk management framework.
This is not to say to we should eliminate defense-in-depth strategies. Instead we need to work towards developing a set of consistent security goals throughout the organization that reduce operating costs and enhance the capabilities of core security systems.
Every security professional wants to see his hard work become a reality, but the truth is that only a few of the strategies we work on will actually succeed. Why is this? Have you ever been told that the reason we perform strategic planning is "to reduce risk?" The lack of detail in this explanation is what leaves us struggling to define how we measure what success looks like.
Running vs. changing security
Much like "thinking inside the box," another element of strategic planning can be attributed to focusing on actually doing something instead of merely thinking that we should be doing something. This can be rather difficult to accomplish given how we’ve all been conditioned to feel that running security operations supersedes changing security operations.
Roadmaps are an excellent way for organizations to support their strategic plans. But what we should be cautious of is that these roadmaps don’t dictate exactly what we need to do to reach our goals. Wouldn’t it be better if we could instead leverage the motivation within our operational security teams to provide us with a vision of what the finish line should look like?
This is a proven ideology that has produced information technologies that have integrated and simplified information security values without becoming too disturbing for users. The key component, as stated by Steve Jobs, is that you've got to start with the customer experience and work back toward the technology -- not the other way around.
The evolution of information security is often a reaction to the advancement of the data and technology it protects. Having established roadmaps that illustrate what the finish line is, the execution of a strategic plan can be driven by those who are thinking inside the box and motivated to achieve success.
However, as professionals we must keep in mind how quickly being passionate can change to being obsessed and that this can influence the overall implementation of strategic security solutions. If we work backwards from where we want to be, we will be able to better integrate and simplify information security regardless of technology.