Stan Gatewood has a litany of reasons why CSOs might not bother with strategic planning. Just ask.
"You have the economy playing against you," says Gatewood, CISO of the University of Georgia. "You have social behavior playing against you. You have technology. You have laws and regulations." And don't bother looking for specialized books or seminars to help you apply business strategic planning principles to security. There aren't any.
Despite all this, Gatewood is here to say that you need to do strategic planning. "If you have no plan, how will you know if you're doing it right?" he asks. "You will be reacting to every little thing that bumps in the night."
After all, that's how most corporate and information security groups have operated for years: Break glass, pull handle. Security departments could hardly control their future, the thinking went, when they were so incident-driven.
But all this is changing, as CSOs and CISOs begin to see the value of using established strategic planning principles to guide their efforts. At its core, strategic planning is nothing more than a formalized process for setting goals based on business objectives and then mapping out how to accomplish those goals—over the coming years, not months.
Sure, many of you have high-level mission statements. And sure, most of you have year-ahead tactical plans tied to your budgets. A truly strategic plan, however, sits in the sweet spot between those two levels. CSOs who have figured out how to create and implement a strategic plan say that it helps them spend resources wisely, gather support for security initiatives and gain alignment with the business. No glass broken.
"It's really about putting the big C in CSO," says James Quinnild, a security partner in the advisory practice at PricewaterhouseCoopers. "CSOs are managing a lot more funding, their visibility within the organization is a lot higher, and there are a lot more people asking the CSO, How are you doing? What are you doing? How did you prioritize what you're doing?" A well-thought-out plan helps answer those questions.
Especially in the rapidly changing information security field, planning for the future can be perilous. Technologies change, and new threats emerge. But despite the challenges, the strategic planning process is crucial if you want to get your organization out of crisis mode. Here are five steps to getting started. As you'll see, this isn't an arcane discipline. It's Business 101, applied to security.
1: Begin with the business's big-picture plan
When Gatewood started at the University of Georgia in Athens two years ago, one of the first things he did was read every business plan for the university that he could get his hands on. The most important? A five-year plan written by the president of the university (which has more than 33,000 students). This kind of big-picture approach can help the CSO get out of tactical mode. "I saw where the university wanted to go, and then I commenced creating the security strategic objectives based on that," Gatewood says.
For instance, one of the president's priorities was attracting top-notch professors. Gatewood made sure that his department's initiatives echoed that same goal. "If you step forward and say, 'I need $50,000 for a firewall to protect the research cluster,' that's not enough," Gatewood says. Instead, he positioned his objectives in terms of how they would meet the university's overarching strategy and goals. "I would say, How can you attract a professor to do advanced research if the technology that he or she is going to be using is not trusted?" he says. Sometimes a semantic change can make all the difference.
Just reading the business's strategy isn't enough, however. Having businesspeople involved in your planning process ensures that security is headed in the right direction and also helps you get support for your program. "Businesses have tight budgets and restrictions on what they can and cannot do," says Bobby Gillham, the former head of security for ConocoPhillips who is now a consultant. "You have to convince these folks that a security enhancement is really in the best interest of the business, and that they're agreeing to pay for it."
By looking at improvements you want to make over the next three years or so rather than just the current budget cycle, Gillham says, you may be able to get business leaders to make a longer-term commitment to a specific project. If a particular department doesn't have money in the budget for your project during the next fiscal year, you may be able to get the group to fit it in for the following year. Heck, you might even find a way to spread the cost over several years. Taking the long view can often help accomplish goals that can't be crammed into one year's budget.
2: Always do a risk assessment
Once you know what the business priorities are, the next step is figuring out which security risks might keep the business from meeting its goals. This is done with a risk assessment. At Avon Products (yes, that Avon), the process starts a full four months before Robert Littlejohn, vice president for global security, brings together his top directors for an annual two-day strategy meeting.
Starting in June, regional security leaders send out forms for Avon business leaders around the world to use to evaluate the risks they face—from natural disasters to political and social unrest. The business leaders are asked to estimate the likelihood of each event occurring and its potential impact on the company, which has operations in 145 countries. In August, that risk assessment is followed by a client survey about how the business leaders view the security and enterprise risk processes already in place: What's working? What's not? What are their top concerns?
Then the regional security directors go over the risk assessment carefully to validate it, making changes or additions as necessary. For instance, Littlejohn recalls that last year, a business leader for Moldova indicated that there was a high risk of that country's government being overthrown. The regional security director for Europe went to the U.S. embassy in Moldova, sat down with the embassy's regional security officer and political officer, and determined that the country was more stable than the business manager had indicated.
All of which is to say that even though business leaders need to be involved in the planning process, sometimes it takes a security expert to really nail a risk assessment.
This expertise, by the way, can come in handy outside of the security department's strategic planning. It can make the CSO invaluable during businesswide strategic planning too. Paul Laudicina, an A.T. Kearney vice president and managing director of the consultancy's Global Business Policy Council who wrote World Out of Balance: Navigating Global Risks to Seize Competitive Advantage, believes that companies that want to be successful in the global marketplace need to be savvier about managing all kinds of risks—from military coups to epidemics to, yes, computer viruses. A CSO can be critical in this process. Or not.
"Whether or not [managing these risks] is the responsibility of the chief security officer or someone else will be a function of how well the chief security officer is able to step up to the plate," Laudicina says.
3: Set measurable goals for your team, to keep your plan grounded
Once you've done your homework, it's time to start marrying the business's risks and goals. You need your own strategy.
At the top level are your objectives. They can be as simple as you'd like. At Avon, Littlejohn has a straightforward mission: protect Avon's people, products, profits, property, processes and reputation. At AT&T, CISO Ed Amoroso's objectives are equally simple: improve security, reduce costs, and use security to establish competitive advantage. (Just try to imagine the CEO of AT&T arguing with any of those, no matter how drastically the telecom giant's overall strategy may be changing.)
The strategy is simply the way you will fulfill those missions over the coming years. The further out the plan goes, the less specific it becomes. Also, you may choose to share a less-specific plan with the board of directors and have a more detailed plan that you circulate within the security department. The trick is looking beyond your tactics for the next year and planning out your goals for the coming years.
For instance, a tactical plan might include how the security department will handle software patches for the immediate future. But the strategic component of patch management is much different, hinging on how long the CISO anticipates that intensive patch management will be necessary.
"If we thought that the software industry in the next two or three months was not going to have any more bugs in their software, then we wouldn't make a decision to invest in a patch infrastructure," Amoroso says. "My gut tells me that in the next couple months, you won't see it getting better. But the question is, when will it?" If the CISO expects that his team will continue having to install lots of patches for the next five years, he might decide it does make financial sense to invest in streamlining the way those patches get installed. But if he thinks patches are a short-term solution and that eventually vendors will create better products from the get-go, he might make a strategic decision to keep doing patches manually.
No matter how you frame it, however, there are two keys to making strategy work. One is that, eventually, every dollar you spend ties to one of your objectives (which in turn ties to a business objective). "It all comes down to a budget and a set of priorities and lining up the program that you're going to execute in a given year," Amoroso says.
The other key is that you find metrics that can measure how well you meet those objectives over time. Littlejohn, for instance, has started assigning a numeric value to everything in his country assessment reports: 1 for not implemented, 2 for partially implemented, and 3 for solidly implemented. That allows him to map how well he's accomplishing his goals, year to year. He has his strategy—and a way to demonstrate his progress.
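The likelihood-and-impact forms, the regional director's validation pass described under step 2, and the 1/2/3 implementation scorecard just described, worked through as an added example in Python. This is not Avon's tooling: the three-point scales, the countries, events, controls and scores are all constructed for illustration, and the override for "Moldova" mirrors the anecdote above rather than any real figures.

```python
"""Added example: a qualitative risk register with validation overrides,
plus a 1/2/3 control scorecard compared year to year.

All data below is constructed for illustration; the three-point
likelihood/impact scale is an assumption, not the form Avon uses.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean

# Assumed ordinal scale for the likelihood/impact forms.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    country: str
    event: str
    likelihood: str                       # business leader's estimate
    impact: str                           # business leader's estimate
    validated_likelihood: str | None = None  # security director's override
    note: str = ""                        # why the override was made

    def score(self) -> int:
        """Likelihood x impact, using the validated figure when one exists."""
        likelihood = self.validated_likelihood or self.likelihood
        return LEVEL[likelihood] * LEVEL[self.impact]


def validate(risk: Risk, likelihood: str, note: str) -> Risk:
    """Record the director's validated likelihood without discarding the
    original estimate, so the disagreement stays visible in the register."""
    risk.validated_likelihood = likelihood
    risk.note = note
    return risk


def ranked(risks: list[Risk]) -> list[tuple[str, str, int]]:
    """Highest-scoring risks first: the view the strategy meeting works from."""
    ordered = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r.country, r.event, r.score()) for r in ordered]


# --- control scorecard: 1 = not implemented, 2 = partial, 3 = solid --------

def country_score(assessment: dict[str, int]) -> float:
    """Mean implementation score for one country in one assessment cycle."""
    if not set(assessment.values()) <= {1, 2, 3}:
        raise ValueError("scores must be 1, 2 or 3")
    return round(mean(assessment.values()), 2)


def progress(previous: dict[str, int], current: dict[str, int]) -> dict:
    """Per-control change between two cycles (positive means improved).
    A control missing from either cycle is reported as None, not as zero."""
    controls = sorted(set(previous) | set(current))
    return {c: (current[c] - previous[c]) if c in previous and c in current
            else None for c in controls}


def demo_register():
    """Constructed register: ranking before and after the validation pass."""
    risks = [
        Risk("Moldova", "government overthrown", "high", "high"),
        Risk("Brazil", "flooding at distribution centre", "medium", "high"),
        Risk("Poland", "warehouse theft", "high", "low"),
    ]
    before = ranked(risks)
    validate(risks[0], "low",
             "embassy RSO and political officer: country more stable than reported")
    after = ranked(risks)
    return before, after


def demo_scorecard():
    """Constructed two-cycle scorecard for one country."""
    last_cycle = {"access control": 1, "incident response": 2, "travel security": 3}
    this_cycle = {"access control": 2, "incident response": 3, "travel security": 3}
    return (country_score(last_cycle), country_score(this_cycle),
            progress(last_cycle, this_cycle))


if __name__ == "__main__":
    print(demo_register())
    print(demo_scorecard())
```

The register keeps the business leader's original estimate next to the director's override, so the validated ranking can be explained rather than just asserted; the scorecard reports a missing control as None rather than silently treating it as unchanged, which is the kind of gap that makes year-to-year numbers misleading.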
"Business leaders don't scare as easily as they used to," says Georgia's Gatewood, who has been working in information security since the 1970s. "If you simply show up and say, 'The sky is falling, cluck cluck cluck,' they're going to say, 'I heard that last week, last year.' They want hard, cold facts and numbers. They want something that is measurable, doable and repeatable."
4: Recognize that there is no "correct" time frame
Speaking of year-to-year goals, there's always been teeth-gnashing about how far out a strategic plan should look. We're here to tell you the answer once and for all: It depends. Sure, the traditional B-school thinking is that planning isn't really "strategic" unless it looks out more than a year. But the reality is that for CISOs at least, two years may be the outer limit of clear vision, especially during the initial phase of getting out of reaction mode.
"All this junk that you hear in business schools about five-year plans," says Ann Garrett, CISO of the state of North Carolina—well, let's just say she doesn't think it works for infosec.
"You have to have high-level goals, but you can't get too detailed on plans much more than 14 months out," says Garrett, who has an MBA from Meredith College in Raleigh, N.C. "Technology is constantly changing. It's difficult to anticipate where certain things are going."
New threats can emerge. Regulations can change your legal requirements. Key vendors could be acquired. You can't plan for everything. To cope, Garrett's approach is to set as much of a plan as possible for the next two years. (The state operates on a two-year budget cycle, so she doesn't have much choice in the matter.) Her two-year outlook contains specific goals and ways to achieve them. She also keeps in mind the two-to-four-year time frame. Beyond that, though, she has only the most high-level goals in mind. Anything more, she feels, would be a waste of time.
At the other end of the spectrum is David Burrill, head of group security for British American Tobacco. Burrill is working on a 10-year plan (that's right, double digits) for corporate security at the London-based tobacco company. And despite the seeming pretentiousness of a plan that spans a decade, Burrill insists that what he's laying out now isn't so different from what he had in his head 13 years ago when he joined the company.
"Previously, lots of the forward-thinking has been forward-thinking in my own mind," Burrill explains. "What has happened is, as we've grown the [security] function, it's no longer adequate to have something driven by one champion. Now I've got lots of other, very high-quality people around me, and so instead of being one man's vision with a broad backing, there now has to be a team discussion, arguing and then jointly coming to conclusions about what we must be doing in the future."
Conclusion: Plan out as long as you can, and don't sweat the rest.
5: Stay flexible
Actually, what's more important than how far out your plan stretches is how flexible you can be in implementing it.
Take phishing. Or spyware. Or (the latest) Google hacking, in which attackers use ordinary queries to the popular search engine to find a company's exposed files, error pages and misconfigured systems without touching its network directly. None of this would have been included in planning done three years ago. It might not even show up in a strategic plan done now (except maybe under the rubric of, say, protecting the brand). But a good plan will help you deal with these new threats more elegantly. You'll have an organized way of approaching them, because you'll be able to see how they fit in with existing risks and priorities. Good planning might even prevent a new threat from affecting your organization in the first place.
"Let's say you've got an enterprise that uses passwords for remote access to e-mail," AT&T's Amoroso says. "I can't tell you that tomorrow, next week, that's going to be hacked. But I can tell you that if you added two-factor authentication, there's a whole broad class of possible problems that you will render dead by making that change. Your decision is not based on, hey, a year from now something happens. Rather, this is a sound decision [so] that a year from now when a worm is guessing passwords, it's not going to work with my users."
Sure, it can be hard to make those initial steps to get a plan really off the ground, when you're trying to keep on top of everything. But over time, the strategic planning process will get easier. Once you get it going, the plan only has to be updated, not formulated. "It's just part of the job," says Craig Shumard, CISO and senior vice president of Cigna. He says his whole department is structured such that information that feeds his strategy is constantly bubbling up to him—be it from people whose responsibilities include doing risk assessments, creating scorecards or anything else. He can't even define how much of his time he spends on strategy versus operations. "It's not something that's an add-on."
And the more you move into a strategic mode, the more you buy yourself time to focus on what's really important: building business value. "There's always going to be some response" aspect of the job, Quinnild of PricewaterhouseCoopers says. "But by doing more planning up front, [CSOs are] going to free up time to help the business and do some of the things that they want to do but they can't because they're always fighting fires. We have a lot of clients who say, 'We're great at heroic recovery.' That's somewhat endemic to not having a strategy. My response is, 'Wouldn't it be better not to have to fix the problem?'"
Oh, and one other thing: This is a chance for the security department to gain some business cred too. Without strategic planning, "what we're doing is lurching from challenge to challenge, from crisis to crisis," says British American Tobacco's Burrill (the 10-year planner). "If we do that, the security function is always going to remain something which lacks real substance in the eyes of the other functions. Security is almost the baby when it comes to true, accepted credibility.
"We have something to prove."