In Depth
Five Steps to an Effective Strategic Plan
Stop lurching from crisis to crisis. Take the long view to find business value in security by forming a strategic plan.
By Sarah D. Scalet
When Gatewood started at the University of Georgia in Athens two years ago, one of the first things he did was read every business plan for the university that he could get his hands on. The most important? A five-year plan written by the president of the university (which has more than 33,000 students). This kind of big-picture approach can help the CSO get out of tactical mode. "I saw where the university wanted to go, and then I commenced creating the security strategic objectives based on that," Gatewood says.
For instance, one of the president's priorities was attracting top-notch professors. Gatewood made sure that his department's initiatives echoed that same goal. "If you step forward and say, 'I need $50,000 for a firewall to protect the research cluster,' that's not enough," Gatewood says. Instead, he positioned his objectives in terms of how they would meet the university's overarching strategy and goals. "I would say, How can you attract a professor to do advanced research if the technology that he or she is going to be using is not trusted?" he says. Sometimes a semantic change can make all the difference.
Just reading the business's strategy isn't enough, however. Having businesspeople involved in your planning process ensures that security is headed in the right direction and also helps you get support for your program. "Businesses have tight budgets and restrictions on what they can and cannot do," says Bobby Gillham, the former head of security for ConocoPhillips who is now a consultant. "You have to convince these folks that a security enhancement is really in the best interest of the business, and that they're agreeing to pay for it."
By looking at improvements you want to make over the next three years or so rather than just the current budget cycle, Gillham says, you may be able to get business leaders to make a longer-term commitment to a specific project. If a particular department doesn't have money in the budget for your project during the next fiscal year, you may be able to get the group to fit it in for the following year. Heck, you might even find a way to spread the cost over several years. Taking the long view can often help accomplish goals that can't be crammed into one year's budget.
2: Always do a risk assessment
Once you know what the business priorities are, the next step is figuring out which security risks might keep the business from meeting its goals. This is done with a risk assessment. At Avon Products (yes, that Avon), the process starts a full four months before Robert Littlejohn, vice president for global security, brings together his top directors for an annual two-day strategy meeting.