In Depth
Five Steps to an Effective Strategic Plan
Stop lurching from crisis to crisis. Take the long view to find business value in security by forming a strategic plan.
By Sarah D. Scalet
Starting in June, regional security leaders send out forms for Avon business leaders around the world to use to evaluate the risks they face—from natural disasters to political and social unrest. The business leaders are asked to estimate the likelihood of each event occurring and its potential impact on the company, which has operations in 145 countries. In August, that risk assessment is followed by a client survey about how the business leaders view the security and enterprise risk processes already in place: What's working? What's not? What are their top concerns?
Then the regional security directors go over the risk assessment carefully to validate it, making changes or additions as necessary. For instance, Littlejohn recalls that last year, a business leader for Moldova indicated that there was a high risk of that country's government being overthrown. The regional security director for Europe went to the U.S. embassy in Moldova, sat down with the embassy's regional security officer and political officer, and determined that the country was more stable than the business manager had indicated.
All of which is to say that even though business leaders need to be involved in the planning process, sometimes it takes a security expert to really nail a risk assessment.
This expertise, by the way, can come in handy outside of the security department's strategic planning. It can make the CSO invaluable during businesswide strategic planning too. Paul Laudicina, an A.T. Kearney vice president and managing director of the consultancy's Global Business Policy Council who wrote World Out of Balance: Navigating Global Risks to Seize Competitive Advantage, believes that companies that want to be successful in the global marketplace need to be savvier about managing all kinds of risks—from military coups to epidemics to, yes, computer viruses. A CSO can be critical in this process. Or not.
"Whether or not [managing these risks] is the responsibility of the chief security officer or someone else will be a function of how well the chief security officer is able to step up to the plate," Laudicina says.
3: Set measurable goals for your team, to keep your plan grounded
Once you've done your homework, it's time to start marrying the business's risks and goals. You need your own strategy.
At the top level are your objectives. They can be as simple as you'd like. At Avon, Littlejohn has a straightforward mission: protect Avon's people, products, profits, property, processes and reputation. At AT&T, CISO Ed Amoroso's objectives are equally simple: improve security, reduce costs, and use security to establish competitive advantage. (Just try to imagine the CEO of AT&T arguing with any of those, no matter how drastically the telecom giant's overall strategy may be changing.)



