In Depth

Five Steps to an Effective Strategic Plan

Stop lurching from crisis to crisis. Take the long view to find business value in security by forming a strategic plan.

By Sarah D. Scalet

Page 4

The strategy is simply the way you will fulfill those missions over the coming years. The further out the plan goes, the less specific it becomes. Also, you may choose to share a less-specific plan with the board of directors and have a more detailed plan that you circulate within the security department. The trick is looking beyond your tactics for the next year and planning out your goals for the coming years.

For instance, a tactical plan might include how the security department will handle software patches for the immediate future. But the strategic component of patch management is much different, hinging on how long the CISO anticipates that intensive patch management will be necessary.

"If we thought that the software industry in the next two or three months was not going to have any more bugs in their software, then we wouldn't make a decision to invest in a patch infrastructure," Amoroso says. "My gut tells me that in the next couple months, you won't see it getting better. But the question is, when will it?" If the CISO expects that his team will continue having to install lots of patches for the next five years, he might decide it does make financial sense to invest in streamlining the way those patches get installed. But if he thinks patches are a short-term solution and that eventually vendors will create better products from the get-go, he might make a strategic decision to keep doing patches manually.

No matter how you frame it, however, there are two keys to making strategy work. One is that eventually, you make sure every dollar you are spending ties in with one of your objectives (which then ties in with a business objective). "It all comes down to a budget and a set of priorities and lining up the program that you're going to execute in a given year," Amoroso says.

The other key is that you find metrics that can measure how well you meet those objectives over time. Littlejohn, for instance, has started assigning a numeric value to everything in his country assessment reports: 1 for not implemented, 2 for partially implemented, and 3 for solidly implemented. That allows him to map how well he's accomplishing his goals, year to year. He has his strategy—and a way to demonstrate his progress.
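The 1/2/3 scoring scheme described above lends itself to a small roll-up that turns a pile of yearly assessment reports into a trend line and a list of controls that slipped. The following is an added example, not code from the article or from any of the people quoted in it; the control names and scores are constructed, and the "maturity index" (the mean score for a year) and the year-over-year comparison are this example's own conventions, not Littlejohn's reporting method.

```python
# Added example (not from the article): roll up 1/2/3 implementation scores from
# yearly assessment reports, track the trend year to year, and flag regressions.
# All control names and scores below are constructed for illustration.

SCORE_LABELS = {
    1: "not implemented",
    2: "partially implemented",
    3: "solidly implemented",
}

# Constructed sample: {year: {control_name: score}} for one country/region.
ASSESSMENTS = {
    2023: {"patch management": 1, "access reviews": 2,
           "incident response": 2, "backup testing": 3},
    2024: {"patch management": 2, "access reviews": 3,
           "incident response": 1, "backup testing": 3},
}


def validate(report):
    """Reject any score outside the 1-3 scale so a typo cannot skew the index."""
    for control, score in report.items():
        if score not in SCORE_LABELS:
            raise ValueError(f"{control}: score {score!r} is outside the 1-3 scale")
    return report


def maturity_index(report):
    """Mean score across all controls in one year's report, rounded to 2 places."""
    validate(report)
    return round(sum(report.values()) / len(report), 2)


def percent_solid(report):
    """Share of controls rated 3 (solidly implemented), as a percentage."""
    validate(report)
    solid = sum(1 for score in report.values() if score == 3)
    return round(100.0 * solid / len(report), 1)


def year_over_year(assessments):
    """Compare consecutive years.

    Returns (index_by_year, improved, regressed), where improved/regressed are
    lists of (control, previous_score, current_score). Controls that did not
    appear in the earlier year are skipped rather than treated as regressions.
    """
    years = sorted(assessments)
    index_by_year = {year: maturity_index(assessments[year]) for year in years}
    improved, regressed = [], []
    for prev, cur in zip(years, years[1:]):
        for control, after in assessments[cur].items():
            before = assessments[prev].get(control)
            if before is None:
                continue  # new control this year; no baseline to compare against
            if after > before:
                improved.append((control, before, after))
            elif after < before:
                regressed.append((control, before, after))
    return index_by_year, improved, regressed


if __name__ == "__main__":
    index, up, down = year_over_year(ASSESSMENTS)
    for year in sorted(index):
        print(f"{year}: maturity index {index[year]}, "
              f"{percent_solid(ASSESSMENTS[year])}% of controls solid")
    for control, before, after in down:
        print(f"REGRESSED: {control} went from {SCORE_LABELS[before]} "
              f"to {SCORE_LABELS[after]}")
```

The regression list is the part worth putting in front of a board: a rising average can hide a control that went backwards, and the 1/2/3 scale only demonstrates progress if the same controls are scored the same way every year.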

"Business leaders don't scare as easily as they used to," says Georgia's Gatewood, who has been working in information security since the 1970s. "If you simply show up and say, 'The sky is falling, cluck cluck cluck,' they're going to say, 'I heard that last week, last year.' They want hard, cold facts and numbers. They want something that is measurable, doable and repeatable."
