In Depth

Five Steps to an Effective Strategic Plan

Stop lurching from crisis to crisis. Take the long view to find business value in security by forming a strategic plan.

By Sarah D. Scalet

Page 5

4: Recognize that there is no "correct" time frame

Speaking of year-to-year goals, there has always been teeth-gnashing about how far out a strategic plan should look. We're here to tell you the answer once and for all: It depends. Sure, the traditional B-school thinking is that planning isn't really "strategic" unless it looks out more than a year. But the reality is that for CISOs at least, two years may be the outer limit of clear vision, especially during the initial phase of getting out of reaction mode.

"All this junk that you hear in business schools about five-year plans," says Ann Garrett, CISO of the state of North Carolina—well, let's just say she doesn't think it works for infosec.

"You have to have high-level goals, but you can't get too detailed on plans much more than 14 months out," says Garrett, who has an MBA from Meredith College in Raleigh, N.C. "Technology is constantly changing. It's difficult to anticipate where certain things are going."

New threats can emerge. Regulations can change your legal requirements. Key vendors could be acquired. You can't plan for everything. To cope, Garrett's approach is to set as much of a plan as possible for the next two years. (The state operates on a two-year budget cycle, so she doesn't have much choice in the matter.) Her two-year outlook contains specific goals and ways to achieve them. She also keeps in mind the two-to-four-year time frame. Beyond that, though, she has only the most high-level goals in mind. Anything more, she feels, would be a waste of time.

At the other end of the spectrum is David Burrill, head of group security for British American Tobacco. Burrill is working on a 10-year plan (that's right, double digits) for corporate security at the London-based tobacco company. And despite the seeming pretentiousness of a plan that spans a decade, Burrill insists that what he's laying out now isn't so different from what he had in his head 13 years ago when he joined the company.

"Previously, lots of the forward-thinking has been forward-thinking in my own mind," Burrill explains. "What has happened is, as we've grown the [security] function, it's no longer adequate to have something driven by one champion. Now I've got lots of other, very high-quality people around me, and so instead of being one man's vision with a broad backing, there now has to be a team discussion, arguing and then jointly coming to conclusions about what we must be doing in the future."
