Five Steps to an Effective Strategic Plan
Stop lurching from crisis to crisis. Take the long view to find business value in security by forming a strategic plan.
July 01, 2005 — CSO —
Stan Gatewood has a litany of reasons why CSOs might not bother with strategic planning. Just ask.
"You have the economy playing against you," says Gatewood, CISO of the University of Georgia. "You have social behavior playing against you. You have technology. You have laws and regulations." And don't bother looking for specialized books or seminars to help you apply business strategic planning principles to security. There aren't any.
Despite all this, Gatewood is here to say that you need to do strategic planning. "If you have no plan, how will you know if you're doing it right?" he asks. "You will be reacting to every little thing that bumps in the night."
After all, that's how most corporate and information security groups have operated for years: Break glass, pull handle. Security departments could hardly control their future, the thinking went, when they were so incident-driven.
But all this is changing, as CSOs and CISOs begin to see the value of using established strategic planning principles to guide their efforts. At its core, strategic planning is nothing more than a formalized process for setting goals based on business objectives and then mapping out how to accomplish those goals—over the coming years, not months.
[More on strategic planning: A 13-point plan for starting a strategic security group | Organizational models for Enterprise Risk Management]
Sure, many of you have high-level mission statements. And sure, most of you have year-ahead tactical plans tied to your budgets. A truly strategic plan, however, sits in the sweet spot in between those two levels. CSOs who have figured out how to create and implement a tactical plan claim that it helps them spend resources wisely, gather support for security initiatives and gain alignment with the business. No glass broken.
"It's really about putting the big C in CSO," says James Quinnild, a security partner in the advisory practice at PricewaterhouseCoopers. "CSOs are managing a lot more funding, their visibility within the organization is a lot higher, and there are a lot more people asking the CSO, How are you doing? What are you doing? How did you prioritize what you're doing?" A well-thought-out plan helps answer those questions.
Especially in the rapidly changing information security field, planning for the future can be perilous. Technologies change, and new threats emerge. But despite the challenges, the strategic planning process is crucial if you want to get your organization out of crisis mode. Here are five steps to getting started. As you'll see, this isn't an arcane discipline. It's Business 101, applied to security.
1: Begin with the business's big-picture plan
When Gatewood started at the University of Georgia in Athens two years ago, one of the first things he did was read every business plan for the university that he could get his hands on. The most important? A five-year plan written by the president of the university (which has more than 33,000 students). This kind of big-picture approach can help the CSO get out of tactical mode. "I saw where the university wanted to go, and then I commenced creating the security strategic objectives based on that," Gatewood says.
For instance, one of the president's priorities was attracting top-notch professors. Gatewood made sure that his department's initiatives echoed that same goal. "If you step forward and say, 'I need $50,000 for a firewall to protect the research cluster,' that's not enough," Gatewood says. Instead, he positioned his objectives in terms of how they would meet the university's overarching strategy and goals. "I would say, How can you attract a professor to do advanced research if the technology that he or she is going to be using is not trusted?" he says. Sometimes a semantic change can make all the difference.