Five Steps to an Effective Strategic Plan
Stop lurching from crisis to crisis. Take the long view to find business value in security by forming a strategic plan.
By Sarah D. Scalet
July 01, 2005 — CSO —
Stan Gatewood has a litany of reasons why CSOs might not bother with strategic planning. Just ask.
"You have the economy playing against you," says Gatewood, CISO of the University of Georgia. "You have social behavior playing against you. You have technology. You have laws and regulations." And don't bother looking for specialized books or seminars to help you apply business strategic planning principles to security. There aren't any.
Despite all this, Gatewood is here to say that you need to do strategic planning. "If you have no plan, how will you know if you're doing it right?" he asks. "You will be reacting to every little thing that bumps in the night."
After all, that's how most corporate and information security groups have operated for years: Break glass, pull handle. Security departments could hardly control their future, the thinking went, when they were so incident-driven.
But all this is changing, as CSOs and CISOs begin to see the value of using established strategic planning principles to guide their efforts. At its core, strategic planning is nothing more than a formalized process for setting goals based on business objectives and then mapping out how to accomplish those goals—over the coming years, not months.
[More on strategic planning: A 13-point plan for starting a strategic security group | Organizational models for Enterprise Risk Management]
Sure, many of you have high-level mission statements. And sure, most of you have year-ahead tactical plans tied to your budgets. A truly strategic plan, however, sits in the sweet spot in between those two levels. CSOs who have figured out how to create and implement a tactical plan claim that it helps them spend resources wisely, gather support for security initiatives and gain alignment with the business. No glass broken.
"It's really about putting the big C in CSO," says James Quinnild, a security partner in the advisory practice at PricewaterhouseCoopers. "CSOs are managing a lot more funding, their visibility within the organization is a lot higher, and there are a lot more people asking the CSO, How are you doing? What are you doing? How did you prioritize what you're doing?" A well-thought-out plan helps answer those questions.
Especially in the rapidly changing information security field, planning for the future can be perilous. Technologies change, and new threats emerge. But despite the challenges, the strategic planning process is crucial if you want to get your organization out of crisis mode. Here are five steps to getting started. As you'll see, this isn't an arcane discipline. It's Business 101, applied to security.
1: Begin with the business's big-picture plan
When Gatewood started at the University of Georgia in Athens two years ago, one of the first things he did was read every business plan for the university that he could get his hands on. The most important? A five-year plan written by the president of the university (which has more than 33,000 students). This kind of big-picture approach can help the CSO get out of tactical mode. "I saw where the university wanted to go, and then I commenced creating the security strategic objectives based on that," Gatewood says.
For instance, one of the president's priorities was attracting top-notch professors. Gatewood made sure that his department's initiatives echoed that same goal. "If you step forward and say, 'I need $50,000 for a firewall to protect the research cluster,' that's not enough," Gatewood says. Instead, he positioned his objectives in terms of how they would meet the university's overarching strategy and goals. "I would say, How can you attract a professor to do advanced research if the technology that he or she is going to be using is not trusted?" he says. Sometimes a semantic change can make all the difference.
ESSENTIAL READING
The reactive, event-driven nature of security makes strategic planning more important, not less. Here are practical tips for creating a strategy that is aligned with your organization's business and enterprise risk management goals.
Risk's rewards: Organizing for ERM
Leading companies are coordinating risk management activity, finding efficiencies and better visibility in the process. Here's how they do it.
Beginning ERM in 6 simple steps
ERM look like too big a commitment? Choose one process to improve, create a working group, show progress, and build momentum.
5 steps to an effective strategic plan
Enterprise risk management basics
A simple model for thinking strategically about security services
- Balancing Increasing Security Requirements with Decreasing Budgets
- Gain Control of the New Threat Landscape
- Securing Your BYOD Strategy: Cisco Secure Mobility Solutions
- Securing Your BYOD Strategy: Cisco Secure Mobility Solutions
- Introduction to VMware vCenter Site Recovery Manager 5
- Reliable Disaster Protection with VMware vCenter Site Recovery Manager
- Planning For Failure: Incident Management Is A Top Priority
- Application Performance Management: The End User is King
- Beyond SFTP: Five Ways Secure Managed File Transfer Can Improve Your Business
- Secure Managed File Transfer: Bringing Coherence & Control to Compliance
- The TCO of FTP: Hidden Costs of "Free" File Sharing
- Streamline, Speed and Secure the Supply Chain with Managed File Transfer
- Patch Tuesday preview, February 2012
Microsoft published its Patch Tuesday Preview for February of 2012 a few minutes ago. IT admins can expect nine bulletins to address 21 security vulnerabilities.
It looks like four bulletins will be rated critical while the rest are designated as important.
Affected Microsoft products are:
- M86 report proves water is wet
- Actor, banker, soldier, spy: Suits and Spooks Anti-Conference aims to redefine security
More Salted Hash with Bill Brenner
