Home » Security Leadership » Strategic Planning

Five Steps to an Effective Strategic Plan

Stop lurching from crisis to crisis. Take the long view to find business value in security by forming a strategic plan.

By Sarah D. Scalet

July 01, 2005 — CSO —

Stan Gatewood has a litany of reasons why CSOs might not bother with strategic planning. Just ask.

"You have the economy playing against you," says Gatewood, CISO of the University of Georgia. "You have social behavior playing against you. You have technology. You have laws and regulations." And don't bother looking for specialized books or seminars to help you apply business strategic planning principles to security. There aren't any.

Despite all this, Gatewood is here to say that you need to do strategic planning. "If you have no plan, how will you know if you're doing it right?" he asks. "You will be reacting to every little thing that bumps in the night."

After all, that's how most corporate and information security groups have operated for years: Break glass, pull handle. Security departments could hardly control their future, the thinking went, when they were so incident-driven.

But all this is changing, as CSOs and CISOs begin to see the value of using established strategic planning principles to guide their efforts. At its core, strategic planning is nothing more than a formalized process for setting goals based on business objectives and then mapping out how to accomplish those goals—over the coming years, not months.

Sure, many of you have high-level mission statements. And sure, most of you have year-ahead tactical plans tied to your budgets. A truly strategic plan, however, sits in the sweet spot in between those two levels. CSOs who have figured out how to create and implement a tactical plan claim that it helps them spend resources wisely, gather support for security initiatives and gain alignment with the business. No glass broken.

"It's really about putting the big C in CSO," says James Quinnild, a security partner in the advisory practice at PricewaterhouseCoopers. "CSOs are managing a lot more funding, their visibility within the organization is a lot higher, and there are a lot more people asking the CSO, How are you doing? What are you doing? How did you prioritize what you're doing?" A well-thought-out plan helps answer those questions.

Especially in the rapidly changing information security field, planning for the future can be perilous. Technologies change, and new threats emerge. But despite the challenges, the strategic planning process is crucial if you want to get your organization out of crisis mode. Here are five steps to getting started. As you'll see, this isn't an arcane discipline. It's Business 101, applied to security.

1: Begin with the business's big-picture plan