Five Steps to an Effective Strategic Plan

Stop lurching from crisis to crisis. Take the long view to find business value in security by forming a strategic plan.


Conclusion: Plan out as long as you can, and don't sweat the rest.

5: Stay flexible

Actually, what's more important than how far out your plan stretches is how flexible you can be in implementing it.

Take phishing. Or spyware. Or (the latest) Google hacking, in which attackers use the popular search engine's advanced queries to locate a company's exposed systems, configuration files and sensitive documents, in effect doing vulnerability reconnaissance without ever touching the target's network directly. None of this would have been included in planning done three years ago. It might not even show up in a strategic plan done now (except maybe under the rubric of, say, protecting the brand). But a good plan will help you deal with these new threats more elegantly. You'll have an organized way of approaching them, because you'll be able to see how they fit in with existing risks and priorities. Good planning might even prevent a new threat from affecting your organization in the first place.

"Let's say you've got an enterprise that uses passwords for remote access to e-mail," AT&T's Amoroso says. "I can't tell you that tomorrow, next week, that's going to be hacked. But I can tell you that if you added two-factor authentication, there's a whole broad class of possible problems that you will render dead by making that change. Your decision is not based on, hey, a year from now something happens. Rather, this is a sound decision [so] that a year from now when a worm is guessing passwords, it's not going to work with my users."

Sure, it can be hard to make those initial steps to get a plan really off the ground, when you're trying to keep on top of everything. But over time, the strategic planning process will get easier. Once you get it going, the plan only has to be updated, not formulated. "It's just part of the job," says Craig Shumard, CISO and senior vice president of Cigna. He says his whole department is structured such that information that feeds his strategy is constantly bubbling up to him—be it from people whose responsibilities include doing risk assessments, creating scorecards or anything else. He can't even define how much of his time he spends on strategy versus operations. "It's not something that's an add-on."

And the more you move into a strategic mode, the more you buy yourself time to focus on what's really important: building business value. "There's always going to be some response" aspect of the job, Quinnild of PricewaterhouseCoopers says. "But by doing more planning up front, [CSOs are] going to free up time to help the business and do some of the things that they want to do but they can't because they're always fighting fires. We have a lot of clients who say, 'We're great at heroic recovery.' That's somewhat endemic to not having a strategy. My response is, 'Wouldn't it be better not to have to fix the problem?'"

Oh, and one other thing: This is a chance for the security department to gain some business cred too. Without strategic planning, "what we're doing is lurching from challenge to challenge, from crisis to crisis," says British American Tobacco's Burrill (the 10-year planner). "If we do that, the security function is always going to remain something which lacks real substance in the eyes of the other functions. Security is almost the baby when it comes to true, accepted credibility.

"We have something to prove."


Copyright © 2005 IDG Communications, Inc.
