Strategy: An Introduction ◾ 9
integrate, align, and update the strategic plan come into play. The bottom line for any security
strategic plan is that other parts of the organization must understand it, or it will be difficult to
achieve effective results protecting the organization’s assets (people, material, and information)
at an acceptable cost.
While a business/organization strategy is aimed at organizational vision, purpose, mission,
strategies, execution, and measurement of success, an IT security strategy often focuses mainly
on information security architecture. It is shaped by the organizational goals, environment,
and technical capabilities the business requires in order to achieve its vision. Corporate (physical/
facilities) security strategy focuses on policies and procedures for loss prevention and the protec-
tion of people and property. Corporate security is also guided by organizational goals, environ-
ment, and technology advances.
Often, issues arise in this natural tension between the organizational business philosophy
(and business architecture) and the more pragmatic aspects of IT architecture. Ralph Whittle
and Conrad Myrick, in a white paper titled “Enterprise Business Architecture: The Formal Link
between Strategy and Results,” outline the formal link between architecture and strategy. In their
words, “These bold new enterprises are not building some static, rigid new architecture, with a
moat around the castle. Quite the opposite, they are building fluid, dynamic, integrated architectures
capable of evolving with and supporting the corporate strategy. A fundamental requirement
of the integrated architecture is that it must have the capability to evolve, change, and adapt in a
predictive way.” The problem for IT architecture achieving this goal, as Whittle and Myrick define
it, is that when it comes to organizational strategic planning and IT strategic planning, most IT
architecture has not been funded or developed to the needed levels. This results in tensions for IT
architecture including, but not limited to:
1. Unclear understanding of business/organizational requirements
2. Inflexible architecture that is unable to respond to environmental challenges
3. Piecemeal local approaches to architecture and security practices rather than integrated
efforts, including lack of corporate and IT security integration
4. Unclear linkage to organizational strategy and metrics for successful implementation, scalability,
and usability of security services
5. Piecemeal tactical efforts rather than a systemic architectural approach
6. Unmanaged costs or insufficient funding
7. Ineffective risk management efforts
8. IT security that hobbles the business
Fixing the problems that arise from these tensions is not an effort for the faint of heart. One
of the requirements of security leadership is a well-constructed security strategy that aligns the
strategy, vision, and objectives of the enterprise and answers these questions:
◾ What is the business reason for doing this?
◾ What are we trying to achieve?
◾ How do we enable and support the enterprise achieving its strategic objectives?
Explicit answers to these questions help everyone in the organization, including those involved in
security architecture, to make reasoned decisions for their pieces of the strategic puzzle. Without
clear answers to these questions, it is difficult to acquire the upper management support needed to
advance security strategy. Without explicit upper management support, security efforts are seldom