Security Strategy: From Requirements to Reality
EXERCISE 1.2
If you haven’t already read every organizational strategic plan you can get your hands on, get started
now! If you are going to build a successful security strategy, you need to get a sense of the big picture
in which your organization functions.
Value Proposition
From a systemic perspective, a secure workforce, secure facilities, and well-protected information
resources are actually part of the organizational brand, both product and service. The security of
products and services is now part of the organization’s promise to the marketplace, enterprise
stakeholders, and shareholders. It is imperative that organizations deliver on that promise, or they
will soon become irrelevant. Organizational strategic planning can readily benefit from the security
practitioner’s viewpoint. Whether security is part of the organizational brand or has developed its
own brand, it must be part and partner in the organization’s strategic discussions. Brand is critical
to security because the process of building a brand helps to convey important fundamentals that link
security explicitly to the intent and promise an organization makes to its internal and external
customers.
In the authors’ experience, other organizational functions often view security as a roadblock
to efficient business practices. However, leaving the security group out of the strategic planning
process can result in a number of unintended consequences. One example of these unintended
consequences is, perhaps, the decision to outsource back-office types of transactions to sourced
companies in another country without including security in a strategic conversation. While
economically that may be the right strategy, several important elements may be overlooked, such as
creating vulnerabilities to Personally Identifiable Information (PII) data or providing industrial
espionage opportunities for data mining. If security is included in the original planning, there may
be easy solutions at a lesser cost than managing these risks after the fact.
Conversely, if security wants a place at the strategic planning table, it will need to examine the
strengths of its own leadership and answer these two fundamental questions:
1. “How can security help the organization achieve strategic goals?” In other words, “What
will it take from security to enable the business/organization to get where it wants to go?”
2. “How can the security strategic plan be a living document updated periodically to reflect
changes in organizational priorities based on industry trends, marketplace, or emerging
technologies?”
The advantages of including security in organizational strategic planning and the Enterprise
Risk Management (ERM) components of strategic planning are:
• Better understanding of potential risks in any strategic direction
• More accurate planning for budget allocations to manage those risks
• Quicker movement in strategic objectives for security integration into product, infrastructure,
  desktop, and business continuity processes
Other Challenges for Security and Strategic Planning
Another crucial issue for the security group in any organization is: “How is the strategic plan (or
portions of an organizational strategic plan) to be developed, updated, and what groups will
participate?” After the strategic plan is drafted, the fundamental questions of how to communicate,
integrate, align, and update the strategic plan come into play. The bottom line for any security
strategic plan is that other parts of the organization must understand it, or it will be difficult to
achieve effective results protecting the organization’s assets (people, material, and information)
at an acceptable cost.
While a business/organization strategy is aimed at organizational vision, purpose, mission,
strategies, execution, and measurement of success, an IT security strategy often focuses mainly
on information security architecture. It is shaped by the organizational goals, environment,
and technical capabilities the business requires in order to achieve its vision. Corporate
(physical/facilities) security strategy focuses on policies and procedures for loss prevention and
the protection of people and property. Corporate security is also guided by organizational goals,
environment, and technology advances.
Often, issues arise in this natural tension between the organizational business philosophy
(and business architecture) and the more pragmatic aspects of IT architecture. Ralph Whittle
and Conrad Myric, in a white paper titled “Enterprise Business Architecture: The Formal Link
between Strategy and Results,” outline the formal link between architecture and strategy. In their
words, “These bold new enterprises are not building some static, rigid new architecture, with a
moat around the castle. Quite the opposite, they are building fluid, dynamic, integrated
architectures capable of evolving with and supporting the corporate strategy. A fundamental requirement
of the integrated architecture is that it must have the capability to evolve, change, and adapt in a
predictive way.” The problem for IT architecture achieving this goal, as Whittle and Myric define
it, is that when it comes to organizational strategic planning and IT strategic planning, most IT
architecture has not been funded or developed to the needed levels. This results in tensions for IT
architecture including, but not limited to:
1. Unclear understanding of business/organizational requirements
2. Inflexible architecture that is unable to respond to environmental challenges
3. Piecemeal local approaches to architecture and security practices rather than integrated
efforts, including lack of corporate and IT security integration
4. Unclear linkage to organizational strategy and metrics for successful implementation,
scalability, and usability of security services
5. Piecemeal tactical efforts rather than a systemic architectural approach
6. Unmanaged costs or insufficient funding
7. Ineffective risk management efforts
8. IT security that hobbles the business
Fixing the problems that arise from these tensions is not an effort for the faint of heart. One
of the requirements of security leadership is a well-constructed security strategy that aligns the
strategy, vision, and objectives of the enterprise and answers these questions:
• What is the business reason for doing this?
• What are we trying to achieve?
• How do we enable and support the enterprise achieving its strategic objectives?
Explicit answers to these questions help everyone in the organization, including those involved in
security architecture, to make reasoned decisions for their pieces of the strategic puzzle. Without
clear answers to these questions, it is difficult to acquire the upper management support needed to
advance security strategy. Without explicit upper management support, security efforts are seldom
successful. Gaining this support for strategic efforts is not only a critical success factor, but is often
one of the most difficult things a security leader will do.
When Strategic Planning Should Be Conducted
Strategic planning should be part of organizational planning in the following situations:
• When an organization is newly formed.
• When reenvisioning is required.
• Before and during mergers or acquisitions.
• In preparation for a new venture, product(s), or service(s).
• When exogenous or outside shocks to your organizational environment require adaptation
  or refinement of a potential strategic scenario. (Scenario planning creates more than one
  option for an organization to pursue based on future impacts and may require more
  exploration when an unexpected event drastically changes the environment.)
At the very least, strategy should be conducted on an annual basis to fit within your
organization’s business planning cycle, before monies are allocated for a given year in order to fund
organizational requirements for accomplishing strategic goals and objectives. Throughout the year there
should be organizational reviews of the strategic planning inputs, adjustments, updated action
plans, and metrics. Strategic planning should be a planned part of organizational life throughout
the calendar year, not a “once-a-year, put-a-plan-in-a-binder and put-it-on-a-shelf until next
year” activity. Security leadership should formally conduct a quarterly review.
Regardless of when your organization is engaged in strategic planning, paying attention to the
language that is used in strategic planning can often help planners understand the organization
and, by utilizing new language, transform the organization.
Metaphor Analysis and Strategic Planning
Metaphors reveal how organizations think of themselves and are a window into organizational
culture, attitudes, and beliefs. Metaphors can also be an important tool in transforming
organizations and will often appear in the communication strategies for strategic change. A whole
literature has evolved around analyzing organizational culture by the metaphors found in the everyday
conversation on how organizations conduct business; an example is Donald Schön’s concept of a
generative metaphor. A generative metaphor is an “implicit metaphor that can cast a kind of spell
on a community.” In an implicit metaphor, the full subject is not explained, but is implied from
the context of the sentence. Much of our daily communication in organizational life contains
implicit metaphoric language. A branch of this literature assumes that one’s approach to strategy
is best caught by the metaphors employed in strategic planning sessions.
David Sibbit, president and founder of Grove Consultants International, has worked on strategic
planning with organizations for many years by utilizing “story maps” that he and his consultants
generate from the conversations held among strategic planning groups. Sibbit, in an article titled
“Strategizing with Visual Metaphors,” made the following observations about the power of metaphors:
I serendipitously picked up a 2005 article I’d clipped from the Harvard Business Review
called “How Strategists Really Think: Tapping the Power of Analogy.” (It’s available
for $6.50 through the HBR website.)
Gavetti and Rivkin argue that there is a middle ground between formal, deductive
analysis, which works well in information-rich, more mature industries, and trial
and error, almost a necessity in very dynamic, untested emergent industries. “Many,
perhaps, most strategic problems are neither so novel and complex that they require
trial and error nor so familiar and modular that they permit deduction. Much of the
time, managers have only enough cues to see a resemblance to a past experience. They
can see how an industry they’re thinking about entering looks like one they already
understand, for example. It is in this large middle ground that analogical reasoning
has its greatest power.”
The frame of “strategy by analogy” is different from “visual thinking.” These labels
are metaphors that provide a framing context that directly affects what a viewer or listener
pays attention to. And within the visual work the choices of what to illustrate, and most
critically, the organizing graphic metaphor and its emphasis, open and close
opportunities for engagement, discussion and interpretation.
Over the years we have heard many such metaphors, similes, and strategy analogies in our
work with strategy groups, consultants, and educators. Metaphors can help employees look at
old issues with a new lens or become a compelling new image of how an organization sees itself.
During our careers, we have heard the following metaphors for strategy:
• A battle (and other military metaphors)
• A revolution
• A chess match
• Sailing a ship
• Sports strategy
• A game metaphor
• The solving of a puzzle
• A city-state, kingdom, domain, or enclave
• An organic system
• Conducting a symphony
• Part of the value chain or system
• Sailing a blue ocean, red ocean, purple ocean
• BBQ sauce
• Pizza
Organizations themselves can also be described by metaphors such as running a tight ship,
part of a family, a dynasty, or parts of the body (e.g., IT is described as the nervous system,
management as the brain, etc.). Learning to examine anything through a variety of metaphors often
helps bring new insight and clarity to participants. A strong use of metaphor can galvanize quick
understanding and provide different mental models with which to examine a topic.
Security strategy lends itself particularly well to these metaphors, and we use several in our
own approaches. Bill Stackpole will frame the tactics chapters of this book in the metaphors of
military tactics and enclaves (a distinct political geography, territorial culture, or social unit) and
will discuss the principles behind his use of them. Eric’s own favorite metaphor for conducting
strategy sessions remains a “strategy jam” (see Figure 1.1). In fact, a musical jam can get
cooking as well when ideas are being generated and integrated. A consulting colleague at Boeing,
Andrew Moskowitz, and Eric conducted several “strategy jam” sessions for a newly formed group
of support organizations. “Strategy jam” as a metaphor became very useful for conducting
strategic planning for several reasons. Let’s now examine three of the relevant principles behind the
metaphor “strategy jam.”
Need for Responsiveness—In today’s environment, older methodologies for conducting
strategy sessions are top heavy, have long lead times, and usually exclude inputs from the
people who have the information and creativity needed for successful strategic planning.
Consequently, these approaches may have little buy-in from employees and usually just end
up as pieces of inert information bound in glossy folders or stored in a database somewhere.
Employees have little knowledge of what’s in the strategic plans and even less interest. Next
year when the next round of planning begins, someone will blow the dust off the old plans,
and the process will repeat itself.
Need for Collaboration—Our industries and organizations have been permanently
impacted by Total Quality Management and Productivity-LEAN systems, Process
Management rollouts, and Enterprise Risk Management integration, and we are currently
trying to understand and assess the impact of Security Convergence on our industry. Never
has there been a greater need to engage every ounce of creativity available in our
organizations. And yet, for too many organizations, strategic planning remains the province of
executives or senior management. The problem is one of participation. When you try to tell or sell
an organizational plan to employees who have had no opportunity to provide their thoughts
and ideas, you get little buy-in, commitment, follow-through, or impact. A strategy jam, on the
other hand, is an ongoing strategic conversation that is flexible, collaborative, and focused.
Need for Adaptive Skills—Creativity and intuition are the main focus when people and
organizations need to adapt their organizational tactics to a “Big Picture Vision” and/or
changing business model. Adapting and changing directions with continuous adjustments while
executing are important aspects of jamming. This type of strategic jam session most often
occurs in business in new product creation, new divisions, and start-ups. But even in more
traditional strategic planning, there is still an ongoing requirement for these skills in a more
orchestrated context. Ned Herrmann, author
Life is like a band. We need not all play the same part, but we MUST all play in harmony.
Unknown author
Figure 1.1 Strategy jam.