Strategy: An Introduction ◾ 13
of e Creative Brain, puts it this way: “In the corporation of the future, new leaders will not
be masters, but maestros. e leadership task will not be masters, but maestros. e leader-
ship task will be to anticipate the signs of coming change, to inspire creativity.” Lou Gertsner,
former chairman of IBM, also referred to the need to be adaptive in strategic planning when
he stated, “You have to be fast on your feet and adaptive or else a strategy is useless.”
It is in that spirit that we approach strategic thinking. Every brain in an organization is part
of the solution; yet, when asked, most managers estimate they were only tapping 20% of avail-
able creativity. (In some organizations that might be a little optimistic.) In a strategy jam session,
each instrument has an input. Participants, like musicians in a musical jam session (blues, jazz,
orchestra etc.), need to know the basics of strategic planning (i.e., the notes, chording, and frets of
music), and, at the same time, they must be able to listen to the other musicians, pick up on what
they are playing, and blend into a new creation, while responding to the audience (customers/
stakeholders). So it is in a strategy jam: e players come with an understanding of the basic struc-
tures and components of strategic planning, listen to the other players, and create a new direction
for the organization. Our goal for this book is to provide you with the scales and notes of strategic
planning. e artistry and creativity with which those components are applied depend on you and
on your approach to the art of strategy formation and execution and the requirements that match
the organization in which you work. Whether your strategy jam is in the form of jazz, blues, or a
more formal orchestra, it is our hope that you will be engaged, learning, curious, and optimistic.
Somehow I can’t believe that there are any heights that can’t be scaled by a man who
knows the secrets of making dreams come true. is special secret, it seems to me, can
be summarized in four Cs. ey are curiosity, confi dence, courage, and constancy,
and the greatest of all is confi dence. When you believe in a thing, believe in it all the
way, implicitly and unquestionably.
Walt Disney
Strategic Planning as a Process
One of the key paradigms or mental models that should be established early in any strategic plan-
ning process is that strategic planning is NOT an event; rather, it is a process (ongoing, year round).
Security managers have to know the strategic planning process, take it seriously, and be involved in
integrating the plan into the day-to day activities of the security group. Remember, the process has to
be linked to next year’s budget as well. ere are many processes for approaching strategic planning,
and while they may have diff erent steps, stages, or phases, the goal is still to produce a strategic plan
that moves the organization forward in the right direction. For a basic understanding of strategic
planning, perhaps the most widely known model of strategic planning is John Bryson and Farnum
Alston’s Strategic Planning for Public and Nonprofi t Organizations: A Guide to Strengthening and
Sustaining Organizational Achievement and the companion workbook Creating and Implementing
Your Strategic Plan. In their workbook, the authors outline the following basic process:
1. Identify a strategic planning process that the organization will use.
2. Identify organizational mandates.
3. Clarify the organizational mission and values.
4. Assess the organization’s external and internal environments to identify strengths, weak-
nesses, opportunities, and threats.
TAF-K11348-10-0301-C001.indd 13TAF-K11348-10-0301-C001.indd 13 8/18/10 3:01:47 PM8/18/10 3:01:47 PM
14 ◾ Security Strategy: From Requirements to Reality
5. Identify the strategic issues facing the organization.
6. Formulate strategies to manage these issues.
7. Review and adopt the strategic plan or plans.
8. Establish an eff ective organizational vision.
9. Develop an eff ective implementation process.
10. Reassess strategies and the strategic planning process.
Bryson and Alston’s description of the strategic process is diff erent from and, at the same time,
similar to the process we covered in the fi rst part of this chapter. In the stages we discussed earlier,
there are preparations to plan, big picture renewal, focusing the plan, implementation schedule, met-
rics, communication and completion. By considering diff erent ways of approaching strategic plan-
ning, organizations defi ne their own approach. What the process used in your organization will look
like depends on the methodology you choose. In the next several chapters on strategic planning, we
will discuss some of the methods currently available in the marketplace and consider how to integrate
them into planning based on your organizational culture.
Requirements for Successful Strategic Plans
For any security strategic plan to be successful, several conditions are required.
Organizational stakeholders (not just internal to security) are involved, and their support is ◾
garnered for the strategic plan. Inclusion of stakeholders in planning takes time and patience
to gather.
Prioritizing goals is essential for organizational focus and resource deployment. ◾
A clear plan should be developed with a limited number of strategic initiatives. Overly com- ◾
plex strategic plans with too many goals overwhelm every part of the strategic planning
process from data collection to analysis, plan development, and implementation. Strategic
plans should be succinct and easy to translate into tactical goals.
Completed goals for confl icting mandates or goals should be reviewed, and one should ◾
watch for unintended consequences during implementation; this can be a real issue when
business drivers for the enterprise are in confl ict with business drivers for security.
Typical Example
Goal: Become a business enabler by meeting business expectations for security
Measure security performance. ◾
Manage resources. ◾
Mitigate risk. ◾
Make sure that security understands and aligns activities with the strategic ◾
direction of the enterprise.
At a high enough level, this strategic goal makes perfect sense, but as the overall goal is put into
organizational specifi cs, the specifi c drivers for the enterprise and security compliance require-
ments may come into direct confl ict. If the sales and marketing components of the organization are
competing in global economies, while ignoring or minimizing national or international security
requirements, not only can organizational departments be at odds strategically, but audit fi ndings
may bring fi nes, government sanctions, and loss of business opportunities, as well as damaging
TAF-K11348-10-0301-C001.indd 14TAF-K11348-10-0301-C001.indd 14 8/18/10 3:01:47 PM8/18/10 3:01:47 PM
Strategy: An Introduction ◾ 15
the corporate brand and/or reputation. A more collaborative approach to strategic planning at the
onset of planning can help reduce these confl icting pinch points in planning. is leads us to our
next assertion about security and the organizations that security functions in.
Creating a Security Culture
We fi rmly believe that the only way organizations can achieve their security goals is to create a
corporate security culture. Organizations cannot simply focus on technical solutions to security
issues. e majority of these issues come from people and their interactions with technology. In
order to move an organization forward, one can learn from the lessons of past major changes that
aff ected the cultural identity of the organization and integrated themselves into the very fabric of
daily work. Good examples are the quality movement, the productivity (LEAN, process manage-
ment, etc.) movement, safety programs, and the more recent GREEN movement. Our belief is
that organizations will ultimately benefi t from creating an organizational security culture.
ere are a couple of challenges to directing an organization toward a more holistic view
regarding security. Most of the people inhabiting a security group are technical professionals.
Moving an organization toward a culture shift requires both interpersonal and organizational
skills. One solution to creating a plan for organizational change is to bring in outside consultants
who specialize in change. Again, there are many examples of this from quality, Six Sigma, LEAN,
and diversity programs that signifi cantly changed organizational culture. While outside consul-
tants can help craft a strategic plan for moving an organization forward, they should augment and
NOT be the focus of any eff ort. Change should be led from the inside. Often many organizational
resources are already present that can help security move in the direction of impacting organiza-
tional culture for the benefi t of the enterprise. In the past, we have found help in the marketing,
training, communications, and HR departments for planning and moving organizational change
forward. Customer service-oriented people usually have good data regarding customer percep-
tions of an organization and can help build information security into an organizational brand.
A security group can sometimes fi nd internal consultants in the larger organization in which they
function to help build both a strategic plan and strategic planning skills in the organization.
Security Continuum (Moving toward a Security Culture)
In a past project, Eric worked with outside consultants William Belgard and Steven Raymer
(authors of Shaping the Future: A Dynamic Process for Creating and Achieving Your Company’s
Strategic Vision). A security continuum was developed between the security group and other busi-
ness units to move organizational thinking from a compliance-based security framework (mental
model) to a commitment-based security framework. e model utilized was from the American
Center for Strategic Transformation. It depicts the transformation as a series of stages one might
work through as security is integrated into a company. e process is similar to how the notion
of quality and productivity were moved in the past decade from functional ownership (i.e., the
Quality Assurance department) to an across-the-board organizational competency.
e transformational stages an organization goes through were labeled Functional Focus,
Integration Focus, Communication Focus, Commitment Focus, and Systemic Focus. Within
each stage, there are several components that demonstrate how the evolving notions of security
will look in the arenas of technology, process, people, and organization.
TAF-K11348-10-0301-C001.indd 15TAF-K11348-10-0301-C001.indd 15 8/18/10 3:01:47 PM8/18/10 3:01:47 PM
16 ◾ Security Strategy: From Requirements to Reality
e transformational stages basically track an organization as it moves from a compliance-
based to a commitment-based security framework. In the compliance-based model, security is
viewed as a necessary inconvenience (i.e., evil) and the security group as primarily an access con-
trol and emergency response-oriented function. e compliance model is technology driven and
enforced by management. Security is seen as constantly restricting the fl ow of information neces-
sary for organizational operation, while operating largely behind a curtain of secrecy.
e desired state of this continuum moves an organization toward a commitment-based secu-
rity framework in which security is viewed as a competitive advantage. All employees now have a
responsibility for security with adequate training and understanding of what constitutes security
risk. e primary focus is systemic as the security system serves the extended enterprise, including
partners, suppliers, and, in some cases, even customers. e core security principles in place are
seen as a key competitive advantage that allows strategic partners to do business in a highly inte-
grated way while protecting intellectual property and proprietary technologies and information.
Conclusion
Strategy is a long-term plan of action designed to achieve a goal that includes what work will be
done and by whom. Strategic planning encourages long-term thinking and creative choices for
future actions. It utilizes a structured process to create a formal, integrated enterprise plan. e
security management program strategy must be directly linked to the organizational strategy or
big picture. Producing an actionable strategy requires solid leadership throughout the develop-
ment and implementation phases. Strategic planning is essentially gathering information, analyz-
ing it, and deciding what you are going to do going forward. Metaphors provide an excellent way
to gather data and analyze organizational cultures. e “strategy jam” metaphor is responsive,
collaborative, creative, and intuitive, giving participants a sense of ownership in the plan and its
success.
Strategic planning is an ongoing process; it is a journey. It demands leadership that under-
stands not only the basics of strategic planning and the nuances of security, but also the art of
working within the organizational culture. We believe that cultural change is the key to a success-
ful security management program. Like the quality and productivity transformation of the past
decade, security needs to take its place as an across-the-board organizational competency.
For any security strategic plan to be successful, organizational stakeholders must be involved
and supportive, goals must be prioritized, scope must be limited and clear, and confl icting mandates
must be resolved. Now is the time to prepare your security strategic plan. Build your vision and
drive it forward with passion. Create an organization that truly is a key enabler of the business.
TAF-K11348-10-0301-C001.indd 16TAF-K11348-10-0301-C001.indd 16 8/18/10 3:01:48 PM8/18/10 3:01:48 PM
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.