17
2Chapter
Getting to the Big Picture
Many are so caught up in their own problems that they cannot see the big picture.
Often, seeing the big picture can give one the perspective that makes illusive solutions
suddenly easy to visualize. One form of hope can be accessed through stepping outside
of yourself and seeing the bigger picture.
e Path
Real-life problems in business today require security managers to be able to see the big picture in
order to solve them. Strategic planning is all about understanding the big picture in which you
operate. Learning to see the big picture requires time and skill. By understanding the big picture,
security managers can better lead their security function from a reactive posture to a more proac-
tive posture in organizational life. In this chapter we discuss why strategic planning is essential for
security groups; some of the strategic planning tools; models and methods that are available; and
when to do strategic planning. We also examine keys, myths, and barriers to strategic planning.
Background (Why Should Security Bother
with Strategic Planning?)
We have conducted and participated in many strategic planning sessions over the past 30 years.
Like many other internal and external consultants or staff ers, we have worked with groups to
feverishly produce a strategic plan that inspired and invigorated the strategic planning group,
only to see day-to-day operations overcome any sense of strategic direction and once dynamic and
invigorative strategic plans become bookshelf relics to be dusted off and revisited when the next
planning cycle came around.
Working within security, it is easy to dismiss strategic planning
as something the upper echelon of an organization does, and secu-
rity is simply positioned to react to the strategic plan and whatever
unplanned exogenous shocks reality brings (e.g., newly passed reg-
ulations, security breaches, or unexpected organizational changes).
Without a strategic plan your organiza-
tion is just drifting on the tides of for-
tune with no real destination except
extinction.
Eric Oksendahl
TAF-K11348-10-0301-C002.indd 17TAF-K11348-10-0301-C002.indd 17 8/18/10 9:54:47 PM8/18/10 9:54:47 PM
18 ◾ Security Strategy: From Requirements to Reality
ere is also precious little out there in terms of resources to guide you through a thoughtful
strategic planning process for security.
Without a strategic plan in place, a CSO comes to the enterprise leadership table lacking solid
answers to the questions any good leader should be contemplating on a regular basis.
Where is your organization going? ◾
What are you doing? ◾
How do you know how well you are doing? ◾
What are your priorities in the near term? e long term? ◾
Where would you suggest your dollar allocation go in case of an economic downturn or ◾
upturn?
A solid strategic plan helps provide thoughtful responses to those questions and brings cred-
ibility and direction to an organization. When other organizational leaders don’t need to worry
about security issues in their business because security leadership is able to understand and plan
for those concerns, you are helping your organization achieve its business goals. A strong strategic
plan will also move a security group out of a crisis model of operation into a more proactive model
of operation.
Developing a solid strategic plan is applying basic business principles to the business of secu-
rity. Security is part of the business, and if you want to be recognized as a business partner, you
need to master this discipline. Creating a preferred future is not just for top managers in an orga-
nization. Organizations have to integrate quality, productivity, and customer service into every
aspect of their business. Perhaps the next wave of integration will be creating a security culture in
which security is everyone’s business, not just the intimidating or mysterious work of a chosen few
in the security group.
e menu of strategic planning methods to choose from grows each year. e strategic planning
methodologies employed in an organization will depend on the organizational leadership, size of
the organization, type of organization, culture and complexity of the organization, and expertise
of its planners. A formal strategic planning process helps get the organization’s leaders on the same
page and moving forward in the same direction. Next are discussed just a few approaches and tools
you have available to help you with your strategic planning process.
Menu of Strategic Planning Methods and Models
Let’s be honest. If you bought this book to fi nd a perfect method to make a perfect strategic plan,
you won’t fi nd one. ere is no perfect method for strategic planning. However, by examining
various methods, models, and tools, you can glean what works in your organization. Table 2.1
presents some of the approaches, philosophies, tools, and techniques that have proven useful in
strategic planning.
You’ll have to admit this is quite the laundry list and it’s only partial! Time does not permit
us the luxury of expounding on the methods and merits in each of these models; at best, all we
can do is provide guidance on how to pick the model or models that best fi t your organizational
needs. A basic guideline for any method chosen is that strategic plans are meant to be guides for
the general direction in which an organization moves, NOT detailed roadmaps or blueprints for
managerial daily work. Strategic planning is more about creating an informed and a shared frame
of reference for daily decision makers, and is NOT a specifi c set of steps for each manager. Strategy
TAF-K11348-10-0301-C002.indd 18TAF-K11348-10-0301-C002.indd 18 8/18/10 9:54:47 PM8/18/10 9:54:47 PM
Getting to the Big Picture ◾ 19
is about corporate interpretation and reinterpretation of how best to proceed forward based on
emerging possibilities.
Strategy cannot be a linear progression of steps, as the problems faced in organizational life
are much too complex to ever be totally understood. Constant learning is required for organi-
zational survival. ere remains uncertainty and vagueness in any strategic plan. Strategic plan-
ning is a collaboration determining the best path to get us from where we are now to where we
want to go.
Table 2.1 Planning Methods and Models
Strategic Planning Methods, Models,
and Tools
Strategic Planning Methods, Models,
and Tools
Values-Based Strategic Planning (Center for
Strategic Planning)
Force Field Analysis
(Porter’s Five Force Analysis Model)
Situation-Target-Proposal (STP Model) Draw-See-Think Model
See-Think-Draw Model Systems Thinking Disciplines
(Peter Senge’s Shared Values Model)
Environmental Analysis SWOT Analysis (Strengths, Weaknesses,
Opportunities, and Threats)
PEST Analysis (Political, Economic, Social,
and Technological)
Balanced Scorecard
Process-Based Strategic Planning Team-Based Strategic Planning
Rapid Strategic Planning The Viable System Model of Strategic Planning
Dialogue/Storytelling/Making Storyboarding
Gap Analysis Game Theory
PDCA (Plan-Do-Check-Act) Scenario Planning
Stakeholder Analysis Strategic Options
Story Maps Chaos Theory
Shaping the Future Visualizing the Future
Blue Ocean Strategy Change Management (creating a wave of
change via strategic planning)
Basic Model of Strategic Planning Issues-Based or Goal Model
Alignment Model Self-Organizing Model
Risk Management Model Process Management Model
SABSA (Sherwood Applied Business
Security Architecture) Model
Strategy Activation
Simplifi ed Strategic Planning Model Preferred Future
TAF-K11348-10-0301-C002.indd 19TAF-K11348-10-0301-C002.indd 19 8/18/10 9:54:47 PM8/18/10 9:54:47 PM
20 ◾ Security Strategy: From Requirements to Reality
Which Strategic Planning Tools?
Which models and tools, you ask, should you use? e answer is, “It depends.” It depends on where
you work, the organizational culture in which you work, the planning skills and capabilities of your
organization, the speed (time lines) at which you are required to plan, and the current strategic
capacity your organization has developed. It has been our experience from over 50 years of com-
bined consulting, education, and facilitation that organizations employ any number of these tools
and approaches at the same time in diff erent parts of the organization, including within the security
group itself. is is true in business, government, nonprofi t, church, and educational realms.
Perhaps the ideal state is a single approach, uniformly utilized and applied. is should give
an organization a competitive advantage, and in some instances that is true. Dutch/Shell is a
well-known example of a scenario-planning eff ort in the late 1960s and early 1970s that prepared
them well to deal with the oil crisis in the early 1970s. Despite past success, the scenario planning
model may not match an organization’s culture or organizational planning needs; even if it does,
it will still require strong organizational sponsorship and leadership, or it may not be uniformly
adopted. e same can be said for Senge’s Fifth Discipline approach to creating a learning orga-
nization, Belgard and Rayner’s Visualizing the Future approach to creating the future you want
to live in now, or the layered matrix Sherwood’s SABSA Model approach for creating a structured
framework for security planning that works to design an enterprisewide security architecture and
service management.
All models, methods, and philosophies require sponsorship, training, organizational adoption,
and mastery to ever have a chance of working consistently. Regardless of whether your organiza-
tion has one approach or several to strategic planning, elements of strategic planning are the basic
building blocks of any approach. In the next section we will look at the essentials.
What Are Security Plan Essentials? (Analysis,
Planning, and Implementation)
If you boil strategic planning down to its basics, you’ll fi nd that the elements more or less fall into
three distinct buckets or phases:
1. Analysis—Painting the internal and external “big picture” for strategic planning
2. Strategic planning—Setting the desired direction for an organization
3. Implementation plan—Creating the roadmap to realization
Typically in organizations, part of the analysis includes an overall evaluation of the business
environment security must manage its business in. e goal is a thorough understanding of the
greater organizations’ strategic plan. Although the greater organizational strategic planners have
already done an external and internal analysis, the security group must perform its own analysis
as the inputs for the security strategic plan include a number of diff erent or more detailed ele-
ments. at being said, it is important to begin with a clear understanding of the organizational
strategic plan. In organizations that have more than one business unit, security needs to garner
an understanding of each business unit’s strategic plan in which their own plan will reside (much
like the Russian “matryoshka” dolls that nest one inside the other). As a group proceeds through
these three phases of strategic planning (analysis, planning, and implementation), there are several
important things to remember.
TAF-K11348-10-0301-C002.indd 20TAF-K11348-10-0301-C002.indd 20 8/18/10 9:54:47 PM8/18/10 9:54:47 PM
Getting to the Big Picture ◾ 21
Learn the Big Picture of the Extended Enterprise
If you are not already part of the overall strategic planning process (or the organization you are
part of isn’t), then get your hands on your enterprise organizational strategic plan and study it
carefully. As you start to develop your own strategic plans, be sure other parts of your organiza-
tion’s leadership (outside your organization) have a chance for input and review of those portions
of your security strategic plan that are applicable to their organizations.
Many organizations try to shortcut the analysis phase and end up failing to include business
drivers, business unit direction, environmental scans, or big-picture input into their planning cycles.
When not enough time has been spent gathering big-picture probabilities, the likelihood increases
that the organization will be more reactive to the environment than proactively helping shape
the environment. In marketing jargon, this would be called market-shaping activities instead of
market-reacting activities. Market-shaping activities involve the identifi cation of the drivers shaping
demand, a survey of what existing products and services might be supplied to meet that demand,
which in turn helps identify gaps in the market and the development of a strategy for market-
shaping activities. A similar approach can be used to plan a proactive security strategy. First gather
the information needed to identify the issues aff ecting organizational security (now and into the
future), then compare existing and future requirements to your current capabilities to identify gaps
in security functionality. Next build a strategic plan to fi ll those gaps. Figure 2.1 charts some of the
basic domains within an enterprise that a security group must consider as it develops strategy.
Include a High-Level Risk Assessment as Input
Your part of the business is security; risk assessments are a common part of security management.
Get your hands on the best risk assessments you can fi nd, including anything generated by the enter-
prise risk management group, and use them as part of the input for your own strategic plan. Risk
assessments help quantify and thus prioritize where the organization may need to develop or refi ne
strategies to manage risks aff ecting the organization’s ability to accomplish its goals. We have found
that as security groups grow and mature they also tend to create internal risk assessment measures
(such as risk ratings for individual geographic sites) that are quite useful in strategic planning.
Business
strategy
Enterprise strategic alignment
Technology
strategy
Technology
capabilities
Operational
capabilities
rough
alignment of
strategies and
capabilities
comes business
improvement.
Security has
to consider
each domain
for strategic
planning
requirements.
Security strategy
Figure 2.1 Enterprise strategic alignment.
TAF-K11348-10-0301-C002.indd 21TAF-K11348-10-0301-C002.indd 21 8/18/10 9:54:47 PM8/18/10 9:54:47 PM
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.