20 ◾ Security Strategy: From Requirements to Reality
Which Strategic Planning Tools?
Which models and tools, you ask, should you use? e answer is, “It depends.” It depends on where
you work, the organizational culture in which you work, the planning skills and capabilities of your
organization, the speed (time lines) at which you are required to plan, and the current strategic
capacity your organization has developed. It has been our experience from over 50 years of com-
bined consulting, education, and facilitation that organizations employ any number of these tools
and approaches at the same time in diff erent parts of the organization, including within the security
group itself. is is true in business, government, nonprofi t, church, and educational realms.
Perhaps the ideal state is a single approach, uniformly utilized and applied. is should give
an organization a competitive advantage, and in some instances that is true. Dutch/Shell is a
well-known example of a scenario-planning eff ort in the late 1960s and early 1970s that prepared
them well to deal with the oil crisis in the early 1970s. Despite past success, the scenario planning
model may not match an organization’s culture or organizational planning needs; even if it does,
it will still require strong organizational sponsorship and leadership, or it may not be uniformly
adopted. e same can be said for Senge’s Fifth Discipline approach to creating a learning orga-
nization, Belgard and Rayner’s Visualizing the Future approach to creating the future you want
to live in now, or the layered matrix Sherwood’s SABSA Model approach for creating a structured
framework for security planning that works to design an enterprisewide security architecture and
service management.
All models, methods, and philosophies require sponsorship, training, organizational adoption,
and mastery to ever have a chance of working consistently. Regardless of whether your organiza-
tion has one approach or several to strategic planning, elements of strategic planning are the basic
building blocks of any approach. In the next section we will look at the essentials.
What Are Security Plan Essentials? (Analysis,
Planning, and Implementation)
If you boil strategic planning down to its basics, you’ll fi nd that the elements more or less fall into
three distinct buckets or phases:
1. Analysis—Painting the internal and external “big picture” for strategic planning
2. Strategic planning—Setting the desired direction for an organization
3. Implementation plan—Creating the roadmap to realization
Typically in organizations, part of the analysis includes an overall evaluation of the business
environment security must manage its business in. e goal is a thorough understanding of the
greater organizations’ strategic plan. Although the greater organizational strategic planners have
already done an external and internal analysis, the security group must perform its own analysis
as the inputs for the security strategic plan include a number of diff erent or more detailed ele-
ments. at being said, it is important to begin with a clear understanding of the organizational
strategic plan. In organizations that have more than one business unit, security needs to garner
an understanding of each business unit’s strategic plan in which their own plan will reside (much
like the Russian “matryoshka” dolls that nest one inside the other). As a group proceeds through
these three phases of strategic planning (analysis, planning, and implementation), there are several
important things to remember.
TAF-K11348-10-0301-C002.indd 20TAF-K11348-10-0301-C002.indd 20 8/18/10 9:54:47 PM8/18/10 9:54:47 PM