Getting to the Big Picture ◾ 27
growth strategy. First, WaMu acquired a number of small and midsize banks to strengthen its
position in the Northwest. en in the mid-1990s it expanded to California with the purchase of
American Savings, but the acquisition forever changed the home-spun nature of the bank. WaMu
used the mortgage business it acquired in the American Savings deal to fuel its unprecedented
growth, but in the process it abandoned the core values on which it had been founded. WaMu
entered into the Adjustable Rate Mortgage (ARM) business, adopting the “balloon” option that
gave borrowers three to fi ve years of low payments that ballooned into much larger payments that
frequently resulted in defaults. WaMu had always held its own loans, but now it started to bundle
and sell them off . Internal controls for measuring and managing risk were disabled, allowing
increasingly riskier loans. en in 1999 WaMu abandoned the last vestige of its core values when
it acquired Long Beach Mortgage’s subprime mortgage business. e “friend of the family” had
become obsessed with the profi ts it needed to fuel its growth and escalate the value of its stock. In
September 2008, WaMu paid the price for its folly, when federal regulators took over the bank,
putting an end to a 119-year-old Seattle institution, one that had made it through the Great
Depression and the 1980s Savings and Loan crisis.
In the end the bank failed because its leaders abandoned its historical balance between
growth and prudence.
Bill Longbrake
WaMu CFO
We have personally seen billions of dollars lost when an organization in which we worked had
leaders who lost sight of the organization’s core values. e cost to the organization and the per-
sonal cost to the employees were huge and took many years to overcome. It is important to build
continual reminders into day-to-day management activities of what an organization’s core values
are and how they show up at work. It can be as simple as fi nishing a staff meeting with a closing
story, an award, or an example that catches your staff “doing the right thing.”
Core Competencies
Core competencies are the specifi c, extraordinary abilities that give your organization an edge in
the marketplace, service sector, or the like, and cannot be easily imitated. ey deliver value to
customers in the form of technical expertise, customer and supplier relationship, product develop-
ment, organizational culture and/or employee involvement. C. K. Prahad and G. Hamel devel-
oped the main ideas about core competencies in both their series of Harvard Business Review
articles and their follow-on best-selling book Competing for the Future.
Analyzing a company’s core competencies helps determine which strategies, activities, and prac-
tices need improvement. In addition, it is helpful to determine which competencies to develop in-
house and which to outsource. is ca n be done at multiple levels in a company, including the securit y
group. e key questions to use when conducting a core competencies analysis are as follows:
1. Does the activity provide unique or valued potential access to the market?
2. Does the activity add value?
3. Is it diffi cult for competition to imitate the activity?
e advantages of developing a short, refi ned list of core competencies is that it produces a
realistic view of the skill sets, processes, and systems the company is uniquely good at performing.
TAF-K11348-10-0301-C002.indd 27TAF-K11348-10-0301-C002.indd 27 8/18/10 9:54:48 PM8/18/10 9:54:48 PM
28 ◾ Security Strategy: From Requirements to Reality
It helps to generate focus on the value-adding activities. And fi nally, it helps in the decision process
used to determine which activities are candidates for outsourcing.
In our experience, this can be a diffi cult activity within a specifi c organization like security. As
an organization lists the key services and activities it engages in and then begins to sort through
whether they are unique or common, the fi rst tendency is to overstate uniqueness. Upon closer
examination, many activities are not unique. is quality can be determined at an organizational
level by asking, “Can this service be contracted out?” For example, guards who enforce physical
security may be classifi ed as a common service that could potentially be contracted out.
Changing business models can also impact the core competencies needed in an organization.
If, for instance, an organization moves toward a systems integrator model of providing secu-
rity services rather than a proprietary in-house security group, the core competencies will shift.
Previously, service skills may have been core competencies; now, core competencies, such as con-
tract management, may become crucial for career and organizational success.
Communication
e best strategic plans in the world are not likely to be successful if they are not eff ec-
tively communicated to those who must implement them: the employees.
Jake Laban and Jack Green
A strategic plan must be communicated in multiple ways to multiple stakeholders. Secrecy about
strategic plans hamstrings organizations through lack of understanding, absence of ownership,
and insuffi cient input. Strategic plans have to be communicated, and a dialogue of rich informa-
tion must be continued throughout the planning and implementation phases. No strategy remains
static; daily events provide a constant fl ow of information to be reviewed.
Information sharing between the elements of the whole system or value chain is essential
to good strategic planning. at requires forming a team with members from various depart-
ments and equipping them with the communication tools they require for cohesive collaborative
planning.
Leadership in today’s marketplace requires straight talk. By straight talk, we mean talk that is
honest, clear, and sensitive to the moment. In addition, today’s realities require an organizational
environment in which straight talk is not only encouraged but valued. Ask yourself, “Do the
employees in my organization feel that they can speak the truth concerning what they observe
and feel to me or the leadership of this organization?” e key to creating an environment of open
communication is respect—respect both for one another and for the opinions that are voiced.
Jake Laban and Jack Green argue that communication itself may be the strategic framework that
helps make winning strategy. In an article titled “Communicating Your Strategy: e Forgotten
Fundamental of Strategic Implementation,” published in Pepperdine University’s Graziadio
Business Report, Laban and Green outline a strategy for communicating an organization’s business
strategy. In this approach they suggest the following as a winning communications strategy:
1. Build the communications strategy as a STRATEGY. Develop a big-picture communica-
tions strategic goal, clearly defi ne communication objectives and change them as required
over time, and identify critical tactics (which in turn can provide a good metric for feedback
and evaluation of the program).
2. Understand the communication channels chosen. Recognize channel limitations
(e-mail, SharePoint, video, etc.), match the channel to the desired level of interaction and
TAF-K11348-10-0301-C002.indd 28TAF-K11348-10-0301-C002.indd 28 8/18/10 9:54:48 PM8/18/10 9:54:48 PM
Getting to the Big Picture ◾ 29
feedback needed, and remember that multiple channels are often necessary for strategy
implementation.
3. Apply the appropriate packaging technique. Use the language of the consumer/end-user
to aid understanding and execution, use well-constructed communication to disseminate
and reinforce corporate culture, and avoid pandering to the lowest common denominator,
instead challenging laggards to catch up with high performers.
Regardless of your approach to communication, having a communications plan is essential
for getting the word out. In the past, we have found success working with a communications
professional from the enterprise communications group. If available, tapping into communication
professionals can greatly assist your own planning eff orts.
Implementation
I saw that leaders placed too much emphasis on what some call high level strategy, on
intellectualizing and philosophizing, and not enough on implementation.
Larry Bossidy and Ram Charan
A good strategic plan means nothing without implementation. Having a clear implementation
plan is crucial to successful strategy. Integration is key to the successful implementation of stra-
tegic initiatives and objectives. Your implementation plan must be linked to those initiatives and
objectives. Implementation is the enacting plan to integrate security into the organizational system
and often extend it into the supply chain as well. Integration is sometime referred to as security
convergence. Security convergence refers both to the threat side and the solutions side of security. It
takes a sophisticated holistic (systems) model to understand and plan for integration.
Some examples of security convergence are Enterprise Security Risk Management models that
help provide input into strategic planning. An Enterprise Security Risk assessment demands a rollup
or convergence of subject matter expert recommendations of assessing and managing security threats
throughout the entire system, both physical and IT security.
Security convergence is more than integration of security departments throughout an orga-
nization (although that is a start; see Chapter 6 of this book for additional information on this
topic). Developing a holistic view for convergence issues requires a collaborative dialogue between
multiple functions within an organization to better understand the common risk concerns, chal-
lenges, and possible solutions. is includes physical, personnel, and information security, import/
export, business/competitive intelligence, intellectual property and brand protection, privacy,
fraud prevention, ethics, supplier management, legal, investigation and background checks, busi-
ness continuity, disaster recovery, disaster preparedness, emergency services, and safety/OSHA
(Occupational Safety and Health Administration). e focus is on getting security solutions inte-
grated throughout the company’s business architecture from research and development (R&D),
operations, and sales to product and service delivery. Security’s job is to help build value through-
out the value chain of the organization through cost-effi cient risk mitigation.
It is also important to include integration at the tactical level of security planning. As an
organization puts in place core security activities, the right tactics for the people, process, and
technology aspect of security convergence need to be selected. Integration is not easy, nor is it
made easier at the most tactical and concrete level—the processes and architecture put in place by
the strategic plan.
TAF-K11348-10-0301-C002.indd 29TAF-K11348-10-0301-C002.indd 29 8/18/10 9:54:48 PM8/18/10 9:54:48 PM
30 ◾ Security Strategy: From Requirements to Reality
Typically, an implementation plan will include action plans, budget plans, responsibilities,
authority, and accountability guidelines as well as a schedule for implementation, monitoring, and
a communication plan.
Myths about Strategic Planning
One of the major obstacles to implementation is the perceptions that people in the organization
have about strategic planning. Myths about strategic planning can keep a security group in the
dark ages lagging behind their business partners, misunderstood, and regarded as less than profes-
sional by enterprise leadership. Myths about strategic planning abound. Here are just a few of the
most prevalent myths in organizational life.
1. Strategy is just pie in the sky; strategy is diff erent than real jobs. Strategy is a leader’s
job and like any skill requires discipline, practice, and education to master. If you consider
yourself a leader in a security group, strategic thinking is now part of your job description.
Strategic planning is arguably the most important part of your job, as a good strategic plan
will guide all of your organizational eff orts. Without a strategic plan your organization is
just drifting on the tides of fortune with no real destination except extinction.
2. Strategy is a written plan sitting on a shelf or residing in a data fi le somewhere. Long
gone are the days in most organizations when strategic planning was a once-a-year exercise
accomplished at an executive retreat somewhere and then dispensed to the masses. It’s not
the written plan that is the important aspect of planning; it is the mental framework it gives
employees when making everyday tactical decisions in the organization. A strategic plan is
really the way people think about the work they are doing now. A good strategic plan helps
employees change the way they think about their jobs.
3. Strategy belongs to the top of the organization. Although the leaders of organizations
are certainly responsible for strategic direction, other elements of organizational life need
to take part in strategic planning for several reasons. First, these perspectives and inputs are
invaluable to the internal analysis of the organization. Second, they also provide important
information regarding external environmental trends that people’s jobs bring them into con-
tact with and insights into specifi c customer needs. ird, people are much more likely to
commit themselves to a vision and strategic plan if they have a voice in helping to create it.
e fourth and fi nal reason, and perhaps the most important one, is that building the stra-
tegic planning capacity of your organization gives you a competitive advantage.
4. Looking at past trends helps us plan for the future. Power to drive an organization comes
from a compelling vision for the future, not a retrospective view of the past. As strategic
planners, our goal is to connect to the emotional energy of the people in an organization
and move toward a future they want to inhabit. When people are emotionally connected to
a potential future, many of the traditional problems in strategic planning are greatly dimin-
ished (i.e., lack of communication, information, and commitment). ere are things to be
learned from the past, but do not let the constraints and disappointments of yesterday be an
arbiter of the future (i.e., the “We tried that already and it doesn’t work!” syndrome). At the
same time, strategic planning does not attempt to predict the future, although it helps you
work toward a preferred future. Good planning will reduce organization risk but will not
eliminate it. Good planning, through the exploration of alternative futures, helps build an
organization that will be better able to respond as future changes take place.
TAF-K11348-10-0301-C002.indd 30TAF-K11348-10-0301-C002.indd 30 8/18/10 9:54:48 PM8/18/10 9:54:48 PM
Getting to the Big Picture ◾ 31
5. We are in control. Although security leaders certainly have the mantle of leadership and
all the responsibilities that go with that position, they are not in control of all the outcomes,
nor do they have the power to do strategic planning alone. Good strategic planning is col-
laborative in nature and requires people’s willing participation. People in positions of power
routinely overestimate their ability to impact organizational changes. Whether we are talk-
ing about mergers and acquisitions or victory on the competitive battlefi eld, at best, leaders
infl uence and help guide organizational action, not determine it. e actual execution of any
strategic plan occurs only when employees choose to adopt it and change their behaviors to
move toward its vision. Some corporate CEOs have discussed how once they thought that at
the next level of management they would fi nally have enough power to really impact change.
At each new level, however, they consistently found that they did not have suffi cient power
to be in control in the way they had expected.
6. Change is a disruption. Change, as we all know, is seemingly the only constant in organi-
zational life. e pace of it seemingly increases with each passing decade whether in tech-
nology, occupation, or social environments. Security groups that are reluctant to move into
wholesale change will soon fi nd themselves looking for another job.
at being said, there is a balance that must be achieved. Failing to adapt to the modern
realities of the business world moves organizations toward obsolescence; too much change breeds
chaos. Anna Rowley, in her book Leadership erapy: Inside the Mind of Microsoft, names change
as one of the top 10 problems Microsoft managers face. According to Rowley, over the course of
their employment, Microsoft employees experience 13 times the number of change events (e.g.,
reorganizations, new managers, position changes) that someone working in the banking industry
will experience. Major changes are usually short-term disruptions. Continuous change is con-
tinuous disruption; it is unsettling to employees, stressful to work environments, and costly to
companies.
Managing a security group requires both the fl exibility and stability of leadership and the secu-
rity group, especially in a compliance and governance function. Learning to move quickly, while
keeping an organization cool, calm, and collected, takes skillful leadership at every level.
Barriers to Strategic Planning
A good deal of strategic planning…is like a ritual rain dance, it has no eff ect on the
weather that follows, but those who engage in it think it does.
Brian Quinn
quoted in Tom Peters’s article “Strategic Planning, R.I.P.”
Pushing through to the Next Level of Strategic Breakthrough
(Inside/Outside Organizational Input/Output)
Security by its very nature seeks to create a more secure environment for an organization, its assets,
people, and information. Keeping an organization competitive in the marketplace demands new
ways of doing business with increased risk. Not every aspect of a
strategic planning is a “safe bet.” Sometimes thinking requires try-
ing something new that creates organizational disturbance of the
old order or “safe way” of doing things.
Strategy is like sex. When all is said and
done, more is said than done.
Bill Tregoe
TAF-K11348-10-0301-C002.indd 31TAF-K11348-10-0301-C002.indd 31 8/18/10 9:54:48 PM8/18/10 9:54:48 PM
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.