40 ◾ Security Strategy: From Requirements to Reality
Learning to discover and recognize your own mental models and explore them will also help you develop mental flexibility. Mind-sets can be like blinders that prevent you from seeing opportunities. A signal that you have just found an inflexible mental model occurs when something that is said stirs a strong emotional reaction in you. Learn to breathe deeply, and then examine the assumptions you are making about what was just said, the inferences you are making about the person who said it, and your usual reactions. When you listen well to what others think, feel, and observe—when you stretch past your own comfort zones—you begin to learn something new. Security can sometimes be about the inflexibility of requirements, strategic thinking, and imagination, and great communication requires the flexibility in ways of learning about yourself and others.
Conclusion
In this chapter we examined why strategic planning is essential for security groups, what strategic planning tools, models, and methods are available, when to do strategic planning, and what keys, myths, and barriers to strategic planning exist. In the following chapters we will examine more specifically what strategic elements should be considered in detail. When a strategic plan has been completed, the plan documentation typically contains the following elements:
◾ Definition of security (taking into consideration current and expected legal, regulatory, and business information security requirements)
◾ Explanation of why security is important and how security enables the business/organizational objectives (business strategy)
◾ Specific and clear benefits of an effective security management system
◾ Security objectives (goals) that are linked to primary business objectives
◾ A clear (or vivid) description of the desired security framework for integrating security into the organization in the future (one to five years)
◾ A description of how security objectives will be accomplished, who has the RAA (responsibilities, authority, and accountability) for each objective and how progress will be tracked and measured
◾ A brief description of overall information security risk posture and a brief overview of risk assessment results (and the major risks)
◾ Risk management strategy (risk tolerance)
◾ A description of known problems and issues regarding security management (and the current obstacles to effective security management)
◾ A description of trends in security and how they will impact the organization (and how the organization should adjust itself)
◾ Security outsourcing strategy (what should be kept in, what should be outsourced based on analysis of commodity versus unique current in-house processes)
◾ Implementation plan
◾ Communication plan
◾ Security awareness and training strategy for the organization
◾ Measures (metrics) or key performance indicators for monitoring the strategic plan
◾ Strategic plan review schedule
◾ A documented process for maintaining and updating strategic plans
In the next chapter we will look at methods for including the consumer voice in your strategic plans.