Getting to the Big Picture
strategic planners of any stripe. Scanning and reading books, magazines, and online resources,
and attending conferences all help develop critical thinking and critical reading. It is also
important to read materials that are outside of your discipline so that you can develop wide-angle
views and thinking.
Inquire
Appreciative Inquiry was the catalyst for a positive step change in customer service at
British Airways in North America. The use of Appreciative Inquiry transformed the
entire organization in ways that we could not have imagined.
Dave Erich
Executive Vice President, British Airways
Curiosity about people, why they think the way they do, how things work, and what perspectives
others bring can be most helpful in identifying your personal blind spots and learning new
information to help in your planning. Peter Senge has well outlined how to develop inquiry skills in his
seminal work, Fifth Discipline: The Art and Practice of the Learning Organization. Learning to use
inquiry skills promotes your own personal development as well as facilitates your understanding of
your own and others’ mental models, which in turn help examine both the assumptions stemming
from those mental models and the unintended consequences of those assumptions. Inquiry is a
great skill to develop for precision questioning, for getting to the “5 Whys” of cause and effect for
a given problem. The “5 Whys” are a basic problem-solving technique that was developed by the
Toyota Production System in the 1970s. The strategy looks at any problem and asks “Why?” and
“What caused the problem?” The first “why” often promotes a second “why,” the second “why” a
third, and so on, hence the technique’s name. The focus of the technique is determining the root
cause of a problem.
Another technique is Appreciative Inquiry, which has been defined by Cooperrider and
Whitney as the cooperative search for the best in people, their organizations, and the world
around them. It involves systematic discovery of what gives a system “life” when it is most
effective and capable in economic, ecological, and human terms. Appreciative Inquiry involves the art
and practice of asking questions that strengthen a system’s capacity to heighten positive potential.
It mobilizes inquiry through crafting an “unconditional positive question” often involving
hundreds or sometimes thousands of people. Appreciative Inquiry is a way to find out what works in
your organization. It is both a process and a philosophy. It’s part of how leaders think in a
“learning organization.” Entire organizations like British Airways have used Appreciative Inquiry to
transform the customer service aspects of their organization. It can be a great tool to stimulate
change, galvanize employees, and discover “sacred organizational cows” that are impeding
progress. Inquiry used well helps build communication throughout an organization.
Focus Long Distance/Practice Short Distance
Perception is strong and sight weak. In strategy it is important to see distant things as
if they were close and to take a distanced view of close things.
Miyamoto Musashi
legendary Japanese swordsman
TAF-K11348-10-0301-C002.indd 37TAF-K11348-10-0301-C002.indd 37 8/18/10 9:54:48 PM8/18/10 9:54:48 PM
Security Strategy: From Requirements to Reality
Learn to see the future and imagine the changes required now to get there. A security leader needs
the ability to look long and at the same time focus close. Typically, an organization’s global
strategic plan demands a security leader who can translate that global plan into implementation
plans for the short term. Long-term strategic planning now has to turn into short-term strategic
objectives that fit in budget categories; require disciplined execution, sound fiscal decision
making, customer-focused solutions, a superior corporate culture; and maximize employee contributions,
consistent service and product quality, and accurate talent acquisition and growth to support a
long-term strategic direction. We will consider several different resources that help develop these
skills as we review scenario planning and discuss futurist experts and others who help
organizations bring future thinking into today’s planning.
Anticipate
Only those who can see the invisible can accomplish the impossible!
Patrick Snow
In a customer-facing organization, it is important that all learn to anticipate customer needs. By
doing that better than the competition, companies win contracts; by doing that with employees,
leaders win productivity. If you want to grow a business, much less stay in business, you have to
create a culture that learns to anticipate customer needs. Whether you call those customers clients,
end users, consumers, internal customers, or something else, the bottom line is that security has
customers. Determine who uses your products and services and learn to provide them better than
anyone else by anticipating what your customers want from your organization. Then supply
products and services with humility. It’s easy to lose sight of the customer side of organizational life
when part of what you supply is an enforcement function regarding security issues.
Communicate
The first key of communication is to practice open communication. Strategy requires
collaboration. In turn, collaboration requires strong communication skills, listening skills, inquiry skills,
and expressive skills. To have good strategy, every level of an organization must have the ability
to be heard. Security leadership must model that behavior daily if you wish to get the best from
your organization. Practice daily honest and open communication with employees. As in inquiry,
the key is engaging employees at every level of your organization. Excellence can be happening
anywhere in your organization; communication helps you find it, develop it, and keep it.
Security leadership must also be good at communicating with other business leaders in order
to convey security priorities. Understanding and using the language of business is as important
as understanding the business of security or the emerging technologies that impact the realm of
security.
Evaluate
For every complex problem, there is a simple solution that is wrong.
George Bernard Shaw
You see things; and you say “Why?” But I dream things that never were; and I say “Why not?”
George Bernard Shaw
You can have the best technology in the world, but without education, policy and
ongoing testing, you haven’t even started.
Dave Juitt
CTO Bluesocket, Inc.
Strategic planning requires continuous evaluation, from cross-functional decisions and organizational
performance to plan, to the overall effectiveness of a strategic plan. The Johnson and Scholes model
for evaluation is one method of performing evaluation. In this model, strategic options are
measured against three criteria:
• Suitability (Would it work?) Does this strategy make sense economically, organizationally, and
  environmentally? Can we leverage economies of scale, our experience, our capabilities, and our
  core competencies?
• Feasibility (Can it be made to work?) What resources will we need to get or develop?
• Acceptability (Will organizational members work it?) What are the expectations of our
  stakeholders (employees, customers, suppliers, shareholders, etc.)? What is the potential
  risk involved? What are the consequences if we fail? What is the potential return? What
  will stakeholders gain? What will customers get? What will employees get? What will
  shareholders get? What is the possible range of reaction from stakeholders? What will
  customers think? What will employees think? What will shareholders think?
Each of the three criteria has a number of analysis tools that can be helpful in evaluating
strategic options. Table 2.2 presents a sampling of possible evaluation tools.
Evaluation is a critical thinking skill for strategy. Creative thinking and critical thinking
are both part of strategic planning. Often, leaders are predisposed to many types of critical
thinking and are less familiar with creative thinking, but in order to play to win you must use
them both.
Practice Flexibility
Do not repeat the tactics which have gained you one victory, but let your methods be
regulated by the infinite variety of circumstances.
Sun Tsu
Strategic thinking about the future is not a straight line of planning from now until some point
in the future. Learning to anticipate large shifts in future environments and potential responses
will help keep you agile when the unexpected arises. Many formalized strategic models build
multiple possibilities into strategic thinking such as scenario planning.
Table 2.2 Analysis Tool Criteria

| Suitability | Feasibility | Acceptability |
|---|---|---|
| Prioritization or ranking of strategic options | Cash flow analysis | What-if analysis |
| Decision-trees | Forecasting | Stakeholder mapping |
| What-if analysis | Breakeven analysis | |
| | Resource deployment analysis | |
Learning to discover and recognize your own mental models and explore them will also help
you develop mental flexibility. Mind-sets can be like blinders that prevent you from seeing
opportunities. A signal that you have just found an inflexible mental model occurs when something that is
said stirs a strong emotional reaction in you. Learn to breathe deeply, and then examine the
assumptions you are making about what was just said, the inferences you are making about the person who
said it, and your usual reactions. When you listen well to what others think, feel, and observe—when
you stretch past your own comfort zones—you begin to learn something new. Security can
sometimes be about the inflexibility of requirements, strategic thinking, and imagination, and great
communication requires the flexibility in ways of learning about yourself and others.
Conclusion
In this chapter we examined why strategic planning is essential for security groups, what strategic
planning tools, models, and methods are available, when to do strategic planning, and what keys,
myths, and barriers to strategic planning exist. In the following chapters we will examine more
specifically what strategic elements should be considered in detail. When a strategic plan has been
completed, the plan documentation typically contains the following elements:
• Definition of security (taking into consideration current and expected legal, regulatory, and
  business information security requirements)
• Explanation of why security is important and how security enables the business/organizational
  objectives (business strategy)
• Specific and clear benefits of an effective security management system
• Security objectives (goals) that are linked to primary business objectives
• A clear (or vivid) description of the desired security framework for integrating security into
  the organization in the future (one to five years)
• A description of how security objectives will be accomplished, who has the RAA
  (responsibilities, authority, and accountability) for each objective and how progress will be tracked
  and measured
• A brief description of overall information security risk posture and a brief overview of risk
  assessment results (and the major risks)
• Risk management strategy (risk tolerance)
• A description of known problems and issues regarding security management (and the
  current obstacles to effective security management)
• A description of trends in security and how they will impact the organization (and how the
  organization should adjust itself)
• Security outsourcing strategy (what should be kept in, what should be outsourced based on
  analysis of commodity versus unique current in-house processes)
• Implementation plan
• Communication plan
• Security awareness and training strategy for the organization
• Measures (metrics) or key performance indicators for monitoring the strategic plan
• Strategic plan review schedule
• A documented process for maintaining and updating strategic plans
In the next chapter we will look at methods for including the consumer voice in your strategic
plans.