Chapter 4
Strategic Framework (Inputs to Strategic Planning)
There is a slightly odd notion in business today that things are moving so fast that strategy becomes an obsolete idea. That all you need is to be flexible or adaptable. Or as the current vocabulary puts it “agile.” This is a mistake. You cannot substitute agility for strategy. If you do not develop a strategy of your own, you become a part of someone else's strategy. You, in fact, become reactive to external circumstances. The absence of strategy is fine, if you don't care where you're going.
Alvin Toffler
Introduction
In Chapter 3 we discussed the tools and methods used for gathering, analyzing, and reporting data
from security consumers or customers. In this chapter we consider how the information gathered
from our consumers should be integrated into a commonly understood framework for strategic
planners. Often that framework is created by conducting an overall environmental scan.
This chapter is about identifying and understanding the basic inputs that are critical to creating the mental framework for strategic planning. The inputs we discuss help ensure that your future security program will meet the needs and expectations of the organization you support. These inputs are the elements of organizational planning and the principal inputs for all strategic activity.
A typical security strategy is a plan to mitigate risks while complying with legal, statutory, contractual, and internally developed requirements. But a security strategy resides inside an organizational strategy that may have very different drivers than a security strategic plan. In order for the two strategic plans to align and work well together, there must be a clear understanding of both plans and clear links between them that are well understood throughout the greater enterprise.
Learning to conduct external and internal environmental analysis helps prepare a security
group for strategic planning. From our perspective, security is an organizational problem that
TAF-K11348-10-0301-C004.indd 53 8/18/10 3:03:55 PM
Security Strategy: From Requirements to Reality
must be framed and solved in the context of the enterprise's strategic drivers, which are derived from a thorough environmental scan. From the combination of internal and external analysis, the prioritized data can be filtered through a SWOT matrix to further refine the potential strategic direction.
In this chapter, we will review the environmental scan (see Figure 4.1) and the following inputs:
Regulatory and legal influences
Industry standards
Marketplace and customer base
Organizational culture
National and international requirements (political and economic)
Competitive intelligence
Business intelligence
Technology environment and culture
Determination of business drivers
As the environmental scan considers each arena, prioritized business drivers will emerge that help determine an organization's future direction. We will also discuss the need to be future oriented in day-to-day security operations.
Environmental Scan
What business strategy is all about (what distinguishes it from all other kinds of business planning) is, in a word, competitive advantage. Without competitors there would be no need for strategy, for the sole purpose of strategic planning is to enable the company to gain, as efficiently as possible, a sustainable edge over its competitors.
Kenichi Ohmae
Figure 4.1 Environmental scan. (Diagram: internal analysis and external analysis feed a SWOT matrix of strengths, weaknesses, opportunities, and threats.)
An environmental scan is basically collecting information about environmental characteristics. Organizational scanning is crucial to organizational survival. Good environmental scanning practices help an organization adapt to its environment. In terms of organizations and strategic planning, an environmental scan involves considering the factors that will influence the direction and goals of the organization. An environmental scan includes consideration of both present and future factors that might affect the organization since strategic planning is for the future, not just the present. Environmental scanning often refers just to the macro environment, but we will consider it from its broader perspective and include industry, competitor analysis, marketing research (consumer analysis), technology trends including new product development (product innovations), and the company's internal environment.
The importance of environmental information depends on the degree to which the success of the organization is dependent on its environment. In the business literature, the organization's dependency on its environment is referred to as perceived environmental uncertainty (PEU). Gordon and Narayanan (1984) identified factors that determine PEU. These factors include the nature of the society, economic stability, legal stability, political constraints, and the nature of the industry, the customer base, and the organization. We will consider several elements of PEU later in this chapter.
An environmental scan is the gathering and analysis of factors impacting the strategic direction and goals of the organization in which you work. This includes both the current as-is conditions and the possible future states of the environment. The environmental scan should include external factors such as markets (both current and potential), demographics, technology trends, market trends and predictions, government regulations, or pending legislation likely to impact your organization, as well as elements from the internal environment such as current architecture, infrastructure, personnel, organizational structure, and assets. The scan should include what, if anything, is needed to accomplish proposed strategic plans and objectives (see the Technical Environment and Culture section of this chapter). Business drivers can be determined and prioritized after conducting a thorough environmental scan.
Environmental scans should be conducted by groups or individuals over a specified period of time prior to strategic planning work. Scans can take many different forms ranging from Bill Gates's ensconcing himself in a secluded hideaway to review white papers written throughout the year by Microsoft employees to a dedicated team that performs a thorough environmental scan, generates a market trend report, creates future (vision) white papers, does scenario planning, and so on.
An element or subset of an environmental scan may be a competitive analysis that looks at your organization's strengths and weaknesses in relation to those of the competitors in that market space. The ultimate goal is to leverage your strengths and minimize your weaknesses to more effectively compete in your selected market space. This information should be included in a typical SWOT analysis for the organization. Although an environmental scan helps gather the information needed, a SWOT analysis sorts the information and prioritizes it for inclusion in strategic planning. In the following segments of this chapter, we examine the major arenas security groups should include when conducting an environmental scan.
Regulations and Legal Environment
In some ways, with the security challenges this country has faced, we have had to put in
rules and regulations for business to be able to sustain their growth and create jobs.
Wayne Allard
Look for what's missing. Many advisors can tell a president how to improve what is proposed or what's going amiss. Few are able to see what isn't there.
Donald Rumsfeld
Obviously, this arena is tremendously important for anyone working in the security sector. The legal and regulatory arena is usually one of the primary business drivers for security groups engaged in strategic planning, as exemplified by Microsoft's troubles early on in this arena in both the United States and Europe or Google's more recent issues within China. The hand of regulation has grown heavier each year as lawmakers continue to underscore the importance of security by enacting new laws and regulations. A security group is bound to uphold and abide by the policies, laws, and regulations found in this arena. In many organizations, tracking this constantly changing set of compliance requirements is a full-time job for the legal department, IT security, physical security, and organizational leadership.
In the past decade, worldwide governmental changes in data security, privacy, and information management statutes and regulations have been continuous. Enforcement has become a major challenge for compliance and security operations. Many security groups are subject to an increasing number of audits from numerous external agencies without any additional budget to support those efforts. Outsourcing is also impacting compliance requirements. Keeping current with proposed legislation that will impact your industry and having strategic plans in place to absorb those impacts are critical to the responsiveness and flexibility of a security group.
A close examination of your organization's internal audit process can also help provide needed corrections in internal processes and procedures that regulate compliance. In order to leverage internal audit processes for needed corrections to security controls and processes, it is necessary to be able to define for the internal audit team what constitutes an effective security control or process, and to determine which controls and processes are under security's governance. Too often, we have seen audit findings relayed to security for correction where the control or process in question is outside the purview of the security group (i.e., rightly belonging in another organization). To fully understand the drivers for internal audit, be sure to analyze the statutory, regulatory, industry, business partner, and external audit requirements as well. These will give you additional insight into the components of your organization that are shaped or influenced by compliance. A thorough understanding of the regulatory and legal environment will provide better data for analysis and the determination of the business drivers for security. Another important arena for consideration in an environmental scan is that of industry standards.
Industry Standards
Any time you sincerely want to make a change, the first thing you must do is to raise your standards.
Anthony Robbins
Customer demands create standards in every industry. There seems to be a perpetual flow of changing industry standards. One of the fields where standards are changing rapidly is, of course, the IT industry. We now have higher standards for bandwidth, power, performance, reliability, flexibility, integration, connectivity, real-time solutions, energy efficiency, and security. Standards in industry after industry are changing at increasing speeds driven largely by the development of new technology. Even so, standards typically lag technology developments by at least a generation.
Hold yourself responsible for a higher standard than anybody else expects of you.
Henry Ward Beecher
We need to include industry or business partner regulations as potential inputs to environmental scans as well. Many organizations are subject to industry-specific regulations, for example, health care and Health Insurance Portability and Accountability Act (HIPAA) or financials and 12 CFR 208.61 (Code of Federal Regulations for banks in the U.S. Federal Reserve System). Some business partnerships may also be subject to specific regulations; for example, if you supply components to a partner that manufactures military equipment, your organization may be subject to International Traffic in Arms Regulations (ITAR). If you are a global supplier, perhaps ISO 27001 is a required standard. The International Standards Organization's (ISO) 27001 is an example of a widely recognized security standard that sets the international standards in business continuity planning, system access control, system development and maintenance, physical and environmental security, compliance, personnel, security group, computer and network management, asset classification, and control and security policy. The American National Standards Institute (ANSI) is an example of a national nonprofit organization that oversees the creation, promulgation, and use of thousands of norms and guidelines that directly impact businesses in nearly every sector.
There are similar standards groups that shape, create, and enforce standards for each type of security discipline from IT to every aspect of physical security. As in government regulation, all of these elements must be considered in order to build an effective security strategy. Most industries have external associations and other support organizations you can use (e.g., the American Bankers Association) to identify existing standards and the minimum requirements for the industry.
There are also benchmarking standards that may drive strategic security initiatives for competitive reasons. It is important to determine the business-sensitive processes in the industry value chain in order to better understand which industry standards are most relevant for the enterprise. Business-sensitive processes are where the organization you support generates revenue and value to your customers. By understanding these processes, the security group will be able to better identify the security requirements and vulnerabilities associated with each business process. If you don't understand your industry's value chain, or even know what a value chain is, then you definitely need to get a handle on the value chain concept because it is a major part of the business environment you are supporting.
A value chain is a basic analysis of an industry or business to identify the activities the organization engages in to develop competitive advantage and create value for the organization. Those value-generating activities are what are defined as a value chain. Michael Porter in his seminal work, Competitive Advantage: Creating and Sustaining Superior Performance, introduced a generic value chain model (Figure 4.2) that captures a sequence of activities that are common across a broad range of firms.
The value chain model is used as an analysis tool to determine the core competencies that enable an organization to achieve a competitive advantage. A competitive advantage can be achieved through efficiency, differentiation, and/or market focus. Organizations use this tool to analyze business unit interrelationships and find opportunities for synergy, process improvements, and cost reduction. Once core competencies are determined, many firms will source other activities in the value chain and focus on the core competencies that provide a competitive advantage. As firms streamline their own value chain, they often begin to look at additional opportunities in
Figure 4.2 Value chain. (Diagram of Porter's generic value chain: inbound logistics, operations, outbound logistics, marketing and sales, and service, yielding margin.)