Security Strategy: From Requirements to Reality
coordinating upstream and downstream value chains with suppliers, partners, distribution channels, and customers into what Porter called a value system. Many retailers, automakers, petrochemical companies, and others have become masters at managing large value chains and systems.
Value chain analysis has been used to create dynamic systemic change in industry after industry over the past few decades. This analysis is typically part of an organizational strategic plan that can affect many organizational strategic initiatives that the security group must subsequently support. It is essential for security professionals to understand the value chains and systems that their organizations support. You must be able to recognize and plan for the security challenges that may arise as your organization moves into or expands its extended enterprise or value system.
Understanding external agency industry standards (such as auditing functions) and how they impact the organizational value chain is equally important. Often, industry benchmarks have already been established and these often become metric targets for the success of one or more strategic security initiatives.
An industry benchmark, for instance, may be the average length of time that it takes a security clearance to make it through a government clearance process. If the industry standard is 18 months between clearance application and the granting of a clearance, and a competitor has found a consistent methodology that moves that average cycle time to 6 to 8 months, a security group must well consider making a 6- to 8-month cycle time their new benchmark for a strategic initiative. The obvious reasoning behind moving beyond the industry standard in this case is the productivity efficiency goals of the business unit the clearance process is serving. The reduction of cycle time for a clearance by almost two-thirds is a significant increase in productivity.
Another example of industry standards that impact a security group are changes to statutory and regulatory requirements for suppliers. Security procedures may have to become more integrated throughout the industry global value chain as various legislative bodies change requirements in certain industries. An example is the requirements regarding controlled technical data for any supplier that provides services for the U.S. (or any other country’s) defense industry. Staying abreast of the regulations and finding creative solutions to conduct business across multiple cultures, legal systems, and businesses grows ever more challenging. As firms continually move into global systems, the challenges for security to think globally and systemically also increase. Many industry groups, alliances, and vendors help craft solutions for increasingly complex requirements.
Industry standards often lag behind what is occurring in the marketplace, as we have often seen in the past with e-commerce standards, cloud computing, and social networking sites, to name just a few. When this occurs, security groups must use their own resourcefulness to find answers to emerging technology questions such as, “What do I need to make my system sufficiently reliable and secure?” “Who can I trust to tell me what standards are required?” “What are the minimum security requirements?” “Where are the current best-practice benchmarks?” As time passes, industry standard security metrics become more available as various groups and agencies begin to provide increasingly specific requirements.
In any security group’s strategic plan, industry standards are an important arena for consideration. The tensions between enterprise business drivers and security business drivers will become more explicit as they are examined in light of regulations and legal environments, industry standards, and the expectations of the marketplace. For instance, there have been “brutal standardization” requirements for cloud-based IT infrastructure and management for companies that either work in the government sector or supply information to it. The tension is driven by user expectations of governmental organizations to provide timely service and information, while enterprise
Strategic Framework (Inputs to Strategic Planning)
architecture and conflicting governmental standards and requirements lag behind consumer demand. Thorough investigation will help you better form your strategic plan to support the enterprise environment in which your security group operates. Next, we will examine an important part of the overall value chain system, the marketplace–customer base of an organization.
Marketplace–Customer Base
The most beneficial type of partnering you can engage in is partnering with your
customers. The benefits are compelling. You use it to gain customers, protect them from
predation by competitors, and to protect your profit margins.
Curtis E. Sahakian
Managing Director, Corporate Partnering Institute
Security services have both internal and external customers. In the past, security often was regarded as a compliance or governance organization, and its organizational life took place behind closed doors. The demands of organizational life in the 21st century have pretty much ended that role except for some still very cloistered domains such as investigations and executive protection.
Today security groups face the same financial targets as other members of the organization: pressure to reduce costs, outsource functions, and do a better job managing their business. Internal customers are starting to ask the hard questions, “What have you done for me lately?” “Are you managing your service like a well-run business function?” “Do the benefits you provide compel me into partnership?”
The question facing security is the same one facing many other organizational functions. “Are we a prime deliverer of security services, or are we moving toward a security services-integrator business model for the delivery of security services and products?” Organizations have answered this question in three different ways.
1. In-house security model
2. Security services-integrator
3. All security services outsourced
You retain the responsibility for all security services if you operate in the in-house model for security services. This, of course, includes maintaining customer satisfaction. As a security services-integrator, an organization provides some security services and manages all contracted security services for the enterprise. A security services-integrator has responsibility for establishing contract terms and conditions, as well as establishing and tracking all the performance metrics required to monitor and supervise contractors. Finally, all security services may be outsourced to obtain greater expertise and a greater range of services, or to decrease cost. Should security services be outsourced, the institution retains the same responsibilities for security as if those services were performed in-house.
The outsourcing of some or all security services can be a very painful change for a security group, involving a number of major paradigm shifts, process reengineering, risk reassessments, loss of in-house expertise, and so on. Once internal security functions are outsourced, security leadership must carefully manage the transition with good communication about the reasons for the change, the future skill sets that will be needed (and those that won’t), changes to policies and standards, and any new processes (e.g., a new security help desk).
By reviewing customer data and determining who your customers are, what they value, and what their needs are, you can better position your group to meet or exceed those customer needs. This helps you focus on business drivers and strategic objectives that matter.
We only have two sources of competitive advantage:
1. The ability to learn more about our customers than our competition.
2. The ability to turn learning into action faster than our competition.
Jack Welch
former CEO, General Electric
Organizational Culture
The greatest change in corporate culture and the way business is being conducted
may be the accelerated growth of relationships based…on partnership.
Peter F. Drucker
Determining the organizational culture in a security group, the business units it serves, and the greater organization as a whole can be quite helpful in every phase of strategic planning. Carefully analyzing cultural norms can help provide clues to successful deployment of strategic planning. Cultures can vary widely from group to group in an organization. For instance, a security group may serve one group that has a very structured, process-driven, inflexible, hierarchical, risk-averse organization, while another group is loose knit, entrepreneurial, globally savvy, flexible, informal, and cutting edge. Moving forward with successful security implementation is going to require different strategies in each culture, as a one-size-fits-all approach will seldom be successful. By analyzing and understanding the ways the constituents of the organization interact and how they engage each other, the security program can be tailored to gain acceptance in an organization and thereby function more effectively.
This particular input to strategic planning is especially crucial for newly arrived security leaders to an organization, even more so if they come from an entirely different sector, for example, from the federal government to commercial business. Learning to understand an organizational culture that is in place is absolutely essential in providing strategic direction and leadership, especially if that direction is going to be new and different. We have personally witnessed newly hired executives quickly lose traction in a new organization because they did not take the time to understand the new culture, and it was never long before they moved on or retired.
Another organizational nexus important for learning about a group’s culture is in mergers, acquisitions, and/or reorganizations that now include the resulting mix of different organizations as part of the same group. Even with seasoned leadership in place, many missteps can occur when a strategic plan is put into action without the leaders first garnering a keen cultural understanding.
Another pivot point for understanding cultural differences may involve plumbing or delving into an existing organization for employee descriptors of their current culture. Security leadership can also benefit from soliciting from employees descriptors of the organizational culture that the employees would like to be part of. The organizational values held, behaviors exhibited, and shared mental models and beliefs are key to understanding a group’s culture. We have found individual and group surveys and interviews to be helpful in gathering this kind of information. To get an idea about corporate culture, listen to what people both inside and outside say about the culture. Corporate culture is created by the way people speak to each other and treat each other and their customers.
Of course, we would be remiss if we did not mention knowing the culture of potential competitors and other significant organizational threats such as the forces of industrial espionage, cyber criminals, and hackers in general. Understanding the culture and ways of potential threats is imperative for good strategy. The reader will find many examples of utilizing cultural knowledge of potential threats in the tactical chapters of this book.
National and International Requirements (Political and Economic)
Indeed, to some extent it has always been necessary and proper for man, in his
thinking, to divide things up; if we tried to deal with the whole of reality at once,
we would be swamped. However when this mode of thought is applied more
broadly to man’s notion of himself and the whole world in which he lives (i.e., in
his world-view) then man ceases to regard the resultant divisions as merely useful
or convenient and begins to see and experience himself and this world as actually
constituted of separately existing fragments. What is needed is a relativistic theory,
to give up altogether the notion that the world is constituted of basic objects or
building blocks. Rather one has to view the world in terms of universal flux of
events and processes.
David Bohm
Many business drivers for security are the product of national and international requirements. It is critical to identify and understand the inputs relevant to your industry in order to build a strategy and security program properly balanced between risk reduction and efficient operations. Much of the external regulatory environment, external audit environment, and political climate of your organization must be factored into your determinations in this arena.
The security requirements that arise from national and international requirements are tremendously varied and in various states of flux depending on the industry and global regions in which you function. Some industry groups like aerospace have long-standing organizations in both national and international segments that provide guidelines, requirements, and regulations that will be input into security strategic plans.
Some international standards have been evolving in place for some time and have created well-recognized standards for organizations such as ISO, which was discussed in the Industry Standards portion of this chapter as well. Other arenas have emerging voices such as a new forum for multi-stakeholder new policy dialogue, the Internet Governance Forum (IGF), or the World Wide Web Consortium (W3C), which is the international standards organization for the World Wide Web, or the nonprofit public benefit corporation, the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN is a not-for-profit public-benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable, and interoperable. Often, the key to newly emerging standards groups that may impact an organization is early participation to effect informed change within that standards organization.
We cannot enter into informed alliances until we are acquainted with the designs of
our neighbors and the plans of our adversaries. When entering enemy territory, in
order to lead your army, you must know the face of the country—its mountains and
forests, its pitfalls and precipices, its marshes and swamps. Without local guides, you
are unable to turn to your account the natural advantages to be obtained from the land.
Without local guides, your enemy employs the land as a weapon against you.
Sun Tzu
Another nexus point for strategic planning is taking into account changing international security standards as a national organization moves into additional international domains for distribution of their products and/or services. Depending on the scope of the service or product that will become internationally distributed and supported, the international requirements complexity factor can be exponentially increased to the point of taking years to decipher all the additional requirements.
In each of these instances, keeping abreast of potential changing national and international policy dynamics, participating in the policy dialogue where possible, and including potential and emerging requirements in the input for strategic planning are important considerations for any strategic effort.
Competitive Intelligence
It is now absolutely possible to decide to abandon traditional sources of information
like subscriptions, journals, closed databases and the like, and focus entirely on getting
all of your information for free from the Internet, all of the time from the Internet.
Marydee Ojala
Social Media for Competitive Intelligence Seminar
Another rich arena for data that may be included in an environmental scan is competitive intelligence (CI). The Society of Competitive Intelligence Professionals (SCIP) defines competitive intelligence as
a systematic and ethical program for gathering, analyzing, and managing external
information that can affect your company’s plans, decisions, and operations.
Put another way, CI is the process of enhancing marketplace competitiveness
through a greater—yet unequivocally ethical—understanding of a firm’s competitors
and the competitive environment.
Specifically, it is the legal collection and analysis of information regarding the
capabilities, vulnerabilities, and intentions of business competitors, conducted by
using information databases and other “open sources” and through ethical inquiry.
SCIP’s members conduct CI for large and small companies, providing management
with early warning of changes in the competitive landscape. CI enables senior managers
in companies of all sizes to make informed decisions about everything from marketing,
R&D, and investing tactics, to long-term business strategies. Effective CI is a
continuous process involving the legal and ethical collection of information, analysis
that doesn’t avoid unwelcome conclusions, and controlled dissemination of actionable
intelligence to decision makers.
In essence, CI is the disciplined process of gathering and analyzing data in order to help business leaders make more informed business decisions. CI is gathered to determine the risks and opportunities within a marketplace before they are obvious to the average observer.
Many multinational and global companies have been engaged in CI gathering now for decades. Petrochemical companies, pharmaceutical companies, and manufacturing groups have