Strategic Framework (Inputs to Strategic Planning)
long created their own CI units to protect against threats and market changes, as well as look for
opportunities. The question for an organization that engages in this type of intelligence gathering
is, “Do we perform this in-house, hire consultants, or do a combination?”
Both large and small businesses engage in regular and ongoing CI in order to make the right
market decisions, have fewer surprises, and help put competitive data in context. Small businesses
that can’t afford to hire outside consultants or don’t have full-time staff devoted to CI analysis will
often collect data informally from media such as newspapers, television, and the Internet, other
businesspeople, competitors’ staff, and competitors’ customers or clients.
Security groups are often required to focus protection efforts on thwarting illegal attempts
at CI like industrial espionage or theft of intellectual property. However, legal CI gathering and
analysis have become a cornerstone of strategic planning.
Business Intelligence
Collecting information about customers is relatively easy. Analyzing customer
information for potential cross-sells, increased revenue streams, and improved service is
more challenging. But getting the information to the front line in a timely manner
and thus providing further competitive edge is proving increasingly difficult for many
corporations.
Gerry Davis
Business intelligence (BI) is another term used for a similar type of information gathering
from a field of industry, and it may even be considered a core competency in some companies.
BI is the systemic analysis of historical, present, and predictive trends of business operations
of your own organization, whereas competitive intelligence focuses more on external data
from other companies and doesn’t necessarily rely on the same type of rigorous
technology-based analytical processes used in BI. BI helps organizations obtain a better view and
understanding of potential business trends to determine whether they are opportunities or threats.
A good BI system helps an organization to take action from a systemic data context. Many
consulting companies, Microsoft, SAS, IBM, Business Intelligence.com, and others, have
existing products and services that can assist organizations who wish to apply business
intelligence analytics.
Technical Environment and Culture
If you think technology can solve your security problems, then you don’t understand
the problems and you don’t understand the technology.
Bruce Schneier
Technology is dominated by two types of
people: those who understand what they
do not manage and those who manage what
they do not understand.
Archibald Putt
Increasingly, security is seen as a technology-driven function in many organizations.
Technology solutions are one of the “silver bullets” from which many security promises are
made. Many security groups have a natural affinity for technology and have spent their careers
mastering the ability to ride the next wave of
technological solutions. Yet, security professionals are well aware that organizational security does
not result from technical infrastructure alone. The security of an organization’s assets requires that
all organizational employees work together to ensure a secure organization. Security issues are
business issues, not just technology issues, and should be framed as such. Moving an organization
from a compliance-based security model to a holistic model requires changes not only in
technology, but also in the processes, people, and organization itself.
That being said, it is still important to review the technology arena for input into an
environmental scan. The key is to not overemphasize the importance of technology in how the rest of the
organization perceives security problems. There are two major areas to consider in looking at the
technology arena: the technical environment (present and future) and the technical culture(s) of an
organization. The technical environment of the present is a survey of the infrastructure of deployed
technologies in place organizationally. A survey helps identify what systems are in place, the level
of sophistication of those systems, legacy systems that will need to be updated or replaced, and so
on. In a large and complex organization, this task can be a daunting one, for hundreds of thousands
of assets may need to be identified. This type of survey will often require security to coordinate
multiple departments to get an accurate assessment. There is also the question of “right”
technology. Does what we are doing now make any sense? Are we really providing value for the enterprise?
Careful analysis of customer requirements and the benefits provided will help inform future
technology decisions.
A future survey helps identify what technologies are likely to be employed, should be employed,
have convergence implications for security, and/or what potential cost/savings implications will
accompany those technologies. The technical culture(s) input is more a look at specific
organizational subcultures that have developed as a result of supporting various technologies. This can be
extremely important later in strategic planning as communication and solutions are devised for
determining how best to accommodate those subgroups.
As increasing numbers of organizations begin to move toward more systemic approaches to
security, the technology drivers also begin to shift. In a purely compliance environment,
technology reviews tend to remain a functional security responsibility. The focus may be on increasing
surveillance equipment and the like for security personnel to better monitor control access points and
information systems and to observe the behaviors of individuals on or adjacent to company sites.
As an organization moves toward a “commitment focus” for security, the technology
requirements begin to shift as well. Technology is now evaluated for alignment with strategic
objectives around likely reduced impact or disruption to organizational workflow, cost effectiveness,
reliability, and consistency. When technology changes are made, they are widely communicated
through the workforce in order to create a greater willingness to accept and use new technology.
Consideration is given to how security technology will impact the entire value chain system of the
extended enterprise. This requires designing technology systems and processes that create secure
but easy access to relevant information by all partners, suppliers, and customers.
An environmental scan typically includes all of the arenas we have considered so far in its
internal and external analysis. From the arenas of regulatory and legal influences, industry standards,
marketplace and customer data, organizational culture influences, national and international
inputs, and technology infrastructure come the determination of business drivers. The forces that
are primary business drivers for an enterprise versus the security group may differ somewhat, but
it is important to understand both sets in order to effectively determine a strategic plan for moving
your organization forward.
Business Drivers
[Strategy is] a mental tapestry of changing intentions for harmonizing and focusing our
efforts as a basis for realizing some aim or purpose in an unfolding and often
unforeseen world of many bewildering events and many contending interests. [Its aim was] to
improve our ability to shape and adapt to unfolding circumstances, so that we (as
individuals or as groups or as a culture or as a nation-state) can survive on our own terms.
John R. Boyd
Business drivers are external or internal influences (such as market forces) that significantly
impact and/or set direction for programs, business, or organizations. They are typically the forces
that “drive” your business forward.
Business drivers help frame the validation of organizational mission and confirmation of
business objectives (augmented by stakeholder analysis); hot issues are identified, and key performance
indicators and critical success factors are identified. These in turn help define specific business
objectives, provide a sense of urgency and motivation, and create guiding principles and
expectations of employees for successful implementation of the changes required.
The identification and understanding of business drivers is crucial to adapting a security
function to the organization it supports. In any organization a key set of factors will drive it forward.
Different organizations will have different drivers depending on the market or customer space
they serve. In business the questions asked are, “What makes us money?” “Where does the profit
come from?” “What are the key ‘drivers’ that make us money?” “What business are we really in?”
The Sherwood Applied Business Architecture (SABSA) model is one of the strategic planning
frameworks that can greatly assist a security group in determining a security view of the world.
The SABSA methodology is most helpful in strategic planning.
Successful management of security requires understanding the enterprise’s strategic drivers for
two reasons. Strategic drivers can provide advantages or conflicts with a security group’s strategic
plan. As you link and align your own plan to the enterprise strategic plan, some of the enterprise
strategic drivers will inevitably conflict with those of security. An enterprise is looking for ways to
ensure profitability and productivity, while a security group is inevitably concerned about
managing organizational risk. Because of the ever-increasing use of technology, global market factors,
and the changing dynamics of the extended enterprise, it is even more difficult to keep security
activities and strategic drivers aligned with those of an enterprise. The natural tension between
quick response to an ever more demanding marketplace and the careful planning required to
manage enterprise risk presents security leadership significant challenges. Today’s security leaders
must be up to the challenge and able to overcome barriers.
Business drivers may be prioritized by importance, impact, or requirements that will
influence the organization in question. A high-priority business driver will typically require a strategic
response from an organization in its planning, which in turn may foster one or more strategic
initiatives. There is not a one-for-one correlation between business drivers and strategic responses,
or between strategic responses and strategic initiatives. A strategic response may address more
than one driver. For example, business drivers might be globalization and further penetration of
electronic trading in a sector of business. This driver requires a strategic response such as
bolstering market data and analysis. The response in turn drives multiple strategic initiatives such as
enhancing electronic trading tools and improving data capacity and transaction costs (but you
don’t improve costs; rather, you lower, control, accept them, etc.).
Security Strategy: From Requirements to Reality
The Tower Group chose IT security as one of the top 10 business drivers in 2009 for the
banking industry. The other nine drivers in the Tower Report were the current economic environment,
regulatory change and compliance, competitive threats, changing customer preferences, revenue
growth, operational efficiency, business growth and competition, customer loss/dissatisfaction,
and fraud and financial crime. According to Tower analysts, the examples of potential strategic
technology initiatives arising from the IT security driver in 2009 included:
Upgrade of loan processing modification collections/foreclosure processing
Modification of systems to deploy new processes for compliance
Improvement of analytics and performance management
Automation and streamlining of processes and employment of Software as a Service (SaaS)
Outsourcing and consolidation of systems
Support for improved fraud detection and risk analysis
Improvement of data access controls and data tracking; expanded use of encryption
In addition, the Tower Report pointed out the need for banking institutions to develop a more
sophisticated understanding of enterprise performance metrics and drivers to better comply with
current regulations as well as new regulatory requirements.
Business drivers are an important input for any strategic plans developed by a security group.
The challenge for a security professional is to try to find the right balance between protecting
enterprise assets and processes while, at the same time, enabling the enterprise to do business.
After the organization has reviewed and prioritized its business drivers, it is important for
the security group to gain a clear understanding of the primary business drivers because these
provide the impetus for strategic security program initiatives. By clearly understanding the
business drivers, the security group gains additional insights into the motivations and
expectations of its stakeholders, which in turn help tune the security program’s short-term objectives.
In today’s litigious environment, here are some possible current business drivers at an extended
enterprise level.
Business Drivers for the Enterprise
1. Legal liability (today so much is driven by who can sue you)
2. Emerging regulations from multiple sectors (e.g., international, national, industry)
3. Fear (of the public, enterprise stakeholders, economic uncertainties, etc.)
4. Brand value
5. IT (certainly a business driver as cited by the Tower Report)
6. IT, a partner with innovation
7. Increases in risk while companies transit to new technology
It’s not difficult to see that security business drivers and initiatives must be clearly articulated
and linked to enterprise drivers. As security’s role in business continues to evolve and change,
becoming a risk manager and trusted adviser to the executive suite of an enterprise is crucial to
maintaining security leadership longevity. Security’s strategy must map clearly and logically to the
extended enterprise.
The most important thing I’ve learned since becoming CEO is context. It’s how your
company fits in with the world and how you respond to it.
Jeffrey Immelt
So far in this chapter we have reviewed how an environmental analysis (which reviews
regulatory and legal influences, industry standards, marketplace and customer data, organizational
culture influences, national and international inputs, and technology infrastructure) helps inform
the internal and external analysis process required for good strategic planning. From this analysis
an organization can determine its best sense of business drivers.
These tools can also be helpful to nonprofit organizations. While nonprofits may not compete
for market space, they do compete for everything from volunteers’ time, dollars, and work that
similar charitable organizations are doing. We have found environmental scans to be quite useful
in planning for churches, missions, and various nonprofit organizations.
Additional Environmental Scan Resources
In addition to conducting your own environmental scan analysis, you may find additional help
from outside services in formulating your overall data gathering and analysis required for strategic
planning. Many outside agencies and consultant groups will gladly assist you in your work. The
following section presents a few examples of such services that may prove beneficial.
Benchmarking is very popular today—but companies benchmark the wrong thing.
They benchmark what other companies do, when they should be benchmarking how
those companies think.
Unknown
Benchmarking is a way to evaluate the efficiency and effectiveness of your organization by
comparing your services to those of similar organizations in your business sector. Executive
management utilizes benchmarking data to identify opportunities for operational cost reduction.
Security services may already be included in those benchmarking reports. Benchmarking IT and
corporate security services can be beneficial for improving internal security processes, finding
ways to reduce cost, and improving efficiency in internally provided services, including guard
services, reception, parking management, alarm services and CCTV, monitoring, personnel
badging, search dog handlers, and so on.
A number of groups can help you with this process. For example, Shared Services Benchmarking
Association (SSBA) conducts benchmarking studies to identify practices that improve the overall
operations of their members. SSBA™ offers free membership for the employees of any group that
manages shared services for a corporation. The SSBA is part of the Benchmarking Network, Inc.,
which is an international resource for business process research and metrics. Groups like this
provide many kinds of benchmarking resources from industry standards to studies, reports,
interest group roundtables, benchmark training, and more. You will find benchmarking associations
in nearly every industry that will also be beneficial in building business expertise. Professional
benchmarking associations present many opportunities for networking, educational
opportunities, and as industry support.