Developing a Strategic Planning Process ◾ 83
Scenario planning ◾ is a strategic planning method used by some organizations to make fl ex-
ible long-range plans. Scenario planning may be used in conjunction with other planning
models such as System inking or Computer Based Modeling programs to produce new
insights into the future, unprecedented cultural shifts, regulation environments, impending
technology horizons, and so on.
ese are just a few of the many available approaches that will help an organization advance
through the analysis and planning phases of strategic planning. Many other strategic analysis
methods, tools, and philosophies are discussed in other chapters in this book. Once you have
articulated a direction in which you intend to take the organization and have created an analysis
of current state, then you will deal with a strategy formation to move you in the direction you
wish to go.
Strategy Formation (Goals, Measurable Objectives)
All men can see these tactics whereby I conquer, but what none can see is the strategy
about which victory is evolved.
Sun Tsu
Strategy formation answers the question: “Now that we know where we want to go, how will we get
there?” Once a strategic planning group has created a clear picture of the organization and its chal-
lenges, the next step is to produce a strategic plan with goals, objectives, scenarios, or strategic alter-
natives. is stage of the plan is still typically high level and abstract, and can even be somewhat
generic if one uses basic industry strategies like one of Porter’s strategies (e.g., cost leadership).
A typical strategy will include strategic goals, which are usually set for a one- to three-year
period. ese goals are set in place following an analysis of what is going on inside and outside
the organization. Once the strategic goals have been determined, the next task is to determine
how those goals will be reached through initiatives, objectives, and targets with time lines and
RAA assigned to each. Goals are formed using SMART (Specifi c, Measurable, Acceptable to
those trying to achieve those goals, Realistic, and Timely) or SM A RTER (which adds Extending
the capabilities of those trying to achieve the goals and Rewarding them) guidelines.
In addition to SMART goals or SMARTER goals, strategic planners may also opt for the
occasional stretch goal. A stretch goal is usually aimed at a longer period than a year and is a sig-
nifi cantly challenging goal that causes an organization to fi nd a way to achieve outside the current
norms. Innovation and creativity are required to achieve stretch goals. e purpose of employing
stretch goals in an organization is to inspire eff orts that exceed what is currently possible. Stretch
goals can only be achieved through creativity, invention, and innovation.
Once strategic goals, objectives, and targets have been created from the planning func-
tion, the equally important implementation phase of strategic planning begins. Good stra-
tegic plans are nothing without great implementation. Eff ective security leaders have to do
both regardless of their predilection. Security by its very nature tends to attract those who
are quite good at implementation. e key to good implementation is also the ability to move
quickly from a strategic implementation plan to emergent or adaptive strategies when either
unexpected regulatory or competitive moves require it. What often gets missed is the inte-
gration of those new strategic adaptations at an organizational level back into the strategic
planning cycle.
TAF-K11348-10-0301-C005.indd 83TAF-K11348-10-0301-C005.indd 83 8/18/10 3:04:40 PM8/18/10 3:04:40 PM
84 ◾ Security Strategy: From Requirements to Reality
Implementation (a Bias toward Action and Learning)
A good plan, violently executed now, is better than a perfect plan next week.
General George S. Patton Jr.
e implementation phase answers the following questions:
1. Now that we think we know the direction we want to take, what are the next steps, who will
take them, and how will we track how well we are doing with our plan?
2. What do we do with information that tells us this might be the wrong direction?
Strategy? Keep moving, anywhere, somewhere, but keep moving.
Ulysses S. Grant
Some important questions for consideration in the implementation phase of planning are:
1. Who has oversight and review authority for plan content?
2. What measurements of performance will we use?
3. How often will we review progress (e.g., monthly, quarterly, biannually, annually)?
4. Who is responsible for measuring progress?
In our experience, the implementation stage of strategic plan-
ning is one of the most diffi cult parts of strategic planning.
Strategy without eff ective implementation is just organizational
wishing. Implementation is diffi cult for several reasons. First,
in larger organizations (like most organizations in which we have worked), the people responsible
for implementations are often diff erent from the high-level strategic planners. is creates the
need for good communication, understanding, and buy-in. Conversely, this creates the risk of mis-
communication, misunderstanding, and resistance. Implementation of a strategic plan is similar
to any change management eff ort and requires clear sponsorship, structure, measures, and reward
and recognition systems. is section of the strategic plan should document a set of specifi c steps,
phases, and activities required to get to the end-state. is is the strategy for moving forward.
Do not repeat the tactics which have gained you one victory, but let your methods be
regulated by the infi nite variety of circumstances.
Sun Tsu
Keys to Success for the Implementation Stage of Strategic Planning
1. A well-defi ned strategic planning process.
2. Clear and visible executive support, sponsorship, and involvement.
3. An empowered strategic planning team.
4. Involvement of all levels of the organization (inclusive not exclusive approach).
5. orough analysis of internal and external competitive data (while some information is the same
at the top level of strategic planning, additional data are required as you go though the varying
levels of an organization, particularly when it comes to organizational strengths and weaknesses).
Chi Wen Tzu always thought three times
before taking action. Twice would have been
quite enough.
Confucius
TAF-K11348-10-0301-C005.indd 84TAF-K11348-10-0301-C005.indd 84 8/18/10 3:04:40 PM8/18/10 3:04:40 PM
Developing a Strategic Planning Process ◾ 85
6. Clear priorities and a strategic plan with both strategic and tactical objectives.
7. Implementation plan (spelling out the cost, duration, priority order, and accountability for
each strategy and tactic). is phase of strategic planning is part of the tactical playbook for
day-to-day activities telling employees the priorities and presenting the logic for actions they
need to take in their daily work.
8. Review, reevaluation, and revision of the strategic plan, yearly at a minimum, quarterly more
optimally, and even more often in fast-moving environments.
9. An organizational understanding of how to do strategic planning with the adjacent under-
standing of the need for strategic planning.
10. A commitment to change.
Feedback, Tracking, and Control
However beautiful the strategy, you should occasionally look at the results.
Winston Churchill
e feedback, tracking, and control phase answers the following questions:
1. How will we know we are getting where we’d like to go?
2. How are we doing in achieving the results we want?
3. Is there any new information we need to know?
ere are several questions to consider in this element of strategic planning:
1. What are the key success factors that will tell our stakeholders that we are on the path to
success?
2. What performance metrics should we use?
3. How often should we schedule a regular review of strategic goals and their relevant
metrics?
4. What cost avoidance can be expected, and how can this be ascertained?
5. How do we capture cost-benefi t data and determine return on investment (ROI), both
quantitatively and qualitatively?
6. How often should we assess progress to determine whether recalibration is needed?
Creating eff ective feedback, tracking, and control elements
presents many challenges, not the least of which is understanding
multiple levels of tracking data. Tracking data is more detailed the
farther into the implementation plans that you go. At the same
time, there is a need for information and/or data that is meaning-
ful and that fl ows up to executive-level tracking in tracking tools such as a Balanced Scorecard
Strategy Map. e Balanced Scorecard Strategy Map came out of the Harvard Business School
from Drs. Robert Kaplan and David Norton as a performance measurement framework. A bal-
anced scorecard helps any industry, government, educational, or nonprofi t group to align strategic
initiatives, goals, and objectives with the organizational vision, mission, and strategy while moni-
toring organization performance. Executives usually want to see data that tells them whether or
Setting a goal is not the main thing. It is
deciding how you will go about achieving
it and staying with that plan.
Tom Landry
TAF-K11348-10-0301-C005.indd 85TAF-K11348-10-0301-C005.indd 85 8/18/10 3:04:41 PM8/18/10 3:04:41 PM
86 ◾ Security Strategy: From Requirements to Reality
not the strategy plan is on track. Top-level executives will review data clusters around topics like
operations management, customer management, innovation, and regulatory and social processes
that may impact strategy. Only high-level security metrics are likely at the top levels of the com-
pany (such as number of incidents and response time). But at each level of review (the next levels
of review are operations as a whole, followed by security as a whole, then security departments or
programs as a whole), you will need to determine what data elements are required and relevant to
the specifi c group reviewing them. ere is often a new or an emerging set of metrics.
Determining what gets reported at the executive level from IT versus what gets reported by
physical security is seldom a well-defi ned metric. Metrics may fall into qualitative or quantitative
categories. e diffi culty is determining which security metrics are most relevant to the organiza-
tion you fi nd yourself in. Diff erent organizations measure diff erent aspects of security, depending
on whether you work in government, business, educational, or nonprofi t sectors. Security metrics
are ver y much an emerging discipline compared with more mature fi elds like fi nance or operational
productivity metrics. However, organizations continue to press on in the refi ning of meaningful
security metrics. e National Institute of Standards and Technology of the U.S. Department of
Commerce is a signifi cant force in helping determine eff ective metrics for security.
As shown in Figure 5.1, metrics are developed, collected, and analyzed for four basic per-
spectives: Learning and Growth, Business Processes, Customer, and Financial. e Learning and
Growth perspective will typically include metrics regarding employee training and corporate
cultural attitudes toward ongoing learning. e Business Processes perspective includes metrics
Vision
and
Mission
Customers
How do we
appear to our
customers?
Internal Business
Processes
Financial
How do we
contribute to
ROI?
Security Balanced Scorecard
IT Security
Physical Security
Business Continuity Emergency Preparedness
Learning & Growth
How are we
improving our
ability to change
and improve?
Strategic Initiatives
Objectives
Ta ct i cs
Measures
Ta rg et s
O
T
M
T
O
T
M
T
O
T
M
T
Strategic Initiatives
Strategic Initiatives
Strategic Initiatives
To satisfy our customers
and stakeholders what
business processess
must we excel at?
Figure 5.1 Security balanced scorecard. (Based on Kaplan, R. S., and Norton, D. P. The balanced
scorecard: Translating strategy into action. Harvard Business School Press, Boston, 1996.)
TAF-K11348-10-0301-C005.indd 86TAF-K11348-10-0301-C005.indd 86 8/18/10 3:04:41 PM8/18/10 3:04:41 PM
Developing a Strategic Planning Process ◾ 87
related to the health of core business processes in the organization and how well they meet cus-
tomer requirements. e Customer perspective will utilize customer satisfaction and value metrics
to determine overall company performance. e Financial and Business Processes perspective will
focus on fi nance metrics, risk metrics, and cost-benefi t metrics.
As strategy is developed, metrics are collected and analyzed. A strategy map is created to logi-
cally show the specifi c linkage between each strategic objective and the cause-and-eff ect chain.
Many software packages are available to create basic balanced scorecards, but it is the organiza-
tional skill and mastery of this approach that can make this a very valuable tool. is tool can
provide a framework for strategic planners to help identify what must be measured and done.
Increasingly, organizations that began with basic scorecards have continued to refi ne their use of
this methodology to help guide the day-to-day decisions of their organization. Many success sto-
ries and illustrations of the eff ectiveness of the approach are available on the Web.
Completion
e completion phase of strategic planning is as important as the fi rst phases. e completion of
a strategic planning cycle should inform the fi rst phases of the next strategic planning cycle with
the metrics, measures, and results of the completion phase of the last planning cycle. Here is the
opportunity to celebrate the successful completion or milestones toward success of deliberate strat-
egies with all employees. It is also in this cycle that the unrealized and emergent strategies can be
analyzed and reviewed to move forward.
Best Strategies (Strategies That Work)
Faith in yourself, in your friends, in your colleagues and most of all, faith in your abil-
ity to impact our future is the best strategy I know.
Seth Godin
Updated strategies have the best chance of continuing to work. Here are a few questions to jump-
start the review of your current strategy:
1. Does your security strategy work as well as it used to? (Yesterday’s strategy rarely keeps
working.)
2. Have current issues rendered your old strategies inadequate? What needs to change in the
face of emerging threats: increasingly smarter mobile devices, cloud technologies, drive-by
attacks, and so on?
3. Are you tracking emergent strategies in your organization to better analyze how you are
coping with new threats?
4. Are you tracking unrealized strategies to learn from your failures?
5. Are your security policies, processes, and procedures documented?
6. Can you quickly update them as your organization learns?
7. Has your strategy created a culture of security in the organization you serve?
8. Are the tools and metrics you employ helping you implement and refi ne your strategy?
( ese include operational metrics, technology metrics, business metrics, compliance met-
rics, and risk metrics.)
TAF-K11348-10-0301-C005.indd 87TAF-K11348-10-0301-C005.indd 87 8/18/10 3:04:42 PM8/18/10 3:04:42 PM
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.