Once you understand the organization’s strategy, aligning security to it becomes the easy part.
While there are unknowns in everything we do, we as security professionals must make assumptions when developing our strategy (unless of course you have performed an enterprise risk assessment.
These assumptions can be qualitative, or quantitative in nature, but don’t get caught up on the details. Remember, even the most quantitative analysis makes assumptions and predications; just ask corporate finance if you want more proof.
A good security strategy should include various components; the best way to align your security strategy with the organization is to use the business strategy as a template. Incorporating a matrix organization for security is helpful, since security is a horizontal organizational unit, not vertical (functional).
Focus on reporting structure, skillsets, forecasting hiring needs, investments (people and technology) and metrics. In another article, I will discuss the matrix organization and how security should be structured.
If all of this sounds too difficult to implement on your own, hire an outside organization to do a facilitated whiteboard session to help get things started. There are a number of books and articles online that can ease this venture.
Once a strategy has been developed, prioritization and resource allocation is a byproduct of the execution. As with every plan, there are unknowns, and these unknowns need to be taken into consideration when developing your plan, as stated above. If the organization experiences a breach, resources will need to be deployed to respond. If done correctly, executive management should already be ready for this possibility (assumption) and understand the shift in priority.
Even in the cases when the board of directors reads an article and they ask, “why are we not looking at this,” refer back to your strategy. If they still want to move forward, this will change your priority and thus other things will not be done. You need to communicate this tradeoff and possible risk exposure to them.
Of course, the daily operations of security still need to be done, but determine the capacity of your security team. If you are already at 100 percent capacity, clearly you will not be able to execute any plan. I would argue that if you were at 100 percent capacity, really doing anything more would be a waste of time.
Case in point: organizations run monthly vulnerability scans, but don’t have the resources to implement the required changes. So why do they even do them?
Overcome your resource problem by outsourcing the tactical components. Don’t do everything yourself. Bring the experts in, but guide them to execute your strategy. A “hacker” or penetration tester is not going to help you build a strategy or understand the organizational vision.
Don’t be left behind
Failure to start to change the mindset in security means that you will probably be left behind. This will take a few years, but the prevailing forces depicted in the graph above are beyond our control. As security becomes more mainstream, the competition for high-level positions will heat up. I foresee professionals with disciplines outside of security starting to take an interest in this field. It’s a pretty simple supply and demand curve, with higher paying positions (demand) the supply increases to meet this demand. We have the luxury now, but given the shifts in the security industry, now is the time to start to change the way we think.
Beyond Security: Part 1 – Without Strategic Thought the Industry is Doomed
Beyond Security: Part 2 – Provide Irreplaceable Value to your Organization