Strategic vs. tactical thinking, is a common misconception in security. Many security professionals believe that by completing tactical functions they are ultimately achieving strategic goals. The idea introduced in part one of this series is that thinking strategically is about aligning the business objectives to the activities that security is providing for the business.
For example, when executive management sets a three-year strategy for an organization to execute, security needs to be involved and develop an aligned strategy. Executive teams create strategy, which their organization executes. That strategy is measured to determine its effectiveness, along with metrics, Key Performance Indicators (KPI) and various other measurements throughout the year to determine if the plan is effective. Over the course of my career, I have been involved in thousands of engagements with clients whose annual revenue ranges from $160 billion to $30 million, and I can tell you that over 90 percent of these organizations lack a solid security strategy that aligns with business goals. Image may be NSFW.
Clik here to view.
Why is this the case? Well, thinking (strategy) is difficult, while doing (tactical) is easy. Let’s face it, the modern day security industry was born managing firewalls. Most of the security professionals have an IT background and very few have the experience to develop a strategy. However, the need for strategic thinking is at a premium. Could you imagine if the CEO of a SEC filed company commented at the earnings call, that “we really don’t have a strategy, we are just reactive to the market?” Yet that’s how the security industry operates.
Understanding the Vision
As we approach 2014, you need to ask yourself and your team tough questions. Do we have a three-year strategy for security? Has executive management been briefed and do they agree with the strategy and the investment? Most importantly, have we defined the metrics that will hold security accountable for executing that strategy? In order to evolve, you have to evaluate and plan.
As I stated before, you need to set a vision for security, with objectives that align to the business. This means that security must understand how the organization makes money and what the strategy is for the Image may be NSFW.
Clik here to view.
organization. If the business strategy is to move operations to China or to the Cloud, security has to plan for the expansion. This means that you must interact with the executive management and possibly the board of directors, so you can explain the ROI of security based on the organizations goals. If you don’t have access to either one of these sources, most likely security is not taken seriously at your organization or they already view security as just tactical, lower level. Unfortunately, you have bigger problems than I can solve in this article, but it will be addressed in a later post.
Beyond Security: Part 3 – How to Align Security to Business Strategy
In the third installment of the beyond security series, I will discuss what components are required to align your security strategy to your organization and how it adds value to the business.
Beyond Security: Part 1 – Without Strategic Thought the Industry is Doomed
