The assignment is attached. Original work, no plagiarism. Need this done in APA format.
CIS 519 – Weeks 4 & 5 Project
Complete the following assignments for weeks 4 & 5. Please include your name, class
number, and assignment number on your paper. Follow APA formatting standards,
especially for citations and references.
Assignment: Explaining the strategic planning process
Learning Objectives and Outcomes
You will understand the steps in the strategic planning process.
You will understand how a sample organization could use the strategic planning process.
Scenario
The organization is a regional XYZ Credit Union/Bank that has multiple branches and locations
throughout the region.
Online banking and use of the Internet are the bank’s strengths, given its limited human
resources.
The customer service department is the organization’s most critical business function.
The organization wants to be in compliance with Gramm-Leach-Bliley Act (GLBA) and IT security
best practices regarding its employees.
The organization wants to monitor and control use of the Internet by implementing content
filtering.
The organization wants to eliminate personal use of organization-owned IT assets and systems.
The organization wants to monitor and control use of the e-mail system by implementing e-mail
security controls.
The organization wants to implement this policy for all the IT assets it owns and to incorporate
this policy review into an annual security awareness training program.
Assignment Requirements
1. Page 75 of the book lists the 11 stages in the strategic planning process. Even though they are
listed in the Roles and Responsibilities section, it’s really an outline of the overall strategic
planning process.
2. Provide a 1-2 paragraph explanation of each stage. You need to explain the goal(s) of the stage
and how it fits into the whole strategic planning process. Include the inputs and outputs of each
stage.
Using the scenario above:
3. Summarize your recommendations for this organization as they create a new IT Strategy.
Include their potential benefits and costs.
4. Describe how this organization would use the strategic planning process to develop and
maintain their strategic plan.
Your writing must be professional with proper attention to formatting, spelling, grammar, and
punctuation.
Security
Strategy
From Requirements to Reality
Bill Stackpole and Eric Oksendahl
Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2011 by Taylor and Francis Group, LLC
Auerbach Publications is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1
International Standard Book Number: 978-1-4398-2733-8 (Paperback)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been
made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright
holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this
form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may
rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the
publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://
www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923,
978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For
organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for
identification and explanation without intent to infringe.
Library of Congress Cataloging‑in‑Publication Data
Stackpole, Bill.
Security strategy : from requirements to reality / Bill Stackpole and Eric Oksendahl.
p. cm.
Includes bibliographical references and index.
ISBN 978-1-4398-2733-8 (alk. paper)
1. Computer security. 2. Information technology--Security measures. 3. Data protection. 4.
Business--Data processing--Security measures. I. Oksendahl, Eric. II. Title.
QA76.9.A25S684 2011
005.8--dc22
2010025968
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the Auerbach Web site at
http://www.auerbach-publications.com
To my father who always pushed us to be the best we could be.
William “Bill” Stackpole
To my wife Elaine who has always stood beside me and encouraged
and supported my efforts. I am truly a blessed man.
Eric Oksendahl
Contents
Acknowledgments ………………………………………………………………………………………………… xv
Introduction ……………………………………………………………………………………………………….xvii
Preface ………………………………………………………………………………………………………………..xxi
Authors ……………………………………………………………………………………………………………. xxiii
SECTION I
STRATEGY
1 Strategy: An Introduction ………………………………………………………………………………..3
Strategic Planning Essentials…………………………………………………………………………………. 3
Strategic Planning Process Evaluation…………………………………………………………………….. 5
Security Leadership Challenges……………………………………………………………………………… 6
Getting Started …………………………………………………………………………………………………… 7
Value Proposition………………………………………………………………………………………… 8
Other Challenges for Security and Strategic Planning ………………………………………………. 8
When Strategic Planning Should Be Conducted………………………………………………………10
Metaphor Analysis and Strategic Planning………………………………………………………………10
Strategic Planning as a Process………………………………………………………………………13
Requirements for Successful Strategic Plans…………………………………………………….14
Creating a Security Culture…………………………………………………………………………………..15
Security Continuum (Moving toward a Security Culture)…………………………………………15
Conclusion…………………………………………………………………………………………………………16
2 Getting to the Big Picture ………………………………………………………………………………17
Background (Why Should Security Bother with Strategic Planning?)………………………….17
Menu of Strategic Planning Methods and Models ……………………………………………………18
Which Strategic Planning Tools?………………………………………………………………………….. 20
What Are Security Plan Essentials? (Analysis, Planning, and Implementation) ……………. 20
Learn the Big Picture of the Extended Enterprise……………………………………………..21
Include a High-Level Risk Assessment as Input ……………………………………………….21
Link Your Strategic Plan to the Organization Strategic Plan…………………………….. 22
Develop Flexibility and Fluidity in Your Department……………………………………… 22
When Should Strategic Planning Be Done?……………………………………………………………. 23
Six Keys to Successful Strategic Planning………………………………………………………………. 24
Simplicity…………………………………………………………………………………………………. 24
Passion (Emotional Energy) and Speed of Planning and Adapting……………………..25
Connection to Core Values …………………………………………………………………………. 26
Core Competencies……………………………………………………………………………………. 27
Communication………………………………………………………………………………………… 28
Implementation…………………………………………………………………………………………. 29
Myths about Strategic Planning …………………………………………………………………………… 30
Barriers to Strategic Planning………………………………………………………………………………..31
Pushing through to the Next Level of Strategic Breakthrough (Inside/Outside
Organizational Input/Output)………………………………………………………………………..31
Going Slow to Go Faster, or Don’t Just Do Something, Sit There (Honing
Organizational Strategic Planning Skills)………………………………………………………. 32
Think Ahead, Act Now………………………………………………………………………………. 32
Strategic Business Principles and Workplace Politics……………………………………….. 32
Looking for Niches, Voids, Under-Your-Nose Advantages………………………………….33
Overcoming Negative Perceptions of Security………………………………………………………….33
Averse to Outsourcing………………………………………………………………………………… 34
Reluctant to Change Quickly……………………………………………………………………… 34
Stovepiped Organization Out of Touch with Business Realities ………………………… 34
Always Looking for the Next Magic Technology Bullet…………………………………….35
Promises, Promises You Can’t Keep……………………………………………………………….35
Developing Strategic Thinking Skills ……………………………………………………………………..35
Create Time for Thinking…………………………………………………………………………… 36
Scan ………………………………………………………………………………………………………… 36
Inquire …………………………………………………………………………………………………….. 37
Focus Long Distance/Practice Short Distance………………………………………………… 37
Anticipate ………………………………………………………………………………………………… 38
Communicate …………………………………………………………………………………………… 38
Evaluate …………………………………………………………………………………………………… 38
Practice Flexibility……………………………………………………………………………………… 39
Conclusion……………………………………………………………………………………………………….. 40
3 Testing the Consumer …………………………………………………………………………………….41
Introduction……………………………………………………………………………………………………….41
Defining the Consumer Buckets ………………………………………………………………………….. 42
What Historic Issues Are We Trying to Resolve or Avoid?………………………………… 42
What Are the Challenges?…………………………………………………………………………… 43
Customer Relationship Management (CRM)…………………………………………………. 43
Customer Value Management (CVM) ………………………………………………………….. 44
When Should You Collect Consumer Data?…………………………………………………….45
Quick Customer Assessment……………………………………………………………………………….. 46
Managing Key Internal Relationships…………………………………………………………… 46
Conducting Face-to-Face Interviews………………………………………………………………47
Guidelines for How to Solicit Feedback ………………………………………………………….47
Designing Customer Feedback Surveys…………………………………………………………………. 48
Online Survey Guidelines…………………………………………………………………………… 49
Focus Group Guidelines …………………………………………………………………………….. 49
Deploying a Survey ……………………………………………………………………………………………. 50
Measuring Customer Satisfaction Results ……………………………………………………………… 50
Integration of Consumer Data …………………………………………………………………………….. 50
Conclusion…………………………………………………………………………………………………………52
4 Strategic Framework (Inputs to Strategic Planning)…………………………………………..53
Introduction……………………………………………………………………………………………………….53
Environmental Scan…………………………………………………………………………………………… 54
Regulations and Legal Environment ………………………………………………………………………55
Industry Standards…………………………………………………………………………………………….. 56
Marketplace–Customer Base ………………………………………………………………………………..59
Organizational Culture………………………………………………………………………………………. 60
National and International Requirements (Political and Economic)…………………………….61
Competitive Intelligence …………………………………………………………………………………….. 62
Business Intelligence ………………………………………………………………………………………….. 63
Technical Environment and Culture…………………………………………………………………….. 63
Business Drivers ………………………………………………………………………………………………….65
Business Drivers for the Enterprise……………………………………………………………….. 66
Additional Environmental Scan Resources………………………………………………………………67
Scenario Planning ……………………………………………………………………………………………… 68
Futurist Consultant Services ……………………………………………………………………………….. 69
Blue Ocean Strategy versus Red Ocean Strategy …………………………………………………….. 70
Future (the Need to Be Forward Looking)…………………………………………………………….. 71
Conclusion……………………………………………………………………………………………………….. 72
5 Developing a Strategic Planning Process ………………………………………………………….73
Roles and Responsibilities …………………………………………………………………………………….74
Process and Procedures ………………………………………………………………………………………. 75
Get Ready to Plan for a Plan …………………………………………………………………………………76
Planning, Preparation, and Facilitation…………………………………………………………………. 77
Building a Foundation for Strategy (High, Wide, and Deep) ……………………………………. 79
In the Beginning ……………………………………………………………………………………………….. 79
Vision, Mission, and Strategic Initiatives……………………………………………………….. 80
Vision Statement ……………………………………………………………………………….. 80
Mission Statement ………………………………………………………………………………81
Strategic Initiatives………………………………………………………………………………81
Analysis……………………………………………………………………………………………………. 82
Strategy Formation (Goals, Measurable Objectives)………………………………………… 83
Implementation (a Bias toward Action and Learning) ……………………………………………… 84
Keys to Success for the Implementation Stage of Strategic Planning …………………… 84
Feedback, Tracking, and Control…………………………………………………………………………..85
Completion ………………………………………………………………………………………………………. 87
Best Strategies (Strategies That Work) …………………………………………………………………… 87
Conclusion……………………………………………………………………………………………………….. 88
6 Gates, Geeks, and Guards (Security Convergence)……………………………………………..91
Introduction……………………………………………………………………………………………………….91
Terms and Definitions ……………………………………………………………………………….. 93
Benefits of Security Convergence …………………………………………………………………………. 93
Cost Savings …………………………………………………………………………………………….. 93
Improved Security and Risk Management…………………………………………………….. 94
More Effective Event/Incident Management………………………………………………….. 95
User Experience ………………………………………………………………………………………… 96
Regulatory Compliance ……………………………………………………………………………… 96
Improved Business Continuity Planning……………………………………………………….. 96
Other Improvements………………………………………………………………………………….. 97
Convergence Challenges …………………………………………………………………………………….. 97
Success Factors………………………………………………………………………………………………….. 98
Conclusion……………………………………………………………………………………………………….. 99
SECTION II TACTICS
7 Tactics: An Introduction……………………………………………………………………………….103
Tactical Framework……………………………………………………………………………………………103
Facilities—Physical Attack Scenarios……………………………………………………………104
IT Systems—Logical Attack Scenarios …………………………………………………………106
Objectives Identification …………………………………………………………………………………….107
First Principles ………………………………………………………………………………………………….108
Observation Principle…………………………………………………………………………………108
Response Principle …………………………………………………………………………………….109
Timeliness Principle…………………………………………………………………………………..109
Preparedness Principle………………………………………………………………………………..110
Economy Principle ……………………………………………………………………………………. 111
Maintenance of Reserves (Coverage) Principle ……………………………………………….112
Redundancy Principle ………………………………………………………………………………..113
Least Privilege Principle……………………………………………………………………………..114
Commonality Principle……………………………………………………………………………… 115
Conclusion……………………………………………………………………………………………………….116
8 Layer upon Layer (Defense in Depth) ……………………………………………………………. 119
Introduction…………………………………………………………………………………………………….. 119
Defense-in-Depth Objectives Identification …………………………………………………………..121
Information Environments………………………………………………………………………………… 122
Threats …………………………………………………………………………………………………………… 122
Environmental Objectives…………………………………………………………………………………. 123
In-House Objectives ………………………………………………………………………………… 123
Limited and Controlled Boundary Access Points………………………………….. 123
Effective Logging, Detection, and Alerting Capabilities ………………………….125
Operational Excellence for Security Controls………………………………………. 126
Superior Personnel Supervision, Training, and Skills Management………….. 127
High Assurance Identity Management………………………………………………… 127
Timely Incident Response and Resolution…………………………………………… 128
Shared-Risk Environments………………………………………………………………………….129
Hosted Objectives……………………………………………………………………………………..129
Consumer Scenario……………………………………………………………………………129
Provider Scenario………………………………………………………………………………132
Hybrid Objectives……………………………………………………………………………………. 136
Consumer Objectives……………………………………………………………………….. 136
Provider Objectives……………………………………………………………………………139
Conclusion……………………………………………………………………………………………………….141
9 Did You See That! (Observation)……………………………………………………………………143
Introduction……………………………………………………………………………………………………..143
Observation Objectives ………………………………………………………………………………………144
Observation Elements………………………………………………………………………………………..145
Reconnaissance …………………………………………………………………………………………145
Sentry ……………………………………………………………………………………………………..146
Physical Security……………………………………………………………………………….146
IT Security……………………………………………………………………………………….149
Alarming………………………………………………………………………………………………….152
Command………………………………………………………………………………………………..154
Summary ………………………………………………………………………………………………… 155
Drivers and Benefits for Excellence in Observation…………………………………………………156
Observation Challenges ……………………………………………………………………………………..157
Success Factors and Lessons Learned ……………………………………………………………………158
Reconnaissance…………………………………………………………………………………………158
Surveillance………………………………………………………………………………………………158
CCTV Surveillance Lessons Learned……………………………………………………159
Physical Detectors Lessons Learned ……………………………………………………..159
IT System Security…………………………………………………………………………………….159
IT System Security Lessons Learned…………………………………………………….159
Excellence in Observation Control Objectives……………………………………………………….160
Reconnaissance …………………………………………………………………………………………160
Surveillance………………………………………………………………………………………………160
Event Detectors…………………………………………………………………………………………161
Pattern and Anomaly Detectors …………………………………………………………………..163
Conclusion……………………………………………………………………………………………………….165
10 Trust but Verify (Accountability)……………………………………………………………………169
Introduction……………………………………………………………………………………………………..169
Unmatched Value of Accountability……………………………………………………………………..169
Comprehensive Accountability Challenges ……………………………………………………………172
Identity Challenges ……………………………………………………………………………………172
Audit Challenges……………………………………………………………………………………….173
Best Uses for the Accountability Tactic…………………………………………………………………174
Comprehensive Accountability Identity Objectives…………………………………………………175
Identity Control Requirements for Accountability………………………………………….176
Domain and Local Account Management…………………………………………….176
Name Collision…………………………………………………………………………………176
Identity Retention……………………………………………………………………………………..178
Identity Verification …………………………………………………………………………………..179
Local System Accounts……………………………………………………………………………….180
Shared Accounts ……………………………………………………………………………………….181
Comprehensive Accountability Audit Objectives……………………………………………………182
Current State ……………………………………………………………………………………………182
Audit Requirements for Accountability…………………………………………………………183
Domain and Local Audit Management………………………………………………..183
Complete …………………………………………………………………………………………184
Temporal …………………………………………………………………………………………185
Consistent………………………………………………………………………………………..185
Relevant…………………………………………………………………………………………..185
Understandable…………………………………………………………………………………186
Simple……………………………………………………………………………………………..186
Sequential ………………………………………………………………………………………..186
Correlated………………………………………………………………………………………..187
Tamperproof…………………………………………………………………………………….187
Traceable………………………………………………………………………………………….187
Retained ………………………………………………………………………………………….188
Conclusion……………………………………………………………………………………………………….188
11 SDL and Incident Response…………………………………………………………………………..189
Introduction……………………………………………………………………………………………………..189
Terms Used in This Chapter ……………………………………………………………………….190
Security Development Lifecycle (SDL) Overview……………………………………………190
Security Incident Response Overview …………………………………………………………..191
Tactical Objectives…………………………………………………………………………………….193
Elements of Application Development and Response ………………………………………195
Application ………………………………………………………………………………………………………195
Phase 1—Requirements ……………………………………………………………………………..196
Phase 2—Design ………………………………………………………………………………………197
Threat Modeling ……………………………………………………………………………….197
Phase 3—Development ……………………………………………………………………………..197
Phase 4—Verification ………………………………………………………………………………..197
Phase 5—Release ………………………………………………………………………………………198
Phase 6—Support/Service ………………………………………………………………………….198
(SDL)2—Software as a Service Extensions (SaaS)……………………………………………………198
Security Development Lifecycle Drivers and Benefits ……………………………………..199
Security Development Lifecycle Challenges…………………………………………………. 200
SDL Success Factors and Lessons Learned …………………………………………………… 202
Application Control Objectives………………………………………………………………….. 203
Observation/Recognition ………………………………………………………………….. 203
Passive Detection Control Objectives………………………………………………….. 204
Active Detection Control Objectives…………………………………………………… 204
Transition Objectives ……………………………………………………………………………………….. 209
Common Collection and Dispatch…………………………………………………………….. 209
Transition Drivers and Benefits…………………………………………………………………..210
Transition Challenges ………………………………………………………………………………..211
Transition Success Factors and Lessons Learned …………………………………………….212
Lessons Learned………………………………………………………………………………..212
Transition Control Objectives……………………………………………………………………..212
Rapid Response…………………………………………………………………………………………………214
Incident Response Procedures ……………………………………………………………………..215
Automated Responses………………………………………………………………………………..217
Nonincident-Related Response Procedures (Reporting)…………………………………..218
Reporting as a Response……………………………………………………………………………..218
Rapid Response Drivers and Benefits ……………………………………………………………219
Response Challenges………………………………………………………………………………….221
Response Success Factors and Lessons Learned………………………………………………221
Response Control Objectives…………………………………………………………………….. 223
Conclusion……………………………………………………………………………………………………… 223
12 Keep Your Enemies Closer…………………………………………………………………………….225
Introduction……………………………………………………………………………………………………. 225
Hire a Hacker Objectives ………………………………………………………………………………….. 227
Offensive Objectives ………………………………………………………………………………… 227
How to Use This Tactic for Offense……………………………………………………………. 228
Defensive Objectives ………………………………………………………………………………… 229
How to Use This Tactic for Defense……………………………………………………………. 230
Summary …………………………………………………………………………………………………231
The Hire a Hacker Controversy…………………………………………………………………………..231
Success Factors and Lessons Learned ……………………………………………………………………233
Control Objectives …………………………………………………………………………………………….233
Countering Insider Threats (Malicious Insider)…………………………………………….. 234
Competent Supervision ……………………………………………………………………………..235
Supervisor Attributes ……………………………………………………………………….. 236
Supervisory Attributes ……………………………………………………………………… 238
Employee Screening…………………………………………………………………………..241
Target Retaliation ……………………………………………………………………………………..245
Target Deception ………………………………………………………………………………………247
Malicious Code Implantation ……………………………………………………………. 248
Conclusion……………………………………………………………………………………………………….251
13 Hire a Hessian (Outsourcing)………………………………………………………………………..253
Introduction……………………………………………………………………………………………………..253
Security in the Outsourcing of IT Services…………………………………………………………… 254
Outsourcing Pros—Benefits………………………………………………………………………..255
Outsource Cons—Challenges……………………………………………………………………..255
Success Factors and Lessons Learned…………………………………………………………….256
Outsourcing Control Objectives ………………………………………………………………….257
Security in the Outsourcing of Security Services …………………………………………………….261
Commonly Outsourced Services………………………………………………………………….261
Security Auditing………………………………………………………………………………261
Penetration Testing, Vulnerability Assessment……………………………………… 262
Systems Monitoring …………………………………………………………………………. 262
Incident Support……………………………………………………………………………… 263
System Management/Administration………………………………………………….. 263
Security Officer Services…………………………………………………………………… 263
Outsourcing of Security Services Objectives………………………………………………… 264
Challenges to Outsourcing Security Services…………………………………………………265
Success Factors and Lessons Learned ………………………………………………………….. 266
Outsourcing Security Services Control Objectives………………………………………….267
Maintain the Confidentiality of Results………………………………………………..267
Prevent the Disclosure of Events………………………………………………………… 268
Preserving Evidence …………………………………………………………………………. 269
Avoiding Retention/Discovery Liabilities…………………………………………….. 269
Elevated Privilege and Intellectual Property Loss ……………………………………270
Conclusion……………………………………………………………………………………………………… 272
14 Security Awareness Training …………………………………………………………………………275
Introduction……………………………………………………………………………………………………..275
Staff Development Training………………………………………………………………………………. 277
General Staff Security Training………………………………………………………………….. 277
Security Staff Training……………………………………………………………………………… 278
Security Staff Training Requirements …………………………………………………………. 279
Security Awareness Training ……………………………………………………………………………… 280
Awareness Training Objectives ………………………………………………………………….. 280
Awareness Training Elements…………………………………………………………………….. 282
Awareness Training Drivers and Benefits …………………………………………………………….. 283
Industry Training Trends and Best-Practices Examples………………………………………….. 284
Training Resources…………………………………………………………………………………………… 286
Awareness Training Challenges………………………………………………………………………….. 289
Success Factors and Lessons Learned…………………………………………………………………….291
How Do You Know if Your Training Is Successful? ………………………………………………. 292
Conclusion……………………………………………………………………………………………………….293
References…………………………………………………………………………………………………………..295
Appendix ……………………………………………………………………………………………………………303
Physical Security Checklists ………………………………………………………………………………. 303
Index………………………………………………………………………………………………………………….313
Acknowledgments
The authors wish to thank the following people for their hours of reviews, suggestions, and encouragement throughout the process of putting this book together.
Greg Gwash
Elaine Oksendahl
Dave Komendat
Carl Davis
Tim McQuiggan
Lt. Col. Thomas Stackpole, U.S. Army
Dave Cook
Butch Moody
Verdonn Simmons
Peter Oksendahl
Patrick Hanrion
A special thank you to Jennifer Reed who taught Bill’s science class for six weeks so he could
finish the book, and to Tim Lorenz who graciously gave him the time off.
Introduction
I need you to find a way to keep compliance from putting us out of business!
Ron Markezich
Corporate Vice President, Microsoft Online
Security as a business—what a concept! And to many security professionals it’s a concept that few
have had time to consider or have needed to consider. Compliance changed all that; it pushed
information security into the executive suite where it’s not only a jail sentence but a huge drag on
the bottom line. Combine that with a major economic downturn and one has a lot of incentive to
make security a value proposition. Both of us have watched this requirement develop in corporations and have witnessed security professionals struggle to get a handle on what it means to be a
valued business partner.
We see two recurring themes: first is the lack of good business processes on the security side
and second, a diminished understanding of the value of security on the executive side. It is these
two issues that have inspired us to write Security Strategy: From Requirements to Reality. Our primary goal in writing this book is to teach security leadership and security practitioners how to
select, develop, and deploy a security strategy appropriate to their organization. Our secondary
goal is to support the implementation of strategic planning initiatives, goals, and objectives with
a solid set of security tactics. It is also our hope that executive managers, marketing, and other
business units will use this book to better understand the value security brings to the organization
in the compliance-centric 21st century.
Businesses cannot survive in today’s marketplace without information technology (IT), and
IT cannot survive in today’s computing environments without security. Today’s leading companies are those that have solved the security conundrum and learned to leverage security to promote innovation, grab market share, and enhance brand. When Microsoft was being flogged by
the industry for poor security, Bill Gates created a trustworthy computing initiative that united
the company behind a single strategic goal: “to focus our [Microsoft’s] efforts on building trust
into every one of our products and services.” In less than 10 years Microsoft propelled itself from
whipping boy to market leader through innovation, commitment, and solid strategic planning.
One of Microsoft’s key initiatives was to consolidate security services into a single-customer-facing
entity (the Microsoft Security Response Center). This is a strategy that we see as critical to the
future success of security management. There should be one person to contact, one number to call,
one website to visit, and one operations group to receive and respond to security events. It should
never be the customer’s responsibility to figure out who to call while dealing with a difficult or
emergency situation.
We also believe in building a culture of security. Employees are your first line of defense; none
of them leave their houses in the morning without locking the door, and none of them should leave
their worksites at night without locking their computer and sensitive documents away. If you really
want your employees to be your first line of defense, you need to teach them how, and you must be
readily available, helpful, and responsive when they call. When the quality of Ford products began
to diminish, the company moved Quality Assurance from a business unit to a business culture.
Quality became “job one” for everyone working at the company from Bill Ford’s Quality Council
to the autoworker at the St. Paul assembly plant. This is our view of security; it is job one for every
employee, and it needs to be promoted as such.
The challenges are substantial but not insurmountable. It will require a lot of effort on the part
of the security group to build the strategic planning skills required, and it will take a fair amount
of forbearance on the executive management side as things stumble forward. But the end results
in cost reductions, brand enhancement, and operational efficiency are well worth the effort. Let’s
get started!
Approach
This book presents business strategy for security groups and tactics for implementing that strategy.
It is unique in its approach because it focuses entirely on security strategy planning and execution.
The book is about finding the strategy that works in your organization, building it, and implementing it to see real results. You won’t find any point solutions here, no silver bullets, no magic
formulas. What you will find is a comprehensive look at the structures and tools required to build
a security program that really does enable and enhance business processes in your organization.
The book is based on our experiences in working with large security groups to build and implement strategic plans and tactical solutions, but the book is equally applicable to smaller organizations looking for long-term security solutions.
We have divided the book into two parts. The first part is about business strategy. Although
it is security-centric, executive managers reading this portion of the book will totally understand
it. The second portion of the book is about tactics—the means needed to implement strategy.
Security professionals will completely understand this portion of the book. The real value for
both groups of readers will be reading the portions of the book that are not familiar to them. It is
our hope that in so doing a viable synergy will develop between the two groups—one that allows
security to take its place as a valued partner and contributor to the success of the enterprise.
Much of the security conundrum organizations find themselves in didn’t develop overnight; it
has been a long time in the making. While corporate (facilities) security is a long-standing discipline, information security, especially in the network arena, is a relatively new discipline, one that
has been in an almost nonstop fight against an onslaught of attacks and a continuously changing
landscape. It has taken time to develop the tools, processes, and skills needed to build effective
security solutions. Although much remains to be done, the security industry has finally found
itself in a place where it can begin to be proactive. A major part of that proactive effort is learning
how to become a full-fledged partner in the business.
Security must become part of an organization’s standard business processes and a partner in
the promotion and profitability of the business. For years security professionals have been talking
about how security enables the business; well, now it’s time to step up and prove it. So roll up your
sleeves, bolt on your armor, and get ready for some giant-killing ideas. Welcome to the business
of security.
TAF-K11348-10-0301-C000g.indd xviii
8/18/10 2:48:01 PM
Introduction ◾
xix
SIDEBAR: HOW TO READ A BUSINESS BOOK
1. Decide, before you start, that you’re going to change three things about what you do all day at work. Then,
as you’re reading, find the three things and do it. The goal of the reading, then, isn’t to persuade you to
change, it’s to help you choose what to change.
2. If you’re going to invest a valuable asset (like time), go ahead and make it productive. Use a Post-it or two,
or some index cards or a highlighter. Not to write down stuff so you can forget it later, but to create marching orders. It’s simple: if three weeks go by and you haven’t taken action on what you’ve written down,
you wasted your time.
3. It’s not about you, it’s about the next person. The single best use of a business book is to help someone
else. Sharing what you read, handing the book to a person who needs it…pushing those around you
to get in sync and to take action—that’s the main reason it’s a book, not a video or a seminar. A book
is a souvenir and a container and a motivator and an easily leveraged tool. Hoarding books makes
them worth less, not more.
Seth Godin
Terms Used in This Book
Business unit—To eliminate confusion between the organization as a whole and the business
suborganizations such as departments and divisions, the term business unit has been chosen
to refer to these suborganizations.
Consumer/Customer—The terms consumer and customer are used in a general sense. These
terms include those external entities that purchase products or use services from the organization as a whole, as well as those external or internal entities that use the services of a
business unit within the organization—for example, business units that use security services
and/or products and are subject to security governance.
Core Competencies—Core competencies are the specific strengths of an organization that
provide value in a market space.
Core Values—Core values are the operating principles that guide an organization’s conduct
and relationships.
Corporate security—The terms corporate, physical, and facilities security refer to the group
that manages the security of physical assets such as facilities, equipment, and inventory.
Corporate security is typically responsible for surveillance, building access controls, security
officers, loss prevention, and associated events.
IT security—IT security refers to the group that manages the security of information assets
stored, processed, and transferred on computer-based technologies. IT security is typically
responsible for the confidentiality, integrity, and availability of digital information, compliance with statutory, regulatory, and industry requirements, and business continuity/disaster
recovery planning for IT services.
Organization—This term, used in a generic sense, refers to for-profit and nonprofit businesses
(companies, corporations, and enterprises) and government entities/agencies.
Security—This book takes a holistic approach to security, so the terms security and security
group encompass both corporate and IT security functions.
Security group—To eliminate confusion between the organization as a whole and the security
suborganization, the terms security group or security function have been chosen to refer to the
security suborganization.
Stakeholder—A stakeholder is a party who is or may be affected by an action or actions taken
by an organization, for example, employees, managers, board members, shareholders, customers, contractors, vendors, and partners.
Preface
The CEO looked up from his desk and said, “I’m sure you are all aware of our plans to form a
joint venture with Coral Reef; this is a great opportunity for us but to be honest I have some real
concerns about it. If you will pardon the pun, these guys are some real sharks. If we give them
access to our network, they could steal us blind. I need you guys to tell me what the risks are.”
The CIO looked over his shoulder, “Matt?” With a slight grin, Matt, the CSO, replied, “There’s
no additional risk sir; we’ll set up a SharePoint site for the project and that’s the only thing they’ll
have access to.” The CEO was about to express his delight when the CFO interrupted, “Well that
might be true for remote access, but what about when they’re here on campus?” “It’s not any different,” Matt replied, “Their laptops aren’t part of our domain so they can’t connect to any of our
systems except e-mail, Instant Messenger, Web conferencing, and the project SharePoint.” “But
won’t they look like one of our employees if they have e-mail and IM accounts?” asked the CFO.
Matt replied, “Nope, all external parties have identities that start with F dash and their badges
have a different color so our employees know they are ‘foreigners.’” The CFO continued, “But
they will have access to our offices and workspaces; isn’t that a risk?” “There’s always a risk that
someone might go snooping around, but our identity and building access control systems are tied
together. They will only have access to the buildings they will be working in, and we can track all
other access attempts. We run a weekly report of all F dash building and computer accesses just to
make sure they are behaving. If we suspect they aren’t, we can always review the video surveillance
to see what they were up to,” Matt replied. “But they could still steal stuff!” the CFO exclaimed.
Matt replied, “Yes they could, but not for long! They’d be violating the security policy they agreed
to uphold and that’s reason enough to send them packing.” “Thank you gentlemen, I believe we’re
good to go,” said the CEO as he dismissed the meeting with a smile and a hint of disbelief. Was
his security really that good?
The answer is yes. In three short years, Matt had managed to build a security program that not
only protected the company’s assets but also anticipated the company’s future business requirements and security needs. And he did it with a modest capital investment and no increases in
operational costs. Impossible, you say! Not at all. Matt was able to save a substantial amount of
money by converging the facilities and information security groups into a single team and converting older expensive video and building access controls technologies to IP network-based devices.
He used these savings and the reductions in operating costs to train and cross-train his staff to
improve effectiveness and coverage. He also got capital monies to make improvements to the identity management system and to implement some new control technologies.
Successes like this are rare in the security community, so how did all this come about? Security
strategy. Matt took the time to analyze the company’s vision, goals, and business strategies, and
then he sat down with the key stakeholders to identify existing issues, understand their goals, and
learn what their expectations were for security. Next, Matt (with the help of his team and these
stakeholders) created a three-year Security Strategic Plan aligned with and supporting the overall
business strategy. Finally, he went out and sold that plan, implemented it, and demonstrated security’s value to the business.
Security strategy is the missing gem in many security programs. It’s not a common skill set
among security practitioners and there isn’t a lot of guidance on how to do strategic planning for
security management. It was the authors’ goal to remedy that situation by providing you with a
practical set of tools and guidance to get you started down the planning path (Section I) and to
help you build the processes and controls for implementing that plan (Section II).
There are a large number of strategic planning methodologies; trying to cover them all would
be unrealistic. Fortunately, they all follow a similar pattern so we have addressed those components and compiled an exhaustive set of references you can use to further study the method you
settled on for your company.
It is our sincere hope that this book will contribute to your success and make the practice
of security strategic planning a common discipline in the industry. Welcome to security as a
business!
Bill Stackpole
Eric Oksendahl
Authors
William “Bill” Stackpole, CISSP/ISSAP, CISM, former Principal Security Architect for Microsoft
Online Services, has more than 25 years of IT experience in security and project management.
In his past position, Bill provided thought leadership and guidance for Microsoft’s Secure Online
Services Delivery architecture. Before coming to Microsoft, Bill was a principal consultant for
Predictive System, an international network consultancy where he was the architect and promoted
the application security business. Bill holds a B.S. degree in Management Information Systems
and a CISSP with an Architecture Professional endorsement. He is coauthor of Software Deployment,
Updating, and Patching (Auerbach, 2007) and a contributing editor to Auerbach’s Handbook on
Information Security Management (Krause and Tipton). Bill is a former chair for the CISSP Test
Development Committee and a current member of the (ISC)2 Common Body of Knowledge committees for the CISSP and ISSAP certifications.
Eric Oksendahl, former Security Strategist for Boeing, has more than 25 years of experience as
a business management consultant, senior facilitator, teacher, and program manager. At Boeing,
Eric facilitated strategy development and implementation for the Security and Fire Protection
division, including physical and information security. He designed and coordinated the use of
strategy development and initiative deployment to integrate security practices into key business
processes (e.g., international sales campaigns). Prior to that, Eric was a program manager at the
Boeing Leadership Center where he conducted leadership development courses around the world
that included Boeing management, supplier management, and customer management. Eric holds
a B.A. from Montana State University and an M.A. in Communications from the University of
Washington.
Section I
Strategy
This section of the book is about the selection, creation, and implementation of security strategy.
Strategy is planning in any field: a carefully devised plan of action to achieve a goal, or the art of
developing or carrying out such a plan long term (a year or more). In other words, a strategy is a
plan for what work will be done and by whom.
Strategic planning is a discipline designed to encourage long-term thinking about an organization. Strategy is a creative act that combines both analysis and creative choices in future actions;
it utilizes a structured process to create a formal, integrated enterprise plan. A strategic plan is
NOT a tactical roadmap. However, strategic planning is both strategy development and implementation. Strategy realization requires leadership throughout all phases of the strategic planning
process, which includes performance, monitoring, evaluation, and adjustment.
Although strategic planning tries to anticipate possible future environments in which the
organization will be functioning, it does not attempt to make day-to-day operational decisions.
Without well-executed implementation plans, strategy efforts remain, at best, wishes. Security
managers must still manage and make decisions on a daily basis using good judgment, while
retaining a sense of future direction. Some of these day-to-day decisions will cause a rethinking
of strategic direction. This is normal and does not negate the need for a robust strategic planning
process. There will be multiple planning iterations, and strategic plans may need to be adjusted
to accommodate emergent strategic objectives. The roller-coaster ride of life’s exigencies does not,
however, cancel the need for good strategic planning.
Chapter 1
Strategy: An Introduction
If you can’t describe your strategy in twenty minutes, simply and in plain language,
you haven’t got a plan. “But,” people may say, “I’ve got a complex strategy. It can’t
be reduced to a page.” That’s nonsense. That’s not a complex strategy. It’s a complex
thought about the strategy.
Larry Bossidy
Chairman, Honeywell International
Strategic Planning Essentials
Can you describe your current strategy in a clear, compelling manner in less than 20 minutes?
Behind every compelling description of strategy that a CEO, CFO, CIO, CSO, or any other
corporate executive might present is a strategic planning process. There are several basic elements
and core principles in a strategic plan. The following is a brief overview of the basic elements;
each of these elements and their subelements will be discussed in greater detail in the subsequent
chapters.
1. Preparation to Plan—This element includes allocation of essential resources, coordination
of personnel, and clear RAA (responsibilities, accountability, and authority) for the planning
process. Herein lies the crucial first step of strategic planning requiring discipline, focus,
and a willingness to ask tough questions while organizations prepare to face uncertainties,
consider new possibilities, and decide on fundamental change. First efforts in strategy aren’t
perfect, but one should prepare to plan anyway. This is the first step of many little steps to
follow in planning. You may want to engage an outside facilitator at the very beginning if
you haven’t done much strategic planning as a group.
2. Big Picture Renewal/Creating a Strategic Foundation—Here the cornerstones of any strategic plan are set, vision and mission are clarified, and reviews and analysis are conducted
on data from environmental scans or other sources. Internal and external examinations are
completed as an organization seeks to understand and prioritize influences and opportunities.
Security Strategy: From Requirements to Reality
Here also is where the hard questions you have prepared in planning get asked—questions
such as “Where do we want to play?” “What do we do best?” “What is our business?” “What
are critical success factors?” “How will we communicate our plan and to whom?”
3. Strategies and Actions or Focusing the Plan—This is where the steps for how an organization will reach its vision are created. This may include elements like strategic objectives, goals,
initiatives, actions, and/or critical success factors for getting there. Here is often where strategy
maps or other tools help refine plans, prioritize requirements into specific goals, and link them
to measures and initiatives. The goal of this stage is to map elements of strategy into daily
operations. This is where the operational business plans are linked to overall strategic direction.
This is where business goals, operational objectives, action plans, and performance measures
are linked together. If an organization is not successful here, many groups may not understand
how strategy impacts their organization, and, in fact, they may work at cross purposes. At
this stage, it is imperative to tie together strategic goals, improvement objectives, action plans,
and key performance measures. These will work together to guide an organization during the
implementation of strategic plans. This element, too, is where a security group must relate
overall business strategy to operations strategy and tactical objectives to tactical action plans.
4. Implementation Schedule—Typically, the implementation schedule is prioritized with
specific RAA as the steps for implementation are determined. A schedule is documented
with start, milestone, and completion dates for each major strategy. Strategic actions are
linked to individuals with time frames and budget allocations.
5. Metrics for the Plan—The measures are created that will ensure the organization is headed
in the right direction and determine whether it is successfully implementing the strategic plan. Metrics are integrated into a foundation for the business plan. The business plan
should be linked to key performance metrics and compensation and, finally, integrated into
a balanced scorecard or some other tracking document for regularly scheduled reviews.
Metrics are acknowledged to be an important requirement for success, both strategically
and operationally, but are often ignored. Several levels of good metrics are usually required
for effective strategic planning. The top-level metrics that executive leadership consider are
the roll-up enterprise dashboard or balanced scorecard metrics that usually entail key compliance and risk indicators, as well as key performance indicators such as return on investment (ROI), resource management, value delivery, and response times. As strategic plans
move into initiatives, goals, specific objectives, and the like, obviously the metrics grow more
specific and detailed to the organization and objectives as objectives become organizational
tactics. Typically, security metrics are fashioned from two main sources, strategic initiatives
and external standards required by audit results. Often, as a security group moves from a
reactive posture to more of a planned posture, metrics from external standards will become
a subset of strategic security metrics. Security metrics will become defined by strategic goals
and not just audit results. (Eric watched a security group get hammered by audit results for
two years. It was a lot better when the group came up with a successful strategic plan!)
Metrics that actually move a strategic initiative forward are not easily defined.
Take, for example, the discussion on cloud-based security metrics in a recent article in CSO
magazine, “Clear Metrics for Cloud Security? Yes, Seriously,” by Ariel Silverstone, CISSP.
In her article she discusses the difficulty of developing metrics for the storage availability
and integrity of Cloud utilization-type initiatives. Her conclusion is that only time will tell
whether data from/in the Cloud will be deemed trustworthy by such metrics.
Typically, as processes improve and organizations learn from each round of planning,
metrics will become more specific, useful, and relative as success indicators. Metrics are a
difficult issue to manage in the strategic planning process. These difficulties include linking
strategic objectives with the key metrics and establishing the feedback loops required to effectively monitor the progress (success or failure of those objectives). ISACA (the Information
Systems Audit and Control Association) recommends performance measurement monitoring and
reporting on information security processes to ensure strategic objectives are achieved.
The performance metrics that ISACA recommends for IT security typically concern measures like number of incidents, number of systems where security requirements are not met,
response times, violations, types of malicious codes, security incidents, unauthorized IP
addresses, port and traffic types denied, access rights authorized, revoked, reset, or changed,
and so on. You will find a number of examples of these types of metrics in the chapters of
this book on tactics.
Captured metrics should also include the less quantifiable, but equally important, people
aspects of security such as badging, social engineering, and workplace violence. IT metrics
must also capture the harder-to-capture people aspects of computing such as sabotage, data
theft, and misuse of computing resources. These statistics can be much harder to gather,
quantify, and assess, but they are key issues IT security must face. This is made even more
difficult in organizations where corporate and IT security are managed by different stovepiped functions in the organization and data are not rolled up into a common knowledge
base. Good performance metric determination, monitoring, and assessment help inform
and lay the foundation for the next cycle of strategic planning.
6. Communication Plan Enacted—A communication plan is put into effect, including clear
communication strategies and dissemination plans for each predetermined target audience.
Key messages, executive summary, and strategy documents are created, and the implementation plan is scheduled, with clear benchmarks established for evaluating success. Tactical
objectives are employed throughout the organization and measured for success.
7. Completion—Results of the strategic planning cycle implementation are analyzed, and the
lessons learned are incorporated into following planning cycles. Here is where unanticipated
consequences, as well as unrealized and emergent strategies, should be reviewed, and key
performance indicators and metrics refined. Often, while one strategic planning cycle is in
completion, another planning cycle is being implemented, and perhaps plans are made for a
following one.
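The operational metrics listed under stage 5 (denied ports and traffic types, unauthorized IP addresses, access rights granted, revoked, reset or changed, incident counts and response times) are only useful to a strategic plan once they roll up into the handful of scorecard numbers an executive dashboard carries. The Python below is an added illustration of that roll-up, not code from this book or from ISACA: it parses constructed firewall, identity-audit and incident-ticket lines (the line formats and field names are assumed for the example) and flattens them into dashboard figures. The "F-" prefix for external identities is borrowed from the Preface anecdote.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events for this example; the line formats are assumed
# and not taken from any real product. Timestamps are ISO 8601 in UTC.
FIREWALL_LOG = """\
2010-08-01T10:00:01Z fw01 DENY proto=tcp src=203.0.113.7 dst=10.0.0.5 dport=23
2010-08-01T10:00:05Z fw01 DENY proto=tcp src=203.0.113.7 dst=10.0.0.5 dport=22
2010-08-01T10:01:10Z fw01 ALLOW proto=tcp src=198.51.100.9 dst=10.0.0.8 dport=443
2010-08-01T10:02:00Z fw01 DENY proto=udp src=203.0.113.44 dst=10.0.0.5 dport=161
2010-08-01T10:03:30Z fw01 DENY proto=tcp src=203.0.113.7 dst=10.0.0.6 dport=23
"""

IAM_AUDIT_LOG = """\
2010-08-01T09:10:00Z iam GRANT user=F-jsmith role=sharepoint-project actor=admin1
2010-08-01T09:12:00Z iam RESET user=bjones actor=helpdesk2
2010-08-01T11:00:00Z iam REVOKE user=F-kdoe role=email actor=admin1
2010-08-01T11:05:00Z iam CHANGE user=bjones role=finance-ro actor=admin3
"""

INCIDENT_LOG = """\
INC-101 opened=2010-08-01T08:00:00Z closed=2010-08-01T10:30:00Z type=malware
INC-102 opened=2010-08-01T12:00:00Z closed=2010-08-01T12:45:00Z type=phishing
INC-103 opened=2010-08-02T09:00:00Z closed= type=malware
"""

KV = re.compile(r"(\w+)=(\S*)")  # key=value pairs; an empty value is allowed


def _fields(line):
    """Parse the key=value pairs on one log line into a dict."""
    return dict(KV.findall(line))


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def firewall_metrics(text):
    """Denied traffic by protocol/port and the source addresses that were refused."""
    by_port, by_proto, sources, denied = Counter(), Counter(), set(), 0
    for line in text.splitlines():
        if line.split()[2] != "DENY":
            continue
        f = _fields(line)
        denied += 1
        by_port[f"{f['proto']}/{f['dport']}"] += 1
        by_proto[f["proto"]] += 1
        sources.add(f["src"])
    return {"denied_total": denied, "denied_by_port": by_port,
            "denied_by_proto": by_proto, "unauthorized_sources": sorted(sources)}


def access_metrics(text):
    """Access rights granted/revoked/reset/changed; external (F-) identities counted separately."""
    actions, external = Counter(), 0
    for line in text.splitlines():
        actions[line.split()[2]] += 1
        if _fields(line)["user"].startswith("F-"):
            external += 1
    return {"access_changes": actions, "external_identity_changes": external}


def incident_metrics(text):
    """Incident counts by type, open/closed split, and mean minutes to close."""
    by_type, closed_minutes, open_count = Counter(), [], 0
    for line in text.splitlines():
        f = _fields(line)
        by_type[f["type"]] += 1
        if f["closed"]:  # empty value means the ticket is still open
            closed_minutes.append((_ts(f["closed"]) - _ts(f["opened"])).total_seconds() / 60)
        else:
            open_count += 1
    mttr = sum(closed_minutes) / len(closed_minutes) if closed_minutes else None
    return {"incidents_open": open_count, "incidents_closed": len(closed_minutes),
            "incidents_by_type": by_type, "mean_minutes_to_close": mttr}


def scorecard(fw=FIREWALL_LOG, iam=IAM_AUDIT_LOG, inc=INCIDENT_LOG):
    """Flatten the operational metrics into the few numbers a dashboard would carry."""
    f, a, i = firewall_metrics(fw), access_metrics(iam), incident_metrics(inc)
    return {
        "denied_connections": f["denied_total"],
        "distinct_unauthorized_sources": len(f["unauthorized_sources"]),
        "top_denied_port": f["denied_by_port"].most_common(1)[0][0],
        "access_rights_changed": sum(a["access_changes"].values()),
        "external_identity_changes": a["external_identity_changes"],
        "incidents_open": i["incidents_open"],
        "mean_minutes_to_close": i["mean_minutes_to_close"],
    }


if __name__ == "__main__":
    for key, value in scorecard().items():
        print(f"{key}: {value}")
```

The split between the three lower-level functions and `scorecard` mirrors the point made above: the detailed counters stay with the operations teams, while the scorecard keeps only the figures that can be tied to a strategic objective (for example, a target for mean time to close, or a trend in changes to external identities) and reviewed on a fixed schedule.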
Strategic Planning Process Evaluation
EXERCISE 1.1
If you are reading this book, it is likely that you are already part of a security group. To help you better understand where strategic planning fits into the security management process, we have devised
this short self-assessment quiz. Before you continue reading, take a few moments to reflect on your
current organizational status quo by answering the following questions:
1. Where is your security group spending the majority of its time right now, working to create
change or reacting to change?
2. In the past year have you spent more time chasing situations or implementing your strategic
goals and objectives in a systematic manner?
3. Is security viewed as a separate functional business unit or as a partner who contributes to the
success of the overall strategic plan for your organization?
4. Do other parts of your organization consider you to be an enabler of organizational business
strategies or a roadblock?
5. Do you have plans in place for possible changes in the marketplace so that you will be able
to quickly course-correct?
6. Can your security leadership articulate a clear business purpose and function that the leadership of your organization understands and accepts?
7. What opportunities does the security group have now that it didn’t have a year ago?
8. What problems or unintended consequences has your security group created for itself?
9. Are your corporate and IT security functions integrated around your organization’s business
needs or functioning as related organizational stovepipes?
10. How’s your security group skill set depth (bench-strength) in strategic planning and
implementation?
11. Is your security group better prepared to do analysis, planning, and implementation of your
strategic plan than it was last year?
12. Are you quicker at all three functions?
13. What information and knowledge did you uncover last year that you didn’t know you needed
to know?
14. How good have you been at implementing your strategic plan this year? By what measures?
15. Are your metrics for implementation of your strategic plan better than they were the year before?
16. Are your metrics clearly linked to strategic goals?
17. Is your security group in regular conversation with the other functions of the organization to
improve relationships and better understand business objectives?
Answering these questions may help you focus in on the concepts in this book that will be most
useful in your security group. As you answered these questions, a number of organizational challenges undoubtedly came to mind. Here is a partial list of ongoing challenges for security groups:
◾ Economic uncertainties and limited security funding
◾ Stricter statutory and regulatory compliance requirements
◾ Increased audits and audit requirements
◾ Outsourcing and cloud-based service risks
◾ A growing number of application breaches
◾ A need for better tracking of incident responsiveness and resolution
◾ Increased needs for third-party risk assessments and penetration testing
◾ Stricter privacy requirements in every aspect of business (including increasingly complex customer relations management systems that now reach throughout an extended enterprise)
If that isn’t enough pressure, at the same time strategic planning cycles need to be shorter in
order to be responsive in much of organizational life. Cycles are shifting from years to months,
months to weeks, weeks to days, and days to hours. Shorter cycle times for strategic thinking create a demand for leadership that understands not only the basics of strategic planning, but also the
art of working within the organizational culture.
Now is the time to be preparing your organization’s strategic plan and response or to adjust
the plan you already have in place. Security is a function that requires good strategic leadership
capable of setting strategy, communicating vision, and leading passionately. With strong strategic
planning and execution skills, security will more likely be seen as a key enabler of business.
Security Leadership Challenges
Today, security leadership has to face new challenges every day in an environment that seems to
present increasing unpredictability in economics, technology, and global threat trends. Absorbing
new information that is produced at ever-increasing speeds, while coordinating the protection of
people, property, and information on a day-to-day basis, is at the very least challenging, at the
worst overwhelming. How enterprise leaders learn to cope, adapt, and process information is
helped to some degree by new software and technology applications, but even that produces more
data that have to be understood and acted upon.
Today’s business environment demands security executives with keen business savvy, solid risk
management fundamentals, and a whole systems understanding of the organization within which
they focus. The current business reality is that security groups must balance the security needs of
an extended enterprise that includes all elements in a value stream they support (from customer
requirements to company processes and supplier inputs), while also meeting the requirements of
an ever-increasing number of governance and regulatory agencies.
The role of security governance, ever-increasing compliance requirements, and the demands
of effective integration of sound security practices into business processes and risk management
efforts, requires strong leadership and the ability to communicate well beyond traditional business
stovepipes. A holistic security management approach is required to create a comprehensive security
strategy that aligns security goals with corporate/organizational goals. In addition, it is imperative
for organizations that want to resolve ongoing security issues to engage multiple stakeholders in
an effort to create a security-conscious culture.
The business case for enterprise security architecture has already been well made. Organizations
need to develop and implement a security strategy that is integrated with the enterprise strategic
plan. Good security strategy requires:
◾ Having the time and perseverance to plan
◾ Continual alignment of the plan with emerging business requirements
◾ An ability to design and implement an architecture supporting the plan (along with processes
and policies required to implement and enforce the plan)
◾ Reporting and measurement methodology to track the plan
◾ Specific metric indicators of the plan’s success or failure
Despite their importance, these key elements remain hard won and elusive for many organizations. Strategic planning is becoming increasingly important in a hypervelocity world. Thinking,
planning, and moving quickly while controlling risk are essential skills. Today’s security leadership must be able to continuously demonstrate the business acumen needed to move from concept
to endgame for new business initiatives.
Getting Started
Strategic planning is essentially a process of gathering and analyzing information and envisioning
ways to act on that information to better the business. It begins by understanding where the
security group is—how it functions—within your organization. The fundamental question concerning security that must be asked is as follows: “Is security simply a servant of a corporate, organizational, or business strategy, or does it serve a greater purpose?”
In many organizations, people inside and outside of security would answer this question with
a resounding “Yes, it is simply a servant!” Their primary rationale: “Security is a service provider
within the organization, and services are not a source of strategic guidance for an organization.”
That being said, there are certainly many people inside security groups who are not only willing
but more than capable of providing organizational strategic input, even if they are not a formal
part of the organizational strategic process.
EXERCISE 1.2
If you haven’t already read every organizational strategic plan you can get your hands on, get started
now! If you are going to build a successful security strategy, you need to get a sense of the big picture
in which your organization functions.
Value Proposition
From a systemic perspective, a secure workforce, secure facilities, and well-protected information
resources are actually part of the organizational brand, both product and service. The security of products and services is now part of the organization’s promise to the marketplace, enterprise stakeholders, and shareholders. It is imperative that organizations deliver on that promise, or they will soon
become irrelevant. Organizational strategic planning can readily benefit from the security practitioner’s viewpoint. Whether security is part of the organizational brand or has developed its own brand,
it must be part and partner in the organization’s strategic discussions. Brand is critical to security
because the process of building a brand helps to convey important fundamentals that link security
explicitly to the intent and promise an organization makes to its internal and external customers.
In the authors’ experience, often other organizational functions view security as a roadblock
to efficient business practices. However, leaving the security group out of the strategic planning
process can result in a number of unintended consequences. One example of these unintended
consequences is, perhaps, the decision to outsource back-office types of transactions to sourced
companies in another country without including security in a strategic conversation. While economically that may be the right strategy, several important elements may be overlooked such as
creating vulnerabilities to Personally Identifiable Information (PII) data or providing industrial
espionage opportunities for data mining. Including security in the original planning may yield easier
and less costly solutions than managing these risks after the fact.
Conversely, if security wants a place at the strategic planning table, it will need to examine the
strengths of its own leadership and answer these two fundamental questions:
1. “How can security help the organization achieve strategic goals?” In other words, “What
will it take from security to enable the business/organization to get where it wants to go?”
2. “How can the security strategic plan be a living document updated periodically to reflect
changes in organizational priorities based on industry trends, marketplace, or emerging
technologies?”
The advantages of including security in organizational strategic planning and the Enterprise
Risk Management (ERM) components of strategic planning are:
◾ Better understanding of potential risks in any strategic direction
◾ More accurate planning for budget allocations to manage those risks
◾ Quicker movement in strategic objectives for security integration into product, infrastructure, desktop, and business continuity processes
Other Challenges for Security and Strategic Planning
Another crucial issue for the security group in any organization is: “How is the strategic plan (or
portions of an organizational strategic plan) to be developed, updated, and what groups will participate?” After the strategic plan is drafted, the fundamental questions of how to communicate,
integrate, align, and update the strategic plan come into play. The bottom line for any security
strategic plan is that other parts of the organization must understand it, or it will be difficult to
achieve effective results protecting the organization’s assets (people, material, and information)
at an acceptable cost.
While a business/organization strategy is aimed at organizational vision, purpose, mission,
strategies, execution, and measurement of success, an IT security strategy often focuses mainly
on information security architecture. It is shaped by the organizational goals, environment,
and technical capabilities the business requires in order to achieve its vision. Corporate (physical/
facilities) security strategy focuses on policies and procedures for loss prevention and the protection of people and property. Corporate security is also guided by organizational goals, environment, and technology advances.
Often, issues arise in this natural tension between the organizational business philosophy
(and business architecture) and the more pragmatic aspects of IT architecture. Ralph Whittle
and Conrad Myric, in a white paper titled “Enterprise Business Architecture: The Formal Link
between Strategy and Results,” outline the formal link between architecture and strategy. In their
words, “These bold new enterprises are not building some static, rigid new architecture, with a
moat around the castle. Quite the opposite, they are building fluid, dynamic, integrated architectures capable of evolving with and supporting the corporate strategy. A fundamental requirement
of the integrated architecture is that it must have the capability to evolve, change, and adapt in a
predictive way.” The problem for IT architecture achieving this goal, as Whittle and Myric define
it, is that when it comes to organizational strategic planning and IT strategic planning, most IT
architecture has not been funded or developed to the needed levels. This results in tensions for IT
architecture including, but not limited to:
1. Unclear understanding of business/organizational requirements
2. Inflexible architecture that is unable to respond to environmental challenges
3. Piecemeal local approaches to architecture and security practices rather than integrated
efforts, including lack of corporate and IT security integration
4. Unclear linkage to organizational strategy and metrics for successful implementation, scalability, and usability of security services
5. Piecemeal tactical efforts rather than a systemic architectural approach
6. Unmanaged costs or insufficient funding
7. Ineffective risk management efforts
8. IT security that hobbles the business
Fixing the problems that arise from these tensions is not an effort for the faint of heart. One
of the requirements of security leadership is a well-constructed security strategy that aligns the
strategy, vision, and objectives of the enterprise and answers these questions:
◾ What is the business reason for doing this?
◾ What are we trying to achieve?
◾ How do we enable and support the enterprise achieving its strategic objectives?
Explicit answers to these questions help everyone in the organization, including those involved in
security architecture, to make reasoned decisions for their pieces of the strategic puzzle. Without
clear answers to these questions, it is difficult to acquire the upper management support needed to
advance security strategy. Without explicit upper management support, security efforts are seldom
successful. Gaining this support for strategic efforts is not only a critical success factor, but is often
one of the most difficult things a security leader will do.
When Strategic Planning Should Be Conducted
Strategic planning should be part of organizational planning in the following situations:
◾ When an organization is newly formed.
◾ When reenvisioning is required.
◾ Before and during mergers or acquisitions.
◾ In preparation for a new venture, product(s), or service(s).
◾ When exogenous or outside shocks to your organizational environment require adaptation or refinement of a potential strategic scenario. (Scenario planning creates more than one option for an organization to pursue based on future impacts and may require more exploration when an unexpected event drastically changes the environment.)
At the very least, strategic planning should be conducted on an annual basis to fit within your organization’s business planning cycle, before monies are allocated for a given year in order to fund organizational requirements for accomplishing strategic goals and objectives. Throughout the year there
should be organizational reviews of the strategic planning inputs, adjustments, updated action
plans, and metrics. Strategic planning should be a planned part of organizational life throughout
the calendar year, not as a “once-a-year, put-a-plan-in-a-binder and put-it-on-a-shelf until next
year” activity. Security leadership should formally conduct a quarterly review.
Regardless of when your organization is engaged in strategic planning, paying attention to the
language that is used in strategic planning can often help planners understand the organization
and by utilizing new language, transform the organization.
Metaphor Analysis and Strategic Planning
Metaphors reveal how organizations think of themselves and are a window into organizational
culture, attitudes, and beliefs. Metaphors can also be an important tool in transforming organizations and will often appear in the communication strategies for strategic change. A whole literature has evolved around analyzing organizational culture by the metaphors found in the everyday
conversation on how organizations conduct business; an example is Donald Schon’s concept of a
generative metaphor. A generative metaphor is an “implicit metaphor that can cast a kind of spell
on a community.” In an implicit metaphor, the full subject is not explained, but is implied from
the context of the sentence. Much of our daily communication in organizational life contains
implicit metaphoric language. A branch of this literature assumes that one’s approach to strategy
is best caught by the metaphors employed in strategic planning sessions.
David Sibbit, president and founder of Grove Consultants International, has worked on strategic
planning with organizations for many years by utilizing “story maps” that he and his consultants generate from the conversations held among strategic planning groups. Sibbit, in an article titled “Strategizing
with Visual Metaphors,” made the following observations about the power of metaphors:
I serendipitously picked up a 2005 article I’d clipped from the Harvard Business Review
called “How Strategists Really Think: Tapping the Power of Analogy.” (It’s available
for $6.50 through the HBR website.)
Gavetti and Rivkin argue that there is a middle ground between formal, deductive analysis, which works well in information-rich, more mature industries, and trial
and error, almost a necessity in very dynamic, untested emergent industries. “Many,
perhaps, most strategic problems are neither so novel and complex that they require
trial and error nor so familiar and modular that they permit deduction. Much of the
time, managers have only enough cues to see a resemblance to a past experience. They
can see how an industry they’re thinking about entering looks like one they already
understand, for example. It is in this large middle ground that analogical reasoning
has its greatest power.”
The frame of “strategy by analogy” is different from “visual thinking.” These labels
are metaphors that provide a framing context that directly affects what a viewer or listener
pays attention to. And within the visual work the choices of what to illustrate, and most
critically, the organizing graphic metaphor and its emphasis, open and close opportunities for engagement, discussion and interpretation.
Over the years we have heard many such metaphors, similes, and strategy analogies in our
work with strategy groups, consultants, and educators. Metaphors can help employees look at
old issues with a new lens or become a compelling new image of how an organization sees itself.
During our careers, we have heard the following metaphors for strategy:
◾ A battle (and other military metaphors)
◾ A revolution
◾ A chess match
◾ Sailing a ship
◾ Sports strategy
◾ A game metaphor
◾ The solving of a puzzle
◾ A city-state, kingdom, domain, or enclave
◾ An organic system
◾ Conducting a symphony
◾ Part of the value chain or system
◾ Sailing a blue ocean, red ocean, purple ocean
◾ BBQ sauce
◾ Pizza
Organizations themselves can also be described by metaphors such as running a tight ship,
part of a family, a dynasty, or parts of the body (e.g., IT is described as the nervous system, management as the brain, etc.). Learning to examine anything through a variety of metaphors often
helps bring new insight and clarity to participants. A strong use of metaphor can galvanize quick
understanding and provide different mental models with which to examine a topic.
Security strategy lends itself particularly well to these metaphors, and we use several in our
own approaches. Bill Stackpole will frame the tactics chapters of this book in the metaphors of
military tactics and enclaves (a distinct political geography, territorial culture, or social unit) and
will discuss the principles behind his use of them. Eric’s own favorite metaphor for conducting
strategy sessions remains a “strategy jam” (see Figure 1.1). In fact, a musical jam can get cooking as well when ideas are being generated and integrated. A consulting colleague at Boeing,
Andrew Moskowitz, and Eric conducted several “strategy jam” sessions for a newly formed group
of support organizations. “Strategy jam” as a metaphor became very useful for conducting strategic planning for several reasons. Let’s now examine three of the relevant principles behind the
metaphor “strategy jam.”
Figure 1.1 Strategy jam.
Need for Responsiveness—In today’s environment, older methodologies for conducting
strategy sessions are top heavy, have long lead times, and usually exclude inputs from the
people who have the information and creativity needed for successful strategic planning.
Consequently, these approaches may have little buy-in from employees and usually just end
up as pieces of inert information bound in glossy folders or stored in a database somewhere.
Employees have little knowledge of what’s in the strategic plans and even less interest. Next
year when the next round of planning begins, someone will blow the dust off the old plans,
and the process will repeat itself.
Need for Collaboration—Our industries and organizations have been permanently
impacted by Total Quality Management and Productivity-LEAN systems, Process
Management rollouts, and Enterprise Risk Management integration, and we are currently
trying to understand and assess the impact of Security Convergence on our industry. Never
has there been a greater need to engage every ounce of creativity available in our organizations. And yet, for too many organizations, strategic planning remains the province of executives or senior management. The problem is one of participation. When you try to tell or sell
an organizational plan to employees who have had no opportunity to provide their thoughts
and ideas, you get little buy-in, commitment, follow-through, or impact. A strategy jam, on the
other hand, is an ongoing strategic conversation that is flexible, collaborative, and focused.
“Life is like a band. We need not all play the same part, but we MUST all play in harmony.” (Unknown author)
Need for Adaptive Skills—Creativity and intuition are the main focus when people and
organizations need to adapt their organizational tactics to a “Big Picture Vision” and/or
changing business model. Adapting and changing directions with continuous adjustments
while executing are important aspects of jamming. This type of strategic jam session most
often occurs in business in new product creation, new divisions, and start-ups. But even in
more traditional strategic planning, there is still an ongoing requirement for these skills in
a more orchestrated context. Ned Herrmann, author
of The Creative Brain, puts it this way: “In the corporation of the future, new leaders will not
be masters, but maestros. The leadership task will be to anticipate the signs of coming change, to inspire creativity.” Lou Gerstner,
former chairman of IBM, also referred to the need to be adaptive in strategic planning when
he stated, “You have to be fast on your feet and adaptive or else a strategy is useless.”
It is in that spirit that we approach strategic thinking. Every brain in an organization is part
of the solution; yet, when asked, most managers estimate they were only tapping 20% of available creativity. (In some organizations that might be a little optimistic.) In a strategy jam session,
each instrument has an input. Participants, like musicians in a musical jam session (blues, jazz,
orchestra etc.), need to know the basics of strategic planning (i.e., the notes, chording, and frets of
music), and, at the same time, they must be able to listen to the other musicians, pick up on what
they are playing, and blend into a new creation, while responding to the audience (customers/
stakeholders). So it is in a strategy jam: The players come with an understanding of the basic structures and components of strategic planning, listen to the other players, and create a new direction
for the organization. Our goal for this book is to provide you with the scales and notes of strategic
planning. The artistry and creativity with which those components are applied depend on you and
on your approach to the art of strategy formation and execution and the requirements that match
the organization in which you work. Whether your strategy jam is in the form of jazz, blues,…