The term “strategy” is derived indirectly from the Classical and Byzantine (330 A.D.) Greek “strategos,” which means “general.” While the term is credited to the Greeks, no Greek ever used the word. The Greek equivalent for the modern word “strategy” would have been “strategike episteme” (general’s knowledge) or “strategon sophia” (general’s wisdom). One of the most famous Latin works in the area of military strategy was written by Frontinus and has the Greek title Strategemata. Strategemata is a compilation of strategema, or “stratagems,” which are literally “tricks of war.” The Roman historians also introduced the term “strategia” to refer to territories under the control of a strategus, a military commander in ancient Athens and a member of the Council of War. www[.]strategyskills[.]com
This article is about that mysterious thing called strategy, or more specifically security strategy.
I think a fair place to start is to set the scene for what the word “strategy” means. The word is, in my opinion, somewhat butchered. It is thrown around for high and low stuff, for small and big things, for this and that.
And it is quite common to witness that within a group of people, there are many different opinions on what a strategy is.
The definition of strategy, in this article and the related ones, will be:
“A long term plan that is setting the direction for creating value.”
Textbooks and theories will, to some extent, correlate with the description above. And I do not, in any way, say that the theories or textbooks are wrong. This is not the intention of this article. I am not trying to point the middle finger at someone or something.
My goal with this article is to inspire and help you as a reader to apply some of the information, ideas, and thoughts that I provide you with to create a security strategy for your own organization.
What I will share in this article, and in the related ones on the subject (i.e. security strategy), are the philosophies behind the knowledge and experience that I have put into practice.
If you are looking for a “how to” manual, you may stop reading now. If you are interested in learning more about how to think about security strategy and the “Why” behind it, I encourage you to continue reading. If you truly understand the “Why”, the rest (How, What, When, etcetera) will pan out pretty easily.
The content around the subject is created from a holistic point of view and very much about “Why” you and your organization should develop and establish a security strategy.
So, to make things easy to understand, I will break down what a security strategy is into three explanations:
- Long term plan
- Direction
- Creating value
Each bullet will be discussed in a separate article. Yes, this will be a series of articles. But in this article I will talk about Security strategy: What it is and Why your organization should have one.
SECURITY STRATEGY
Why is it even needed? And is there even a need for a separate strategy from the business strategy? Why should an organization develop separate strategies from its core business?
I have been asked these questions, and have discussed them, several times, and I still am from time to time. They make total sense to ask and contemplate. I think they are critical questions to be asked before the actual exercise of developing a security strategy begins. Why? Let me explain.
From my perspective, if a security strategy is developed correctly it will align with the business strategy. A security strategy is not and shall not be something developed and driven in isolation from the rest of the business. It is not something that lives its own life. It, i.e. the security strategy, does not operate in a vacuum. This is the answer to our first question, and this is what the discussion should focus on. But now, as a result of our first question, this may lead to a second one –> “Ok Henrik, but why is that?”.
The reason is, as you might also have read between the lines above:
Security within an organization is a supporting function.
Like a security strategy, security on its own does not and shall not float around in an organization as a flamboyant and prominent bunch of molecules with the mentality “I am here to do you a favor”. If security, or any sort of strategy for that matter, becomes this kind of thing –> That is a failure.
Security within an organization, in general, does not have a self-existence. It does not sit there in an organization to look cool. It sits there to make the organization look cool = become successful.
For this reason, I think a very good starting point for a security leader and the team ( = organizational stakeholders and security subject matter experts) around him/her is to begin by forming a purpose. That “Why”, also known as a mission statement, will and should be a centerpiece for the team. The objective is to find a common answer to the question: What is our purpose as a team?

Here and there, I have helped organizations to develop vision statements as well for their security strategy. But I think for the most part, a mission statement is enough for a security strategy. And for me, the mission statement should be formed around the purpose of why security exists within an organization. As said just a few sentences ago: It is there to support the organization to become successful.
Creating a mission statement is not something complex or advanced. It is, for the most part, a straightforward procedure:
1. Get the team around you together.
2. Create inclusiveness.
3. As a security leader, help your team understand the higher purpose of why you are important for your organization.
4. Ask and discuss questions such as (but not limited to): What purpose do you together serve? How do you make your organization successful? And what does success mean for the organization?
As you see, these are simple questions, but that does not equate to simple answers. The exercise is not that hard. But just because a question is simple does not mean everyone in your team will be on the same page. Some people in the team might be of a different opinion or have other perspectives on the role security plays in your organization. And if that is the case, *drum roll*, this is fine. Part of this exercise is to discuss these kinds of discrepancies and to talk them through.

Just because you or someone else within your team is of a different opinion does not mean it is wrong. Listen to each other and learn from each other. Most likely, this exercise will require more than one workshop. And once the message of that mission statement has been agreed on, it needs to be put into action. This is where the magic starts to happen, and this is also where the actual job with the mission statement starts.
This, putting the cool words from the PowerPoint into action, is one of those things I have found can become a challenge, but it does not need to be. What I can assure you is that having created a mission statement is not enough; it is not enough to just have the words written down in that security strategy document.
My experience has taught me that there is no one-size-fits-all solution, but there are better and less good principles to follow when challenges start to appear on the radar. For example, when the team cannot agree on their common higher purpose.
A good starting point, for you as a security leader, for trying to figure out why this is happening is to spend some time trying to understand the culture of the organization and the team. I would say that this exercise is very underrated and rarely something that strategy people spend time on.
But I can promise you this:
It is much easier to change a security strategy and/or a mission statement to fit a team or organization than to change the culture of a team or organization to fit a security strategy or mission statement.
So, what happens after the mission statement has been planted and executed? As said, now the actual job with your security strategy starts, and do not forget that the work is an iterative process.
If circumstances change, or new data, information, risks, threats, etcetera appear that impact your organization, this should be reflected in your strategy. As you understand, I am not one of those management or strategy dudes who think a security strategy is written in stone and cannot be changed along the road. I am a pragmatic dude and think that applying such a mindset to a security strategy is key. I will write more in another article about what I mean by applying a pragmatic mindset to strategy.
An example for how to refine your security strategy, in the next iterative round, would be to expand the stakeholder involvement. Invite an even wider audience of business leaders, partners, and customers to the discussions and development phase. Let them tell their story. Let them give you feedback on the current security strategy. Ask questions with the intention to learn about how you can help them in their jobs and what security means for them. Try to see what forms of pain points, opportunities, risks, threats, and so forth they have on their agenda.
The idea I am trying to exemplify is to broaden the audience involved in the security strategy development. When a security strategy is developed, business stakeholders should be included from day one. But those who were part of the first round do not, according to my beliefs, need to be the same people over and over again. Bringing in new people who contribute new perspectives is one of the easiest and most effective ways to improve a strategy. It also creates wider and deeper inclusiveness within the organization. Find the right stakeholders and do not only focus on the “key” people. New perspectives = Instant improvements.
EPILOGUE
This is why you, as a security practitioner, leader, <insert title>, are there for your organization: to help and support others. And asking questions is one of the most, if not the most, powerful tools a security leader can use to better understand how he/she can help the organization become successful.
Security within an organization is a supporting function.
For your information
If you found this article interesting, read the next one in this series:
Henrik Parkkinen