SECURITY STRATEGY – LONG TERM PLAN


Security favors preparedness and planning.

-Henrik Parkkinen


“The plan looks challenging Henrik!”
“Yes! If it does not challenge us, it will not make us grow as a team.”
“Point taken!”


Goals and a strategic plan should be a bit challenging, at least that is how I see it. I am a firm believer that challenges make us grow, both as individuals and as teams. It is a cliché, but the place called “challenging” is certainly one of the places where development happens.

A team practicing the same things over and over and competing against the same opponent, again and again, will certainly develop less compared to another team doing the opposite.

Going to the gym and lifting the same weights over and over will not challenge you or make your muscles grow.

The challenges that are part of the long term plan in a strategy should not be out of proportion or detached from reality. They must be kept relevant and reachable with the available resources.

Adding a little stretch on top of the challenges is usually a good thing. Extrapolate the goal a little, but not to oblivion. Throwing out a random 30X multiplier for a goal is not a stretch; it is something else. Think through how much you stretch and why. Make it realistic but challenging.

LONG TERM PLAN

A strategy without an execution plan is, as I see it, not a strategy. To realize the value of a security strategy, there needs to be a plan in place for execution. This is sometimes also referred to as a “road-map”.

Whatever it is named, we as security leaders need to create it and be able to show how the value of a security strategy will be realized for our organization: how the things from that cool PowerPoint will be translated into value for our organization. I will speak about value in a separate article.

Value from security is not something that is, or can be, created overnight. Sure, processes can be established. Technological controls can be implemented. Security awareness can be conducted. But doing all these things as a one-shot effort is not what creates long-lasting value.

The word “plan” implies a measurement of time. I would say that a strategy is equivalent to a plan that spans a longer period of time, which is why we find “long term” in the definition. If you want to read more about what a security strategy is, check out this article:

Let us say that “long term” equals, for example, 36 months. No, this number is not carved in stone. Time periods of 12-24 months are in general more relevant to operational and tactical plans. But, as I said, the time periods are not set in stone; they usually vary between organizations.

At some places where I have conducted assignments, the time period of a security strategy has been 18-24 months. And it makes sense. If the organization is smaller, for example a start-up, it makes total sense to create a security strategy for a shorter period of time.

As time goes on and maturity grows, the time periods can, and in most organizations will, be extended. This is usually a result of, for example but not limited to, the organization becoming better at forecasting and extrapolating future scenarios and organizational requirements.

One way to get better at forecasting the future is to use Emerging Risk management. I have written about the subject in two articles:

But where should the road-map start, you may ask? The easiest and best way, in my experience, is to start from where you and your organization currently are.

Start by gaining a thorough understanding of the current situation, for example by analyzing and/or measuring it. This can be done in several ways. One method is to gain a bottom-up perspective of your organization’s security maturity. At the same time, measure where you want to go, i.e. the wanted state.

What I am describing can be done with one, or a combination of several, of the methods below:

  • a holistic security assessment supported by a standard, framework, etcetera.
  • a risk and threat assessment.
  • technical security testing of critical line-of-business applications.
  • a top-down and bottom-up interview process including business leaders and executive management.
  • a feedback loop or questionnaire targeted to the organization.

What I have found to be a successful real-life approach is to adapt the methodology to the current situation and organization. Using a hammer for everything is not an effective option. If there are more suitable tools in the toolbox, why not use those? Or why not use a combination of tools if needed?

This approach, described below, has served me well several times:

  • Top-down: interview and interaction with the executive leaders and business stakeholders in the organization to understand their views on security.
  • Bottom-up: measure the current state and wanted state of the organization’s security maturity.

The key takeaway, independent of which method you use, is:

As a security leader, you must interact with the stakeholders in your organization to really understand what needs to go into that long term plan. A security strategy cannot be something constructed by the security team in isolation from the rest of the organization.

It is you, as that security leader, who together with your stakeholders decides what goes into that long term plan. The stakeholders should be representatives from your business organization, and you need to include them in the development of the security strategy.

Creating a long term plan for a security strategy is not something that can take place in Narnia, disconnected from your organization. The organization shall and must be a part of it.

And there are some very powerful reasons, which many security leaders do not reflect on, why your business stakeholders should participate in the development of the security strategy. Of course, it has to do with business alignment, but there is more to it. It can be summarized in two words: change enablement.

Change enablement is key for achieving the goals in a long term plan

A strategy without change enablement will be less likely to establish inclusiveness. Security is a team sport and needs to include all the stakeholders within an organization. To achieve the long term plans and goals in a security strategy, change enablement is key.

A long term plan, whether it is 12 or 36 months, is highly dependent on change enablement. If this is neglected, or not conducted in alignment with how things are done at the organization where you are implementing the security strategy, I am quite sure the result will be a less favorable outcome. In the worst case, that security strategy will be totally useless. It will become a great and relentless paper tiger that scares people away. And this is the absolute last thing your security strategy, and you as a security leader, should do.

I have seen so many beautiful strategies created by end boss management companies fail due to a lack of adequate change enablement. The blame should not be put on those companies alone, though. The receiving organization has a huge responsibility to anchor the change, with the sponsors and executive leaders leading the way.

So do not make this mistake. If you spend all that time creating a solid strategy, make sure to also spend resources and time on change enablement. Make sure your sponsors are engaged as part of the change and take responsibility for leading the way together with you.

Change enablement, which includes communication management, does not equal sending out 2-3 emails and posting the security strategy on an intranet page that no one reads. That is also a failure, and not something to strive for or that I recommend you do.

If you are interested in some inspiration on how to communicate and speak about security so that your audience understands you, take a look at this article:

EPILOGUE

Use the data gathered from the chosen methods as input to the construction of your road map, i.e. the long term plan. When constructing the long term plan, consider each part that goes into it in relation to the security strategy’s mission statement, business alignment, value creation, resource management, risks, opportunities, etcetera. And this shall be done together with your stakeholders.

Creating the visual road map and strategy, in whatever format, is something, but it is not everything. Make it easy to understand and spend more of your time communicating it. Telling the story. Do not get trapped in PowerPoint-land and the theorization of things. Do not make that mistake.

A plan is great, but as we cannot predict the future, do not put all your effort into planning for perfection. The world is not perfect. Things will happen that you cannot account for in your plans. Create a plan, but stay flexible and adaptable. Trust me on this one.

And keep this one in mind: change enablement. This is usually one of the most underrated parts of a security strategy (as mentioned earlier). Invest time and energy in this part. Make sure all your stakeholders, all the way from the executive leaders to the people affected by the strategy, understand the “why”. Focus less on the details and more on the outcome and how it will impact them.

I have also seen challenges arise when deciding what to prioritize and what to put on the back burner: what goes into the plan in terms of projects and activities for which investments will be sanctioned. Do not underestimate subjective feelings, i.e. those “darlings” and hidden agendas, when it comes to prioritization.

To facilitate this part of the process, something that can help, and usually does, is to create a selection methodology. For a certain activity to be placed on the road map, it needs to match X number of the attributes in the selection methodology.

Some of the things identified will be no-brainers and go directly into the road map; there, less science is needed to rule out subjective feelings and “darlings”. But when selection becomes more of a hassle, a selection methodology can help facilitate it. This is especially helpful if a larger group of people (in many textbooks known as a committee) is part of that decision-making process.

And execution is king. This is what it is all about! At least that is how I see it. When the planning is done, start executing. Now the horsepower from that good-looking PowerPoint needs to hit the ground. More about this in a separate article *cliff-hanger*.




Be consistent and work as a team. Security is a team-sport.


-Henrik Parkkinen