SECURITY STRATEGY – DIRECTION


A broken compass is just that, a broken compass, and it is hard to compensate for. Start by fixing the compass.

Going in the wrong direction can quickly lead you to an unwanted position or destination.

Direction is more important than speed. Make sure to dial in the right direction. Fix that compass.


Henrik Parkkinen

“How the
[*BiiiiiP*]
did we end up here?”

That statement should not be a feeling you associate with the execution of a strategy, or with the subject “strategy” at all. Yet here and there this approach seems to be a thing. Personally, I am not a fan of surprise-party moments when strategy is the topic.

A good starting point for not ending up at an unwanted destination or place is to set out a “direction”, and then to make sure you are actually moving in that direction. This, “Direction”, is the topic of this article.

If you want to read my view on what a security strategy is, check out SECURITY STRATEGY – WHAT IS THAT?, which is also the first article in this series on the subject “Security Strategy”.

DIRECTION

I see a strategy as comparable to a compass: a compass that points out the “right direction” on the map. You can read more about the map in this article, Security Strategy – Long term plan.

The “right direction” is not generic or the same for every organization. Quite the opposite: the “right direction” is subjective and unique to each organization.

Why is that the case? Why is the direction not generic? Why can you not just copy-paste a strategic direction from one organization into another?

The “direction” set when constructing a security strategy needs to be aligned with the organization’s business mission, vision, and objectives. These things are not generic, and they should not be the same across organizations, because each organization is unique. Each organization has its own culture, history, past, present, future, people, and so forth. Each organization is a cocktail mixing all these things and much, much more, and they are and shall be unique. That is part of the beauty: every organization has its own positives and negatives.

Think about it: if the organization you are supporting, as a security practitioner, leader, expert, 1337, etcetera, produces food and drugs, its business mission, vision, and objectives will MOST likely differ from those of a start-up operating in the software industry. I think you get the point I am making, and I do not think we need to make things more complex at this point.

So, why should you as a security leader even care about having a certain direction for you and your team, one that ensures alignment with the business goals? Is it not enough that we, as security ninjas, exist and do great things for our organization?

That is absolutely one way of doing things, but it is not how I think you should roll with a security strategy. Going out swinging is not something security favors. You may come out on the other side in OK shape, but do not randomize your efforts and investments when you build your security strategy and set out the direction.

If you set the direction together with the team around you, it will for example increase:

  • Business alignment
  • Operational efficiency
  • Value creation and realization
  • Organizational supportability
  • Goal visualization
  • And the list goes on…

Security should not just float around in an organization doing random stuff. Very few business entities that operate this way from a strategic point of view are considered successful. The same holds for professional teams in the sports world: they do not run their sh*t this way either.

And why do I, again and again, go back to the sports world and team sports when I speak about security? Yes, you are right: I have a long personal career in team sports, and I also think that security is 100% a team sport. It is not a one-man mission. It is not a street fight where you go in throwing haymakers and hope for the best. Security favors preparedness.

OK, back to that compass. Let me now translate “direction” into a compass analogy.

Let us say that we have a vision of traveling to Banff National Park, Canada (which looks like an amazingly beautiful place on Earth), and that we have decided to walk there; that is our travel method. Before we start walking, from wherever we start, we should set out a direction towards Banff National Park. We should point the compass in the right direction so that we know we are walking toward the desired goal.

A security strategy sets the direction for business alignment

But if, for some reason, we decide during our travels towards Banff National Park that we need to change direction, we need to adjust the compass. Put into the context of an organization, this is a feature that a security strategy, according to my own experience and empirical wisdom, shall include. What I am referring to is flexibility and adaptation.

If certain external things, for example threats (which we have no possibility to control), materialize within a very short period of time, we as security people need to be flexible and adapt to those circumstances. The same reasoning goes for risks and emerging risks. To make this concrete, let’s say hello to:

  • Heartbleed
  • COVID-19
  • Log4J
  • AI-stuff
  • and this list can be made much, much longer.

We, as security people, are not in control of these things. We can (in many situations) manage the vulnerabilities related to those threats and risks, but we cannot control what is happening outside our own universe, and that universe, the set of things we can actually control, is very, very, very small in comparison. Think about this one:

How many, and what kind of, things related to security can you and your organization actually control?

This is a very interesting thought experiment and exercise that I have conducted with many security subject matter experts and leaders, and it can be very eye-opening. The idea is not to scare you, or those I have run the thought experiment with. The idea is to awaken the contemplative mind and shine some light on how the security universe and threat landscape operate, and on your and your organization’s position in that universe and landscape.

Think about it once more. Do you, and can you, really have control over the things threatening you and your organization?

EPILOGUE

If we and the team around us operate mindfully and have some kind of horizon-scanning capability established (and, of course, keep track of what is happening around us), we will most likely find better ways to navigate when surprises pop up. What I am speaking about are the threats attacking us, from both inside and outside our organization.

This approach is much, much, much better than sitting and hoping for the best, or adopting a long-term approach based on “we will cross that bridge when we come to it”. And I am very confident that we have not seen the last surprise the threat landscape has to offer, from either a cyber security or a global macro perspective. It is outside of our control.

If you, I, or anyone else in the world could look into the future and tell us how things will pan out, the world would look different. But hey, the time machine or that magical crystal ball has not (at least to my knowledge) been invented (yet).

There is much more power “hidden” in a security strategy than most people realize. It is not only a long-term plan, a direction, and/or an artifact to tick off on the security checklist.

There is great power in constructing a common direction together with the team around you. “The direction” that you, your team, and your organization develop shall be used as your common compass for where you are going together. This is something that is rarely talked about in strategy textbooks, or at least in those I have read (and I have gone through a bunch). But this, compass = direction, is something that has helped me tremendously throughout my career: the analogy itself and the way of thinking I have described for you.

You and your team need to understand “Why” you are walking in a particular direction and, of course, “What” that direction is. You as a security leader need to communicate that direction, and you need to be able to do so both verbally and visually, again and again. It is not enough to show a cool-looking presentation once and say “This is the direction, here is the plan.” Humans do not work that way, and this is not how you enable change around a strategy.

The direction is where you and your team shall spend your energy together. This is what you can control together, and this is where you shall invest your resources: in “the direction”.

Foster a mindset within your organization, and a team mentality, that can be flexible and adaptable when needed. No, it is not enough to say it once or twice. The mindset is built and developed by working together with your team, where you as a security leader need to demonstrate it in action. Show the way, go the way, and do it together. Actions speak louder than words.

And the bad guys out there do not pause their attacks just because you and your organization have not fully adjusted to certain external circumstances, or because you feel the need to readjust the compass, i.e. the direction. The longer it takes you to readjust the compass, the larger the window of opportunity for the bad guys usually is (if what triggered the adjustment has increased your risk exposure).

Be pragmatic, stay flexible, and adapt when needed.


If you decide to go alone, you are limited to the strengths of your own capabilities.

If you decide to go with a team, your collective capabilities become your collective strengths.

Find the right people and set the direction together.

You can always change the direction. But it is far harder to change the people.

Find the right people.

Contemplate the direction.
Go forward & adjust the speed and direction if needed.

Do it together, as a team.

Direction is primary, speed is secondary. Teamwork is everything.


Henrik Parkkinen