In my previous articles on security strategy, I have written about what a security strategy is, i.e. a long-term plan that sets direction and creates value. I have also talked about why having a strategy matters and busted some myths. But strategy on its own does not protect anything. A strategy points out the direction, but it’s the execution that does the work.
This article is about “The Execution” of a Security Strategy. I will explain “what” the execution is and “why” this is important.
“A strategy without execution is just a cool-looking drawing on a whiteboard or a piece of digital characters. This is also a truth I have seen taking place in multiple organizations.”
WHAT: Turning Strategy Into Action
When most people hear “security strategy,” what comes to mind are PowerPoint slides, long documents, or frameworks. But these things are artifacts, not outcomes. The real outcomes of a security strategy come from execution. This is where things happen in reality and not just on PowerPoint. But, as I said in the introduction, this is not how it always turns out. In many organizations, the security strategy work stops before any actual execution. It becomes a paper dragon that is never translated into actual outcomes.
Operationalization of a security strategy means:
- Translating strategic priorities into programs, projects, and activities that deliver measurable results.
- Embedding security objectives into organizational processes, not keeping them isolated in a security silo or function. Security needs to exist in the organization it supports.
- Delegating responsibility and accountability to the people in the organization to get the work done.
Execution Is Not One Size Fits All
Every organization is unique, as simple as that. Every organization is a cocktail with a set of different ingredients. The way you execute and operate security through projects, programs, KPIs, communication channels, and governance loops must be adapted to your context. Copy-paste activities from a theoretical framework don’t magically make an organization secure or make sure your security strategy is executed efficiently.
But I have learned there are some very good principles to base the execution and operationalization around, and, the other way around, some principles that are bad ones. I will, though, leave these out of this article and get back to them in a separate one, where I will explain “How” to execute and operationalize a security strategy.

But the core principle for a successful security strategy is to make sure to align your security strategy with your organization’s business direction, i.e. mission, vision, and business objectives. This sounds super fluffy and is also something that is explained and mentioned in several security management and strategy theories and books.
How you align your security strategy with your business strategy needs to be made contextual to your organization. Once again, as I mentioned earlier in this article, each and every organization is a cocktail with its own uniqueness. And within an organization, “security” will mean something else between the different business entities. What security means to the HR team will differ from what it means to the IT team. Context matters, and it is also highly important to take into consideration when ensuring that your security strategy is aligned with the direction of your business.
And think about it. A security strategy and its execution will look a bit different in a large corporate enterprise with 800K people compared to an organization consisting of 500 people. The size of the security team will most likely not be the same between these organizations. Nor the budget. Nor the culture. Nor the spirits. Nor the people. But yes, both organizations may need a security strategy, and for this reason also need a method for how to execute on it. It is totally fine that the execution, and the methods through which it is carried out (e.g. waterfall, ITIL, COBIT, agile, lean, scrum), differ, as long as the actions and investments in the security strategy are turned into activities, projects, programs and so on.
There is no one-size-fits-all method. It is up to you as the security leader to make sure the method for the execution is aligned with and applicable to your organization. And what I’ve learned through the years is that there is a strength in each method, so why not take the strengths of each method and combine them? Yes, there are people who don’t like it when agile, for example, is mixed with waterfall. But it works and, from my own experience, a pragmatic approach will be superior. Do what works for your organization to achieve the desired outcome. Most likely one method or another is needed, but it’s not the method that does the magic. It is you as a security leader and the team around you who together execute on the security strategy. There are no substitutes for rolling up the sleeves and doing the actual work.
WHY: Execution eats <insert> for breakfast
A strategy that sits on a shelf or in an annual slide deck is useless. In one of my earlier “myth-buster” discussions, I pointed out that a security strategy does not make an organization secure. It’s the execution that creates security in reality, not the slide decks.
A couple of core reasons why execution is essential:
- Without execution, strategy is just a nice story, a beautiful fairy tale.
  - You can have the most beautiful plan ever created, but if people don’t operationalize it in day-to-day activities, nothing changes.
  - It’s like having a map to a destination but never putting one foot forward.
- Execution creates value.
  - As I have said several times in my articles, security exists to support the business. It doesn’t operate in isolation and shall not do so. Through proper execution:
    - Security initiatives are tied directly to business outcomes. Risks are actively reduced or mitigated.
    - Controls are embedded into the organizational processes and workflows, improving the contextual security posture and resilience.
  - Value isn’t created by thinking, it’s created by doing. If your strategy never translates into work, i.e., things you and your organization execute on, you will sub-optimize the value realization from your security initiatives and investments.
- The world changes. Adapt the execution.
  - A static strategy is meaningless in a dynamic threat landscape and business ecosystem. Monitor for ongoing changes and adjust your plans based on new risks, new business goals, and external changes. You don’t need to change the direction of your strategy, but you may need to re-prioritize based on new business information.
EPILOGUE
Execution means learning, adjusting, and continuously improving. Security is no different from anything else that needs a strategy, i.e. a long-term plan for value creation. And for a strategy to become something more than a bunch of digital letters and papers, it needs to be executed upon and communicated. If you, as a security leader, don’t make sure to execute and communicate your strategy, how would your stakeholders and those your security strategy supports understand how it adds value to them? They need to see the progress and also hear what is happening, both the good and the bad news: when progress is going according to plan and when it is not.
And no, this is not a one-time effort or something that only takes place when the strategy has been created. Execution needs to be continuous, and the strategy needs to be continuously communicated to your team and stakeholders. It will most likely need to be communicated in different ways. Not everyone needs the same form of communication. Some of your stakeholders might want to know a bit more about the details, and some don’t. Some might want to understand where they fit in, what parts of the strategy impact them, whether something will take up their time, whether they need to pitch in on some parts, etc. Communicating your security strategy is itself one of the objectives of executing it.

A strategy is of course valuable, but I think that many security leaders fall into the trap of thinking that when the development of it is done and it has been presented to the security team, the work is “completed”. Now the box is ticked. But this is only one piece of the strategy game. You, as a security leader, need to ensure the strategy is executed continuously and communicated to all your stakeholders, those within your own team and those outside of it, i.e. “business people”.
I will not jump into the path of explaining how communication or the execution should be done, as there are several different ways to do it, and I also think one important aspect here to consider is the organizational culture and structure. “Communication” for example, will be conducted in different ways depending on the organization. Some might want to do it “top down”, i.e. it always starts from the top of the organization and is cascaded down through the reporting lines.
At other places, it might be done more organically and without a hierarchy. There are pros and cons to each, and I’m not debating which is the best way or the worst one. I think that you, as a security leader, should follow the path of your organization. Pro tip –> In most organizations, there are people who are experts in or spend their time working with communication, internal, external, or both. I think a good starting point is to have a conversation with these people and listen to their recommendations. And yes, they are also among your many stakeholders.
I have written a whole article named that fits very well with what you have read if you have come this far. And if you find this article interesting, I think you should look at this one:
Do what works for your organization to achieve the desired outcome. There are no substitutes for pulling up the sleeves and doing the actual work. Execution is not a one-size-fits-all. Be pragmatic and do what works for your organization.
//Henrik Parkkinen