Cybersecurity strategy that works

How to develop and implement cybersecurity strategy?

Many security strategies are born quickly and die even quicker. Sometimes their execution is flawless – until someone notices that they minimize risks that are no longer relevant. How to avoid these mistakes? What are the essential qualities of a strategy that works?

Defining a successful security strategy for an entire organization is a demanding but also exciting and rewarding task. It requires an understanding of complex cybersecurity challenges and the ability to decode them into simple language. It also requires strong leadership skills to plan how to turn ideas into action.

During various projects focused on developing security strategies, I was able to notice several recurring patterns. Some of them indicated that the value of the plan was equal to the cost of paper used to print it. However, the following features of security programs were good indicators of success.

Table of contents

  1. Agile
  2. Aligned
  3. Achievable
  4. Actionable
  5. Agreed
  6. Prioritized
  7. Resourced
  8. Simple


Agile

Agile security strategy is flexible. You need to review it often and adapt to current market conditions. Our environment is changing continuously. The product lifecycles are getting shorter. Innovative solutions arrive every day and businesses are trying to embrace them. They optimize operations and reduce costs. They allow the introduction of new services and products opening markets where competition does not exist. However, they also create new risks that you need to manage to protect the reputation of your company.

Agile security strategy also focuses on a reasonable timeframe. The longer the time perspective you use, the more uncertainty about the future you may have. When establishing security strategies, I usually focus on planning around timeframes of 90 days, six months and one year. Why them? I am going to explain that in the next post.


Aligned

Security programs collapse when they lack support from management. It often occurs when the strategy does not meet business expectations. In that case, it is regarded as a distraction to essential projects and never gets implemented.

To make sure that your strategy supports the business perspective, start with a recognition of your firm's objectives, the regulatory requirements affecting your industry, and the technology trends which your company plans to pursue. Form your strategy in a way that supports their adoption. Ensure you do not stop new solutions with too many restrictions that make them challenging to implement or painful to use.

Think about cloud computing, artificial intelligence, big data, mobility and other trends in the market. Countless companies have already embraced them.

Now ask yourself: how well does your strategy support them? What security capabilities do you plan to build to allow the business to use those new solutions securely? And how well are you prepared for the next big thing in your industry?


Achievable

Imagine now that a significant incident hits your company. Suddenly, all hands are on deck. People become available, and money is not a concern anymore. All you have to do is to move fast. Your job is to make sure that every security area that was flashing in red turns to green magically.

Promise that in your strategy and you are in trouble. If a particular security capability does not exist or is at a basic level, it will not become standardized, managed and optimized suddenly. Your red area will not become green overnight. Promises not kept might bite you back because they will impact your credibility in the future.

Because of that, make sure that your strategy is feasible. Have a good perception of the current status of your security domains before defining target maturity levels for them. Try to find a middle ground between objectives which are not compelling and those which are impossible.


Actionable

Strategies that picture only a high-level vision are difficult to initiate. To make your strategy actionable, support it by defining the architecture of required capabilities. Prepare an implementation roadmap and project cards for initiatives that have to be approved.


Agreed

One of the critical steps during strategy development is understanding the viewpoint of your key stakeholders. They are people from various levels of the organization who are interested in and have the power to influence the outcome of your plan.

It is a good idea to involve them in the process. Your colleagues are a good source of business requirements. They can warn you about potential roadblocks. They can help you to find ways to overcome many organizational challenges based on their experience.

The more inclusive you are, the fewer people will be surprised by your vision of security. Constructing something together also forms a sense of ownership and speeds up the implementation process.

Of course, you need to find a balance here. Too many people engaged will slow you down. Find adequate representatives of teams in your organization and work with them.


Prioritized

Time and money are limited resources. Consider them when you develop your implementation roadmap. The number of initiatives you can efficiently run at the same time depends on their scope, size of your security team, required engagement of the business, availability of external support and how much of your attention those projects require.

Since you cannot handle too much at the same time, prioritize your workstreams using precisely defined criteria and plan them accordingly.

Usually, I recommend running no more than three initiatives of strategic importance at the same time. If you add more to the mix, you can spread yourself too thin, do a lot of work and achieve nothing meaningful.


Resourced

You may be in trouble if the budget for your strategy is limited, and if there are no people with adequate skills available. Your plan might look good on paper, but it will be hard to turn into reality. The implementation may go too slowly, to the point where you lose momentum and lose the interest of the organization.

To avoid this scenario, assess the size of the team and the budget you need. Consider those factors for each security capability you want to build or transform.


Simple

Simplicity is what matters in days full of distraction, overbooked calendars and multiple issues competing for management attention. If you need to run a half-day workshop to explain your strategy to key stakeholders, think about simplification. If you have 6 or 7 slides that can guide a conversation during a short meeting, you are in a better position. There is a higher chance that your strategy will be understood.

Simplicity also shows in the architecture of security capabilities. Too many controls might hinder business activities. They might kill experimentation and innovation, which are crucial for many businesses. Go that way, and you will shoot yourself in the foot. In the long run, you will destroy the competitive advantage of your business. And as a result, the budget for the security function will also shrink.

Lean is the way to go. Lean security is cost-effective. It focuses on delivering value.


I believe that these are essential success factors required for a security strategy to be well defined, widely accepted and successfully implemented. Please note that this list is not pure science, based on statistics. It flows from my personal experience. I am aware that there might be many more characteristics of a successful security strategy you observed during your professional experience.
