This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners sound off on key information security issues."
When the wolves are at the door--and they're at the door every day--it can be difficult to focus strategically on where we think the threat may be in three or five years and what our reaction should be. That, however, does not preclude the requirement for the CISO to set the strategic course.
So once a year, we gather our team at an off-site meeting to create--drum roll, please--the Strategic Plan, which often ends up being more tactical than strategic. The result is that we end up without a true strategy because we haven't devoted the deep thought necessary to create a vision worthy of being called a Strategic Plan. I've done the annual strategic plan dance more times than I care to admit because creating a Strategic Plan takes real time and real effort, which is difficult to justify when you find yourself in more of a firefighter role than a CISO.
Perhaps if we'd done a better job as an industry in our strategic planning and thinking, we wouldn't be overrun with the poorly coded applications we have today that just beg for a hacker's attention. In retrospect, my strategic thinking should have focused more on these kinds of big problems that have business implications, because as we all know, business is typically what suffers when you have a security incident. I knew legacy applications were vulnerable to the kind of command-execution and client-side attacks we are seeing today, and you probably did too. Have we just been too focused on Patch Tuesday vulnerabilities or the latest vulnerability assessment results? When did application security show up on your Top 5 list of things to worry about? Think about it--we've known about the problem of protecting personally identifiable information for years, but when did it become your No. 1 priority?
I think times are changing in most business circles, and hopefully security is finally being appreciated as being business critical. Perhaps not always happily, but recognized nonetheless, due to the growing regulatory environment, increasing requirement to protect intellectual property--and in the government sector, the need to guard our citizens' perception that we are protecting their personal information. So while it takes a degree of boldness to look into the future, I believe CISOs neglect true strategic planning at their peril because real success is impossible without the road map a strategic plan provides.
This was first published in October 2008