CISOs need a unique perspective on the key elements to be considered when developing a strategic security plan...
for their organization.
Organizational plans are often classified into five categories, encompassing a wide range of activities and functions. They include the following:
- Strategic plans
- Tactical plans
- Operational plans
- Single-use plans
- Standing plans
Strategic planning encompasses the broadest and most comprehensive type of planning. It nominally includes the main purpose of the organization, its mission, as well as the organization's short-, intermediate- and long-range objectives, including the specific details of how those objectives and goals will be achieved. Strategic planning contains within it operational and tactical planning, as well as standing and single-use plans. Overall, strategic planning is essentially a formalized process for setting the security organization's goals based on business objectives, and then mapping out how to accomplish these goals through objective management and initiatives over the coming years.
Fundamentally, however, the strategic security plan is a foundational document; it's a roadmap for the security organization as to how it will complement the enterprise's corporate strategic plan. The plan is normally reviewed and updated each year, and it is monitored monthly as actual results are determined. Also, the plan is updated as necessary to reflect new regulatory and organizational impacts (for example, the move from the North American Electric Reliability Corporation Critical Infrastructure Protection Standards version 5 to version 6).
Strategic security plans are also useful to help CISOs and their teams to have and sustain a strategic/big picture view of their functions and to stay above the reactive/tactical mode. In many ways, the strategic plan is really the organization's business plan for the next three to five years.
To reiterate, the CISO's strategic security plan should link the security program very clearly to wider corporate strategies. Such linkages can be crucial in justifying budget and resource allocations.
Strategic security plan elements
Kirk Bailey, CISO at the University of Washington in Seattle, has been leading security organizations since the 1970s. In some of his presentations on the subject of being a CISO and running a large security program, he includes the following list of technical and organizational feeds that must go into a strategic security plan:
- Organization and authority controls
- Risk management program
- Intelligence program
- Audit and compliance program
- Privacy program
- Incident management
- Education and awareness program
- Operational management
- Technical security and access controls
- Monitoring, measurement and reporting
- Physical and enforcement security
- Asset identification and classification
- Employee and related account management practices
In addition to these including these topics, be sure to weave in how the strategic security program links with business continuity/disaster recovery planning, third-party/vendor risk and security controls, and governance.
Besides the above, an added analysis to weave into your plan is a list of the organization's stakeholders. Identifying those entities and individuals affected by the strategic security plan is an important activity to help the CISO and his organization to meet requirements, complete assigned mission(s) and create value for the organization. If a CISO does not clearly know who the stakeholders are, it is difficult to ascertain who is affected, how they will support or threaten the organization, or even if the strategic plan completely encompasses the organization and its different subunits.
Fundamental approaches to strategic planning
An elementary, but helpful, way to look at the strategic planning approach is sometimes referred to as the generative approach. Here, leadership identifies the strategic issues with three points of focus on the table.
- Where are you today? Where does the company stand on such security elements as the mission of the organization, structure, programs, people/skills, budget, etc.
- Where do you want the organization to be in the future? What does the optimal vision of the organization look like?
Finally, after looking at numbers 1 and 2 above and comparing the now and future organization, you then need to consider number 3.
- How do we get from our current state to the future vision? What are the actions, strategies and tactics necessary to move from 1 to 2?
Essentially, this approach is intended to clarify strategic planning processes to include a vision, procedures and tools.
What is included in the strategic security plan?
A seminal and simple to follow template for developing the plan is "A Strategic Planning Template for Dummies" by Dr. Jens J. Hansen. Hansen includes the following headings for the different sections of the strategic plan:
- Introductory statement
- Background statement/history
- Management board and staff
- Organizational tenants
- Organizational vision
- Mission statement
- Strengths/weaknesses/opportunities/threats (SWOT) analysis
- Strengths (internal and external)
- Weaknesses (internal and external)
- Opportunities (internal and external)
- Threats (internal and external)
- Major goals (usually less than 10)
- Specific objectives
- Evaluation (plan validation)
- Formative evaluation
- Summative evaluation
A possible strategic planning process
There is no right or wrong way to develop a strategic plan; however, some key process guidelines include the following:
- Identify and involve an executive sponsor, giving the process legitimacy.
- Identify/assign a person to initiate, champion and monitor the process. This person should be committed and involved and have the ability and courage to ask the hard questions and not accept shallow responses during plan development. Sometimes, this can be an outside consultant familiar with strategic planning processes and development.
- Collect supporting information and resources, such as:
- The organization's current mission (both the enterprise and security organization)
- Financial information (e.g., current, future and past budget information)
- Human resource requirements, rules and available support
- Information technology and communications resources
- Set up a war room for the meetings including white boards, projectors/screens, flip charts, wall space for posters, flip chart results, etc.
The following is a very high-level approach to developing a strategic security plan. This is subject to modification, abbreviation and expansion. Suggested members of the core participant team include the following:
- CISO (chair)
- Facilitator (consultant or internal employee familiar with strategic planning processes)
- CISO's direct reports
- CIO or representative
- Legal representative
- Human resources representative
- Risk management representative (if not in the CISO's chain of command)
- Finance/accounting representative
A final key aspect of strategic security plan development is including the plan and its supporting elements in all aspects of the security program's decision-making and governance. The plan should be used for change management decisions, major modification/upgrade considerations, mergers/acquisitions, and it should be the overall conscience for the CISO and the enterprise.
Learn how to make an effective security incident response plan
Discover how to stick to your IT security plan
Check out the pros and cons of the different types of CISOs