Strategy and Strategic Planning: Strategy, Strategic planning and security strategy, the information security lifecycle and Architecting the enterprise by Erlan Bakiev, Ph.D.
Precursors to Planning The Role of Planning Precursors to Planning Values Statement Vision Statement Mission Statement Strategic Planning Creating a Strategic Plan Planning Levels Planning and the CISO(Chief Info Security Officer) Planning for Information Security Implementation
Identify the roles in organizations that are active in the planning process Grasp the principal components of information security system implementation planning in the organizational planning scheme.
Planning Influences Employees Management Stockholders Outside stakeholders Physical environment Political and legal environment Competitive environment Technological environment
Information Security Professionals Professionals that support the information security program Chief Information Officer (CIO) Chief Information Security Office (CISO) Security Managers Security Technicians Data Owners Data Custodians Data Users Slide 6
Planning Definition Planning is creating action steps toward goals and then controlling them Provides direction for the organization’s future Allows managing resources Optimizes the use of the resources Coordinates the effort of independent organizational units
Precursors to Planning Values Statement Vision Statement Mission Statement
Values Statement Principles Qualities Benchmarks What your company is? Microsoft: Integrity, honesty, passion, and respectfulness are significant parts of Microsoft’s corporate philosophy
Vision Statement Ambitious Best-case scenario Future goals Where your company wants to be? Microsoft: A personal computer in every home running Microsoft software
Mission Statement Organization’s business Areas of operation Internal External How your company is going to get there? Google: Organize the world's information and make it universally accessible and useful.
Strategic Planning Strategy lays out the long-term direction to be taken by organization It guides organizational efforts, and focuses resources toward specific, clearly defined goals. Strategic planning includes Mission statement Vision statement Values statement Coordinated plans for sub units
Creating a Strategic Plan Organization Develops a general strategy Creates specific strategic plans for major divisions Each level of translates those objectives into more specific objectives for the level below
Top-Down Strategic Planning
Creating a Strategic Plan Strategic goals are translated into tasks Specific Measurable Achievable Realistic Timely
Planning Levels Strategic Planning Tactical Planning Five or more year focus Strategic plan separated into strategic goals for each department Tactical Planning One to three year focus Breaks strategic goals into a series of incremental objectives
Planning Levels Operational Planning Organize the ongoing, day-to-day performance of tasks Includes clearly identified coordination activities across department boundaries Communications requirements Weekly meetings Summaries Progress reports Break previous slide into this
Planning Levels
Strategic Plan Elements Introduction by senior executive Executive Summary Mission Statement and Vision Statement Organizational Profile and History Strategic Issues and Core Values Program Goals and Objectives Management/Operations Goals and Objectives Appendices (optional) Strengths, weaknesses, opportunities and threats (SWOT) analyses, surveys, budgets &etc
10 Tips For Strategic Planning Create a compelling vision statement Embrace the use of balanced scorecard approach Deploy a draft high level plan early, and get input from stakeholders Make the evolving plan visible
10 Tips For Planning (cont.) 5. Make the process invigorating for everyone 6. Be persistent 7. Make the process continuous 8. Provide meaning 9. Be yourself 10. Have fun
Planning For InfoSec Implementation Commonly the CISO directly reports to the CIO. The CIO and CISO play important roles in translating overall strategic planning into tactical and operational information security plans CISO plays a more active role planning the details
CISO Job Description Creates strategic information security plan with a vision for the future of information security Understands fundamental business activities performed by the company Suggests appropriate information security solutions that uniquely protect these activities Improves status of information security by developing action plans schedules budgets status reports top management communications
Planning for Information Security CIO: translates strategic plan into departmental and InfoSec objectives CISO: translates InfoSec objectives into tactical and operational objectives Implementation can now begin Implementation of information security can be accomplished in two ways Bottom-up Top-down
Bottom-Up Approach Grass-roots effort Individual administrators try to improve security No coordinated planning from upper management No coordination between departments Unpredictable funding
Top-Down Approach Strong upper management support A dedicated champion Assured funding Clear planning and implementation process Ability to influence organizational culture