Need help with computer science: the IT / Security strategic plan

Computer Science

Description

Week 4

Discussion board

Pick one of the items below for your Original Post in this week's discussion forum:

  • Explain the benefits of integrating the IT / Security strategic plan with the enterprise strategic plan and the business units' strategic plans.  What can happen if this doesn't occur?
  • On page 74 of the Security Strategy book, there are 12 questions you should consider before starting a strategic plan.  Pick three of these to discuss on the week 4 discussion board.  Why are these questions important?  How do they assist in the development of the strategic plan? [Try not to repeat questions used by other students.]
  • The text mentions a "catch-ball" phase of the planning process.  Research this and provide an explanation of it in your own words.  How can this be used by an organization?
  • The bottom of page 75 provides some guidelines in the planning process.  Explain them in your own words.  Why is it important to address these? What happens if they're not followed?
  • The book states, "Goals are formed using SMART or SMARTER." (p. 83)  Explain this in your own words. Use at least one outside reference. Include how this benefits the strategic planning process.

Written assignment

Complete the following assignments for weeks 4 & 5. Please include your name, class number, and assignment number on your paper.  Follow APA formatting standards, especially for citations and references.

Assignment: Explaining the strategic planning process

Learning Objectives and Outcomes

§  You will understand the steps in the strategic planning process.

§  You will understand how a sample organization could use the strategic planning process.

Scenario

§  The organization is a regional XYZ Credit Union/Bank that has multiple branches and locations throughout the region.

§  Online banking and use of the Internet are the bank’s strengths, given its limited human resources.

§  The customer service department is the organization’s most critical business function.

§  The organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA) and IT security best practices regarding its employees.

§  The organization wants to monitor and control use of the Internet by implementing content filtering.

§  The organization wants to eliminate personal use of organization-owned IT assets and systems.

§  The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls.

§  The organization wants to implement this policy for all the IT assets it owns and to incorporate this policy review into an annual security awareness training program.

Assignment Requirements

1.  Page 75 of the book lists the 11 stages in the strategic planning process.  Even though they are listed in the Roles and Responsibilities section, it’s really an outline of the overall strategic planning process. 

2.  Provide a 1-2 paragraph explanation of each stage.  You need to explain the goal(s) of the stage and how it fits into the whole strategic planning process. Include the inputs and outputs of each stage.

Using the scenario above:

3.  Summarize your recommendations for this organization as they create a new IT Strategy.  Include their potential benefits and costs.

4.  Describe how this organization would use the strategic planning process to develop and maintain their strategic plan.

Your writing must be professional with proper attention to formatting, spelling, grammar, and punctuation. 


Note: Please, I need original content without plagiarism, and APA format and references for both of the questions. Please refer to the textbook that is attached to this document.

security_strategy_from_requirements_to_reality__1_.pdf

Unformatted Attachment Preview

Security Strategy: From Requirements to Reality
Bill Stackpole and Eric Oksendahl

Auerbach Publications, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
© 2011 by Taylor and Francis Group, LLC. Auerbach Publications is an imprint of Taylor & Francis Group, an Informa business.
No claim to original U.S. Government works. Printed in the United States of America on acid-free paper. 10 9 8 7 6 5 4 3 2 1
International Standard Book Number: 978-1-4398-2733-8 (Paperback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data
Stackpole, Bill. Security strategy : from requirements to reality / Bill Stackpole and Eric Oksendahl. p. cm. Includes bibliographical references and index. ISBN 978-1-4398-2733-8 (alk. paper) 1. Computer security. 2. Information technology--Security measures. 3. Data protection. 4. Business--Data processing--Security measures. I. Oksendahl, Eric. II. Title. QA76.9.A25S684 2011 005.8--dc22 2010025968

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Web site at http://www.auerbach-publications.com

To my father who always pushed us to be the best we could be. William “Bill” Stackpole
To my wife Elaine who has always stood beside me and encouraged and supported my efforts. I am truly a blessed man. Eric Oksendahl

Contents

Acknowledgments  xv
Introduction  xvii
Preface  xxi
Authors  xxiii

SECTION I  STRATEGY

1 Strategy: An Introduction  3
  Strategic Planning Essentials  3
  Strategic Planning Process Evaluation  5
  Security Leadership Challenges  6
  Getting Started  7
    Value Proposition  8
  Other Challenges for Security and Strategic Planning  8
  When Strategic Planning Should Be Conducted  10
  Metaphor Analysis and Strategic Planning  10
    Strategic Planning as a Process  13
    Requirements for Successful Strategic Plans  14
  Creating a Security Culture  15
  Security Continuum (Moving toward a Security Culture)  15
  Conclusion  16

2 Getting to the Big Picture  17
  Background (Why Should Security Bother with Strategic Planning?)  17
  Menu of Strategic Planning Methods and Models  18
  Which Strategic Planning Tools?  20
  What Are Security Plan Essentials? (Analysis, Planning, and Implementation)  20
    Learn the Big Picture of the Extended Enterprise  21
    Include a High-Level Risk Assessment as Input  21
    Link Your Strategic Plan to the Organization Strategic Plan  22
    Develop Flexibility and Fluidity in Your Department  22
  When Should Strategic Planning Be Done?  23
  Six Keys to Successful Strategic Planning  24
    Simplicity  24
    Passion (Emotional Energy) and Speed of Planning and Adapting  25
    Connection to Core Values  26
    Core Competencies  27
    Communication  28
    Implementation  29
  Myths about Strategic Planning  30
  Barriers to Strategic Planning  31
    Pushing through to the Next Level of Strategic Breakthrough (Inside/Outside Organizational Input/Output)  31
    Going Slow to Go Faster, or Don’t Just Do Something, Sit There (Honing Organizational Strategic Planning Skills)  32
    Think Ahead, Act Now  32
    Strategic Business Principles and Workplace Politics  32
    Looking for Niches, Voids, Under-Your-Nose Advantages  33
  Overcoming Negative Perceptions of Security  33
    Averse to Outsourcing  34
    Reluctant to Change Quickly  34
    Stovepiped Organization Out of Touch with Business Realities  34
    Always Looking for the Next Magic Technology Bullet  35
    Promises, Promises You Can’t Keep  35
  Developing Strategic Thinking Skills  35
    Create Time for Thinking  36
    Scan  36
    Inquire  37
    Focus Long Distance/Practice Short Distance  37
    Anticipate  38
    Communicate  38
    Evaluate  38
    Practice Flexibility  39
  Conclusion  40

3 Testing the Consumer  41
  Introduction  41
  Defining the Consumer Buckets  42
    What Historic Issues Are We Trying to Resolve or Avoid?  42
    What Are the Challenges?  43
    Customer Relationship Management (CRM)  43
    Customer Value Management (CVM)  44
    When Should You Collect Consumer Data?  45
  Quick Customer Assessment  46
    Managing Key Internal Relationships  46
    Conducting Face-to-Face Interviews  47
    Guidelines for How to Solicit Feedback  47
  Designing Customer Feedback Surveys  48
    Online Survey Guidelines  49
    Focus Group Guidelines  49
  Deploying a Survey  50
  Measuring Customer Satisfaction Results  50
  Integration of Consumer Data  50
  Conclusion  52

4 Strategic Framework (Inputs to Strategic Planning)  53
  Introduction  53
  Environmental Scan  54
  Regulations and Legal Environment  55
  Industry Standards  56
  Marketplace–Customer Base  59
  Organizational Culture  60
  National and International Requirements (Political and Economic)  61
  Competitive Intelligence  62
  Business Intelligence  63
  Technical Environment and Culture  63
  Business Drivers  65
    Business Drivers for the Enterprise  66
  Additional Environmental Scan Resources  67
  Scenario Planning  68
  Futurist Consultant Services  69
  Blue Ocean Strategy versus Red Ocean Strategy  70
  Future (the Need to Be Forward Looking)  71
  Conclusion  72

5 Developing a Strategic Planning Process  73
  Roles and Responsibilities  74
  Process and Procedures  75
  Get Ready to Plan for a Plan  76
  Planning, Preparation, and Facilitation  77
  Building a Foundation for Strategy (High, Wide, and Deep)  79
  In the Beginning  79
    Vision, Mission, and Strategic Initiatives  80
      Vision Statement  80
      Mission Statement  81
      Strategic Initiatives  81
    Analysis  82
    Strategy Formation (Goals, Measurable Objectives)  83
  Implementation (a Bias toward Action and Learning)  84
    Keys to Success for the Implementation Stage of Strategic Planning  84
  Feedback, Tracking, and Control  85
  Completion  87
  Best Strategies (Strategies That Work)  87
  Conclusion  88

6 Gates, Geeks, and Guards (Security Convergence)  91
  Introduction  91
    Terms and Definitions  93
  Benefits of Security Convergence  93
    Cost Savings  93
    Improved Security and Risk Management  94
    More Effective Event/Incident Management  95
    User Experience  96
    Regulatory Compliance  96
    Improved Business Continuity Planning  96
    Other Improvements  97
  Convergence Challenges  97
  Success Factors  98
  Conclusion  99

SECTION II  TACTICS

7 Tactics: An Introduction  103
  Tactical Framework  103
    Facilities—Physical Attack Scenarios  104
    IT Systems—Logical Attack Scenarios  106
  Objectives Identification  107
  First Principles  108
    Observation Principle  108
    Response Principle  109
    Timeliness Principle  109
    Preparedness Principle  110
    Economy Principle  111
    Maintenance of Reserves (Coverage) Principle  112
    Redundancy Principle  113
    Least Privilege Principle  114
    Commonality Principle  115
  Conclusion  116

8 Layer upon Layer (Defense in Depth)  119
  Introduction  119
  Defense-in-Depth Objectives Identification  121
  Information Environments  122
  Threats  122
  Environmental Objectives  123
    In-House Objectives  123
      Limited and Controlled Boundary Access Points  123
      Effective Logging, Detection, and Alerting Capabilities  125
      Operational Excellence for Security Controls  126
      Superior Personnel Supervision, Training, and Skills Management  127
      High Assurance Identity Management  127
      Timely Incident Response and Resolution  128
    Shared-Risk Environments  129
    Hosted Objectives  129
      Consumer Scenario  129
      Provider Scenario  132
    Hybrid Objectives  136
      Consumer Objectives  136
      Provider Objectives  139
  Conclusion  141

9 Did You See That! (Observation)  143
  Introduction  143
  Observation Objectives  144
  Observation Elements  145
    Reconnaissance  145
    Sentry  146
      Physical Security  146
      IT Security  149
    Alarming  152
    Command  154
    Summary  155
  Drivers and Benefits for Excellence in Observation  156
  Observation Challenges  157
  Success Factors and Lessons Learned  158
    Reconnaissance  158
    Surveillance  158
      CCTV Surveillance Lessons Learned  159
      Physical Detectors Lessons Learned  159
    IT System Security  159
      IT System Security Lessons Learned  159
  Excellence in Observation Control Objectives  160
    Reconnaissance  160
    Surveillance  160
    Event Detectors  161
    Pattern and Anomaly Detectors  163
  Conclusion  165

10 Trust but Verify (Accountability)  169
  Introduction  169
  Unmatched Value of Accountability  169
  Comprehensive Accountability Challenges  172
    Identity Challenges  172
    Audit Challenges  173
  Best Uses for the Accountability Tactic  174
  Comprehensive Accountability Identity Objectives  175
    Identity Control Requirements for Accountability  176
      Domain and Local Account Management  176
      Name Collision  176
    Identity Retention  178
    Identity Verification  179
    Local System Accounts  180
    Shared Accounts  181
  Comprehensive Accountability Audit Objectives  182
    Current State  182
    Audit Requirements for Accountability  183
      Domain and Local Audit Management  183
      Complete  184
      Temporal  185
      Consistent  185
      Relevant  185
      Understandable  186
      Simple  186
      Sequential  186
      Correlated  187
      Tamperproof  187
      Traceable  187
      Retained  188
  Conclusion  188

11 SDL and Incident Response  189
  Introduction  189
    Terms Used in This Chapter  190
    Security Development Lifecycle (SDL) Overview  190
    Security Incident Response Overview  191
    Tactical Objectives  193
    Elements of Application Development and Response  195
  Application  195
    Phase 1—Requirements  196
    Phase 2—Design  197
      Threat Modeling  197
    Phase 3—Development  197
    Phase 4—Verification  197
    Phase 5—Release  198
    Phase 6—Support/Service  198
  (SDL)2—Software as a Service Extensions (SaaS)  198
    Security Development Lifecycle Drivers and Benefits  199
    Security Development Lifecycle Challenges  200
    SDL Success Factors and Lessons Learned  202
    Application Control Objectives  203
      Observation/Recognition  203
      Passive Detection Control Objectives  204
      Active Detection Control Objectives
204 Transition Objectives ..................................................................................................... 209 Common Collection and Dispatch....................................................................... 209 Transition Drivers and Benefits.............................................................................210 Transition Challenges ............................................................................................211 Transition Success Factors and Lessons Learned ....................................................212 TAF-K11348-10-0301-C000toc.indd xii 8/18/10 3:20:00 PM Contents ◾ xiii Lessons Learned............................................................................................212 Transition Control Objectives................................................................................212 Rapid Response...............................................................................................................214 Incident Response Procedures ................................................................................215 Automated Responses............................................................................................217 Nonincident-Related Response Procedures (Reporting).........................................218 Reporting as a Response.........................................................................................218 Rapid Response Drivers and Benefits .....................................................................219 Response Challenges..............................................................................................221 Response Success Factors and Lessons Learned......................................................221 Response Control Objectives................................................................................ 
223 Conclusion..................................................................................................................... 223 12 Keep Your Enemies Closer........................................................................................225 Introduction................................................................................................................... 225 Hire a Hacker Objectives ............................................................................................... 227 Offensive Objectives ............................................................................................. 227 How to Use This Tactic for Offense...................................................................... 228 Defensive Objectives ............................................................................................. 229 How to Use This Tactic for Defense...................................................................... 230 Summary ...............................................................................................................231 The Hire a Hacker Controversy......................................................................................231 Success Factors and Lessons Learned ..............................................................................233 Control Objectives ..........................................................................................................233 Countering Insider Threats (Malicious Insider)..................................................... 234 Competent Supervision .........................................................................................235 Supervisor Attributes ................................................................................... 236 Supervisory Attributes ................................................................................. 
238 Employee Screening......................................................................................241 Target Retaliation ..................................................................................................245 Target Deception ...................................................................................................247 Malicious Code Implantation ...................................................................... 248 Conclusion......................................................................................................................251 13 Hire a Hessian (Outsourcing)...................................................................................253 Introduction....................................................................................................................253 Security in the Outsourcing of IT Services..................................................................... 254 Outsourcing Pros—Benefits...................................................................................255 Outsource Cons—Challenges................................................................................255 Success Factors and Lessons Learned......................................................................256 Outsourcing Control Objectives ............................................................................257 Security in the Outsourcing of Security Services .............................................................261 Commonly Outsourced Services............................................................................261 Security Auditing..........................................................................................261 Penetration Testing, Vulnerability Assessment............................................. 262 Systems Monitoring ..................................................................................... 
262 Incident Support.......................................................................................... 263 TAF-K11348-10-0301-C000toc.indd xiii 8/18/10 3:20:00 PM xiv ◾ Contents System Management/Administration........................................................... 263 Security Officer Services.............................................................................. 263 Outsourcing of Security Services Objectives......................................................... 264 Challenges to Outsourcing Security Services.........................................................265 Success Factors and Lessons Learned .................................................................... 266 Outsourcing Security Services Control Objectives.................................................267 Maintain the Confidentiality of Results........................................................267 Prevent the Disclosure of Events.................................................................. 268 Preserving Evidence ..................................................................................... 269 Avoiding Retention/Discovery Liabilities..................................................... 269 Elevated Privilege and Intellectual Property Loss ..........................................270 Conclusion..................................................................................................................... 272 14 Security Awareness Training ....................................................................................275 Introduction....................................................................................................................275 Staff Development Training........................................................................................... 277 General Staff Security Training............................................................................. 
277 Security Staff Training.......................................................................................... 278 Security Staff Training Requirements ................................................................... 279 Security Awareness Training .......................................................................................... 280 Awareness Training Objectives ............................................................................. 280 Awareness Training Elements................................................................................ 282 Awareness Training Drivers and Benefits ....................................................................... 283 Industry Training Trends and Best-Practices Examples.................................................. 284 Training Resources......................................................................................................... 286 Awareness Training Challenges...................................................................................... 289 Success Factors and Lessons Learned...............................................................................291 How Do You Know if Your Training Is Successful? ....................................................... 292 Conclusion......................................................................................................................293 References..........................................................................................................................295 Appendix ...........................................................................................................................303 Physical Security Checklists ........................................................................................... 
303 Index..................................................................................................................................313 TAF-K11348-10-0301-C000toc.indd xiv 8/18/10 3:20:01 PM Acknowledgments The authors wish to thank the following people for their hours of reviews, suggestions, and encouragement throughout the process of putting this book together. Greg Gwash Elaine Oksendahl Dave Komendat Carl Davis Tim McQuiggan Lt. Col. Thomas Stackpole, U.S. Army Dave Cook Butch Moody Verdonn Simmons Peter Oksendahl Patrick Hanrion A special thank you to Jennifer Reed who taught Bill’s science class for six weeks so he could finish the book, and to Tim Lorenz who graciously gave him the time off. xv TAF-K11348-10-0301-C000f.indd xv 8/18/10 2:47:32 PM TAF-K11348-10-0301-C000f.indd xvi 8/18/10 2:47:32 PM Introduction I need you to find a way to keep compliance from putting us out of business! Ron Markezich Corporate Vice President, Microsoft Online Security as a business—what a concept! And to many security professionals it’s a concept that few have had time to consider or have needed to consider. Compliance changed all that; it pushed information security into the executive suite where it’s not only a jail sentence but a huge drag on the bottom line. Combine that with a major economic downturn and one has a lot of incentive to make security a value proposition. Both of us have watched this requirement develop in corporations and have witnessed security professionals struggle to get a handle on what it means to be a valued business partner. We see two recurring themes: first is the lack of good business processes on the security side and second, a diminished understanding of the value of security on the executive side. It is these two issues that have inspired us to write Security Strategy: From Requirements to Reality. 
Our primary goal in writing this book is to teach security leadership and security practitioners how to select, develop, and deploy a security strategy appropriate to their organization. Our secondary goal is to support the implementation of strategic planning initiatives, goals, and objectives with a solid set of security tactics. It is also our hope that executive managers, marketing, and other business units will use this book to better understand the value security brings to the organization in the compliance-centric 21st century.

Businesses cannot survive in today’s marketplace without information technology (IT), and IT cannot survive in today’s computing environments without security. Today’s leading companies are those that have solved the security conundrum and learned to leverage security to promote innovation, grab market share, and enhance brand. When Microsoft was being flogged by the industry for poor security, Bill Gates created a trustworthy computing initiative that united the company behind a single strategic goal: “to focus our [Microsoft’s] efforts on building trust into every one of our products and services.” In less than 10 years Microsoft propelled itself from whipping boy to market leader through innovation, commitment, and solid strategic planning.

One of Microsoft’s key initiatives was to consolidate security services into a single customer-facing entity (the Microsoft Security Response Center). This is a strategy that we see as critical to the future success of security management. There should be one person to contact, one number to call, one website to visit, and one operations group to receive and respond to security events. It should never be the customer’s responsibility to figure out who to call while dealing with a difficult or emergency situation.

We also believe in building a culture of security. Employees are your first line of defense; none of them leave their houses in the morning without locking the door, and none of them should leave their worksites at night without locking their computer and sensitive documents away. If you really want your employees to be your first line of defense, you need to teach them how, and you must be readily available, helpful, and responsive when they call. When the quality of Ford products began to diminish, the company moved Quality Assurance from a business unit to a business culture. Quality became “job one” for everyone working at the company, from Bill Ford’s Quality Council to the autoworker at the St. Paul assembly plant. This is our view of security; it is job one for every employee, and it needs to be promoted as such.

The challenges are substantial but not insurmountable. It will require a lot of effort on the part of the security group to build the strategic planning skills required, and it will take a fair amount of forbearance on the executive management side as things stumble forward. But the end results in cost reductions, brand enhancement, and operational efficiency are well worth the effort. Let’s get started!

Approach

This book presents business strategy for security groups and tactics for implementing that strategy. It is unique in its approach because it focuses entirely on security strategy planning and execution. The book is about finding the strategy that works in your organization, building it, and implementing it to see real results. You won’t find any point solutions here, no silver bullets, no magic formulas. What you will find is a comprehensive look at the structures and tools required to build a security program that really does enable and enhance business processes in your organization.

The book is based on our experiences in working with large security groups to build and implement strategic plans and tactical solutions, but the book is equally applicable to smaller organizations looking for long-term security solutions. We have divided the book into two parts. The first part is about business strategy. Although it is security-centric, executive managers reading this portion of the book will totally understand it. The second portion of the book is about tactics—the means needed to implement strategy. Security professionals will completely understand this portion of the book. The real value for both groups of readers will be reading the portions of the book that are not familiar to them. It is our hope that in so doing a viable synergy will develop between the two groups—one that allows security to take its place as a valued partner and contributor to the success of the enterprise.

Much of the security conundrum organizations find themselves in didn’t develop overnight; it has been a long time in the making. While corporate (facilities) security is a long-standing discipline, information security, especially in the network arena, is a relatively new discipline, one that has been in an almost nonstop fight against an onslaught of attacks and a continuously changing landscape. It has taken time to develop the tools, processes, and skills needed to build effective security solutions. Although much remains to be done, the security industry has finally found itself in a place where it can begin to be proactive. A major part of that proactive effort is learning how to become a full-fledged partner in the business. Security must become part of an organization’s standard business processes and a partner in the promotion and profitability of the business. For years security professionals have been talking about how security enables the business; well, now it’s time to step up and prove it.
So roll up your sleeves, bolt on your armor, and get ready for some giant-killing ideas. Welcome to the business of security.

SIDEBAR: HOW TO READ A BUSINESS BOOK

1. Decide, before you start, that you’re going to change three things about what you do all day at work. Then, as you’re reading, find the three things and do it. The goal of the reading, then, isn’t to persuade you to change, it’s to help you choose what to change.

2. If you’re going to invest a valuable asset (like time), go ahead and make it productive. Use a Post-it or two, or some index cards or a highlighter. Not to write down stuff so you can forget it later, but to create marching orders. It’s simple: if three weeks go by and you haven’t taken action on what you’ve written down, you wasted your time.

3. It’s not about you, it’s about the next person. The single best use of a business book is to help someone else. Sharing what you read, handing the book to a person who needs it…pushing those around you to get in sync and to take action—that’s the main reason it’s a book, not a video or a seminar. A book is a souvenir and a container and a motivator and an easily leveraged tool. Hoarding books makes them worth less, not more.

Seth Godin

Terms Used in This Book

Business unit—To eliminate confusion between the organization as a whole and the business suborganizations such as departments and divisions, the term business unit has been chosen to refer to these suborganizations.

Consumer/Customer—The terms consumer and customer are used in a general sense. These terms include those external entities that purchase products or use services from the organization as a whole, as well as those external or internal entities that use the services of a business unit within the organization—for example, business units that use security services and/or products and are subject to security governance.

Core Competencies—Core competencies are the specific strengths of an organization that provide value in a market space.

Core Values—Core values are the operating principles that guide an organization’s conduct and relationships.

Corporate security—The terms corporate, physical, and facilities security refer to the group that manages the security of physical assets such as facilities, equipment, and inventory. Corporate security is typically responsible for surveillance, building access controls, security officers, loss prevention, and associated events.

IT security—IT security refers to the group that manages the security of information assets stored, processed, and transferred on computer-based technologies. IT security is typically responsible for the confidentiality, integrity, and availability of digital information; compliance with statutory, regulatory, and industry requirements; and business continuity/disaster recovery planning for IT services.

Organization—This term, used in a generic sense, refers to for-profit and nonprofit businesses (companies, corporations, and enterprises) and government entities/agencies.

Security—This book takes a holistic approach to security, so the terms security and security group encompass both corporate and IT security functions.

Security group—To eliminate confusion between the organization as a whole and the security suborganization, the terms security group or security function have been chosen to refer to the security suborganization.

Stakeholder—A stakeholder is a party who is or may be affected by an action or actions taken by an organization, for example, employees, managers, board members, shareholders, customers, contractors, vendors, and partners.
Preface

The CEO looked up from his desk and said, “I’m sure you are all aware of our plans to form a joint venture with Coral Reef; this is a great opportunity for us but to be honest I have some real concerns about it. If you will pardon the pun, these guys are some real sharks. If we give them access to our network, they could steal us blind. I need you guys to tell me what the risks are.”

The CIO looked over his shoulder, “Matt?”

With a slight grin, Matt, the CSO, replied, “There’s no additional risk sir; we’ll set up a SharePoint site for the project and that’s the only thing they’ll have access to.”

The CEO was about to express his delight when the CFO interrupted, “Well that might be true for remote access, but what about when they’re here on campus?”

“It’s not any different,” Matt replied, “Their laptops aren’t part of our domain so they can’t connect to any of our systems except e-mail, Instant Messenger, Web conferencing, and the project SharePoint.”

“But won’t they look like one of our employees if they have e-mail and IM accounts?” asked the CFO.

Matt replied, “Nope, all external parties have identities that start with F dash and their badges have a different color so our employees know they are ‘foreigners.’”

The CFO continued, “But they will have access to our offices and workspaces; isn’t that a risk?”

“There’s always a risk that someone might go snooping around, but our identity and building access control systems are tied together. They will only have access to the buildings they will be working in, and we can track all other access attempts. We run a weekly report of all F dash building and computer accesses just to make sure they are behaving. If we suspect they aren’t, we can always review the video surveillance to see what they were up to,” Matt replied.

“But they could still steal stuff!” the CFO exclaimed.

Matt replied, “Yes they could, but not for long! They’d be violating the security policy they agreed to uphold and that’s reason enough to send them packing.”

“Thank you, gentlemen, I believe we’re good to go,” said the CEO as he dismissed the meeting with a smile and a hint of disbelief.

Was his security really that good? The answer is yes. In three short years, Matt had managed to build a security program that not only protected the company’s assets but also anticipated the company’s future business requirements and security needs. And he did it with a modest capital investment and no increases in operational costs. Impossible, you say! Not at all. Matt was able to save a substantial amount of money by converging the facilities and information security groups into a single team and converting older expensive video and building access controls technologies to IP network-based devices. He used these savings and the reductions in operating costs to train and cross-train his staff to improve effectiveness and coverage. He also got capital monies to make improvements to the identity management system and to implement some new control technologies.

Successes like this are rare in the security community, so how did all this come about? Security strategy. Matt took the time to analyze the company’s vision, goals, and business strategies, and then he sat down with the key stakeholders to identify existing issues, understand their goals, and learn what their expectations were for security. Next, Matt (with the help of his team and these stakeholders) created a three-year Security Strategic Plan aligned with and supporting the overall business strategy. Finally, he went out and sold that plan, implemented it, and demonstrated security’s value to the business.

Security strategy is the missing gem in many security programs.
It’s not a common skill set among security practitioners and there isn’t a lot of guidance on how to do strategic planning for security management. It was the authors’ goal to remedy that situation by providing you with a practical set of tools and guidance to get you started down the planning path (Section I) and to help you build the processes and controls for implementing that plan (Section II). There are a large number of strategic planning methodologies; trying to cover them all would be unrealistic. Fortunately, they all follow a similar pattern, so we have addressed those components and compiled an exhaustive set of references you can use to further study the method you settled on for your company. It is our sincere hope that this book will contribute to your success and make the practice of security strategic planning a common discipline in the industry.

Welcome to security as a business!

Bill Stackpole
Eric Oksendahl

Authors

William “Bill” Stackpole, CISSP/ISSAP, CISM, former Principal Security Architect for Microsoft Online Services, has more than 25 years of IT experience in security and project management. In his past position, Bill provided thought leadership and guidance for Microsoft’s Secure Online Services Delivery architecture. Before coming to Microsoft, Bill was a principal consultant for Predictive System, an international network consultancy where he was the architect and promoted the application security business. Bill holds a B.S. degree in Management Information Systems and a CISSP with an Architecture Professional endorsement. He is coauthor of Software Deployment, Updating, and Patching (Auerbach, 2007) and a contributing editor to Auerbach’s Handbook on Information Security Management (Krause and Tipton). Bill is a former chair for the CISSP Test Development Committee and a current member of the (ISC)2 Common Body of Knowledge committees for the CISSP and ISSAP certifications.

Eric Oksendahl, former Security Strategist for Boeing, has more than 25 years of experience as a business management consultant, senior facilitator, teacher, and program manager. At Boeing, Eric facilitated strategy development and implementation for the Security and Fire Protection division, including physical and information security. He designed and coordinated the use of strategy development and initiative deployment to integrate security practices into key business processes (e.g., international sales campaigns). Prior to that, Eric was a program manager at the Boeing Leadership Center where he conducted leadership development courses around the world that included Boeing management, supplier management, and customer management. Eric holds a B.A. from Montana State University and an M.A. in Communications from the University of Washington.

Section I: Strategy

This section of the book is about the selection, creation, and implementation of security strategy. Strategy is planning in any field: a carefully devised plan of action to achieve a goal, or the art of developing or carrying out such a plan long term (a year or more). In other words, a strategy is a plan for what work will be done and by whom. Strategic planning is a discipline designed to encourage long-term thinking about an organization. Strategy is a creative act that combines both analysis and creative choices in future actions; it utilizes a structured process to create a formal, integrated enterprise plan. A strategic plan is NOT a tactical roadmap. However, strategic planning is both strategy development and implementation. Strategy realization requires leadership throughout all phases of the strategic planning process, which includes performance, monitoring, evaluation, and adjustment.
Although strategic planning tries to anticipate possible future environments in which the organization will be functioning, it does not attempt to make day-to-day operational decisions. Without well-executed implementation plans, strategy efforts remain, at best, wishes. Security managers must still manage and make decisions on a daily basis using good judgment, while retaining a sense of future direction. Some of these day-to-day decisions will cause a rethinking of strategic direction. This is normal and does not negate the need for a robust strategic planning process. There will be multiple planning iterations, and strategic plans may need to be adjusted to accommodate emergent strategic objectives. The roller-coaster ride of life’s exigencies does not, however, cancel the need for good strategic planning.

Chapter 1: Strategy: An Introduction

If you can’t describe your strategy in twenty minutes, simply and in plain language, you haven’t got a plan. “But,” people may say, “I’ve got a complex strategy. It can’t be reduced to a page.” That’s nonsense. That’s not a complex strategy. It’s a complex thought about the strategy.
Larry Bossidy, Chairman, Honeywell International

Strategic Planning Essentials

Can you describe your current strategy in a clear, compelling manner in less than 20 minutes? Behind every compelling description of strategy that a CEO, CFO, CIO, CSO, or any other corporate executive might present is a strategic planning process. There are several basic elements and core principles in a strategic plan. The following is a brief overview of the basic elements; each of these elements and their subelements will be discussed in greater detail in the subsequent chapters.

1.
Preparation to Plan—This element includes allocation of essential resources, coordination of personnel, and clear RAA (responsibilities, accountability, and authority) for the planning process. Herein lies the crucial first step of strategic planning requiring discipline, focus, and a willingness to ask tough questions while organizations prepare to face uncertainties, consider new possibilities, and decide on fundamental change. First efforts in strategy aren’t perfect, but one should prepare to plan anyway. This is the first step of many little steps to follow in planning. You may want to engage an outside facilitator at the very beginning if you haven’t done much strategic planning as a group.

2. Big Picture Renewal/Creating a Strategic Foundation—Here the cornerstones of any strategic plan are set, vision and mission are clarified, and reviews and analysis are conducted on data from environmental scans or other sources. Internal and external examinations are completed as an organization seeks to understand and prioritize influences and opportunities.

Security Strategy: From Requirements to Reality

Here also is where the hard questions you have prepared in planning get asked—questions such as “Where do we want to play?” “What do we do best?” “What is our business?” “What are critical success factors?” “How will we communicate our plan and to whom?”

3. Strategies and Actions or Focusing the Plan—This is where the steps for how an organization will reach its vision are created. This may include elements like strategic objectives, goals, initiatives, actions, and/or critical success factors for getting there. Here is often where strategy maps or other tools help refine plans, prioritize requirements into specific goals, and link them to measures and initiatives. The goal of this stage is to map elements of strategy into daily operations.
This is where the operational business plans are linked to overall strategic direction. This is where business goals, operational objectives, action plans, and performance measures are linked together. If an organization is not successful here, many groups may not understand how strategy impacts their organization, and, in fact, they may work at cross purposes. At this stage, it is imperative to tie together strategic goals, improvement objectives, action plans, and key performance measures. These will work together to guide an organization during the implementation of strategic plans. This element, too, is where a security group must relate overall business strategy to operations strategy and tactical objectives to tactical action plans.

4. Implementation Schedule—Typically, the implementation schedule is prioritized with specific RAA as the steps for implementation are determined. A schedule is documented with start, milestone, and completion dates for each major strategy. Strategic actions are linked to individuals with time frames and budget allocations.

5. Metrics for the Plan—The measures are created that will ensure the organization is headed in the right direction and determine whether it is successfully implementing the strategic plan. Metrics are integrated into a foundation for the business plan. The business plan should be linked to key performance metrics and compensation and, finally, integrated into a balanced scorecard or some other tracking document for regularly scheduled reviews. Metrics are acknowledged to be an important requirement for success, both strategically and operationally, but are often ignored. Several levels of good metrics are usually required for effective strategic planning.
The top-level metrics that executive leadership consider are the roll-up enterprise dashboard or balanced scorecard metrics that usually entail key compliance and risk indicators, as well as key performance indicators such as return on investment (ROI), resource management, value delivery, and response times. As strategic plans move into initiatives, goals, specific objectives, and the like, obviously the metrics grow more specific and detailed to the organization and objectives as objectives become organizational tactics. Typically, security metrics are fashioned from two main sources, strategic initiatives and external standards required by audit results. Often, as a security group moves from a reactive posture to more of a planned posture, metrics from external standards will become a subset of strategic security metrics. Security metrics will become defined by strategic goals and not just audit results. (Eric watched a security group get hammered by audit results for two years. It was a lot better when the group came up with a successful strategic plan!) Defining metrics that work to move a strategic initiative forward is not easily done. Take, for example, the discussion on cloud-based security metrics in a recent article in CSO magazine, “Clear Metrics for Cloud Security? Yes, Seriously,” by Ariel Silverstone, CISSP. In her article she discusses the difficulty of developing metrics for the storage availability and integrity of Cloud utilization-type initiatives. Her conclusion is that only time will tell whether data from/in the Cloud will be deemed trustworthy by such metrics. Typically, as processes improve and organizations learn from each round of planning, metrics will become more specific, useful, and relevant as success indicators. Metrics are a difficult issue to manage in the strategic planning process.
These difficulties include linking strategic objectives with the key metrics and establishing the feedback loops required to effectively monitor the progress (success or failure) of those objectives. The Information Security and Control Association (ISACA) recommends performance measurement monitoring and reporting on information security processes to ensure strategic objectives are achieved. The performance metrics that ISACA recommends for IT security typically concern measures like number of incidents, number of systems where security requirements are not met, response times, violations, types of malicious code, security incidents, unauthorized IP addresses, port and traffic types denied, access rights authorized, revoked, reset, or changed, and so on. You will find a number of examples of these types of metrics in the chapters of this book on tactics. Captured metrics should also include the less quantifiable, but equally important, people aspects of security such as badging, social engineering, and workplace violence. IT metrics must also capture the harder-to-capture people aspects of computing such as sabotage, data theft, and misuse of computing resources. These statistics can be much harder to gather, quantify, and assess, but they are key issues IT security must face. This is made even more difficult in organizations where corporate and IT security are managed by different stovepiped functions in the organization and data are not rolled up into a common knowledge base. Good performance metric determination, monitoring, and assessment help inform and lay the foundation for the next cycle of strategic planning.

6. Communication Plan Enacted—A communication plan is put into effect, including clear communication strategies and dissemination plans for each predetermined target audience. Key messages, executive summary, and strategy documents are created, and the implementation plan is scheduled, with clear benchmarks established for evaluating success.
Tactical objectives are employed throughout the organization and measured for success.

7. Completion—Results of the strategic planning cycle implementation are analyzed, and the lessons learned are incorporated into following planning cycles. Here is where unanticipated consequences, as well as unrealized and emergent strategies, should be reviewed, and key performance indicators and metrics refined. Often, while one strategic planning cycle is in completion, another planning cycle is being implemented, and perhaps plans are made for a following one.

Strategic Planning Process Evaluation

EXERCISE 1.1

If you are reading this book, it is likely that you are already part of a security group. To help you better understand where strategic planning fits into the security management process, we have devised this short self-assessment quiz. Before you continue reading, take a few moments to reflect on your current organizational status quo by answering the following questions:

1. Where is your security group spending the majority of its time right now, working to create change or reacting to change?
2. In the past year have you spent more time chasing situations or implementing your strategic goals and objectives in a systematic manner?
3. Is security viewed as a separate functional business unit or as a partner who contributes to the success of the overall strategic plan for your organization?
4. Do other parts of your organization consider you to be an enabler of organizational business strategies or a roadblock?
5. Do you have plans in place for possible changes in the marketplace so that you will be able to quickly course-correct?
6. Can your security leadership articulate a clear business purpose and function that the leadership of your organization understands and accepts?
7. What opportunities does the security group have now that it didn’t have a year ago?
8.
What problems or unintended consequences has your security group created for itself?
9. Are your corporate and IT security functions integrated around your organization’s business needs or functioning as related organizational stovepipes?
10. How’s your security group skill set depth (bench-strength) in strategic planning and implementation?
11. Is your security group better prepared to do analysis, planning, and implementation of your strategic plan than it was last year?
12. Are you quicker at all three functions?
13. What information and knowledge did you uncover last year that you didn’t know you needed to know?
14. How good have you been at implementing your strategic plan this year? By what measures?
15. Are your metrics for implementation of your strategic plan better than they were the year before?
16. Are your metrics clearly linked to strategic goals?
17. Is your security group in regular conversation with the other functions of the organization to improve relationships and better understand business objectives?

Answering these questions may help you focus in on the concepts in this book that will be most useful in your security group. As you answered these questions, a number of organizational challenges undoubtedly came to mind.
Here is a partial list of ongoing challenges for security groups:

◾ Economic uncertainties and limited security funding
◾ Stricter statutory and regulatory compliance requirements
◾ Increased audits and audit requirements
◾ Outsourcing and cloud-based service risks
◾ A growing number of application breaches
◾ A need for better tracking of incident responsiveness and resolution
◾ Increased needs for third-party risk assessments and penetration testing
◾ Stricter privacy requirements in every aspect of business (including increasingly complex customer relations management systems that now reach throughout an extended enterprise)

If that isn’t enough pressure, at the same time strategic planning cycles need to be shorter in order to be responsive in much of organizational life. Cycles are shifting from years to months, months to weeks, weeks to days, and days to hours. Shorter cycle times for strategic thinking create a demand for leadership that understands not only the basics of strategic planning, but also the art of working within the organizational culture. Now is the time to be preparing your organization’s strategic plan and response or to adjust the plan you already have in place. Security is a function that requires good strategic leadership capable of setting strategy, communicating vision, and leading passionately. With strong strategic planning and execution skills, security will more likely be seen as a key enabler of business.

Security Leadership Challenges

Today, security leadership has to face new challenges every day in an environment that seems to present increasing unpredictability in economics, technology, and global threat trends. Absorbing new information that is produced at ever-increasing speeds, while coordinating the protection of people, property, and information on a day-to-day basis, is at the very least challenging, at worst overwhelming.
How enterprise leaders learn to cope, adapt, and process information is helped to some degree by new software and technology applications, but even that produces more data that have to be understood and acted upon. Today’s business environment demands security executives with keen business savvy, solid risk management fundamentals, and a whole-systems understanding of the organization within which they work. The current business reality is that security groups must balance the security needs of an extended enterprise that includes all elements in a value stream they support (from customer requirements to company processes and supplier inputs), while also meeting the requirements of an ever-increasing number of governance and regulatory agencies. The role of security governance, ever-increasing compliance requirements, and the demands of effective integration of sound security practices into business processes and risk management efforts require strong leadership and the ability to communicate well beyond traditional business stovepipes. A holistic security management approach is required to create a comprehensive security strategy that aligns security goals with corporate/organizational goals. In addition, it is imperative for organizations that want to resolve ongoing security issues to engage multiple stakeholders in an effort to create a security-conscious culture. The business case for enterprise security architecture has already been well made. Organizations need to develop and implement a security strategy that is integrated with the enterprise strategic plan.
Good security strategy requires:

◾ Having the time and perseverance to plan
◾ Continual alignment of the plan with emerging business requirements
◾ An ability to design and implement an architecture supporting the plan (along with processes and policies required to implement and enforce the plan)
◾ Reporting and measurement methodology to track the plan
◾ Specific metric indicators of the plan’s success or failure

Despite their importance, these key elements remain hard won and elusive for many organizations. Strategic planning is becoming increasingly important in a hypervelocity world. Thinking, planning, and moving quickly while controlling risk are essential skills. Today’s security leadership must be able to continuously demonstrate the business acumen needed to move from concept to endgame for new business initiatives.

Getting Started

Strategic planning is essentially a process of gathering and analyzing information, and envisioning ways to act on that information to better the business. It begins by understanding where the security group is—how it functions—within your organization. The fundamental question concerning security that must be asked is as follows: “Is security simply a servant of a corporate, organizational, or business strategy, or does it serve a greater purpose?” In many organizations, people inside and outside of security would answer this question with a resounding “Yes, it is simply a servant!” Their primary rationale: “Security is a service provider within the organization, and services are not a source of strategic guidance for an organization.” That being said, there are certainly many people inside security groups who are not only willing but more than capable of providing organizational strategic input, even if they are not a formal part of the organizational strategic process.
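The text twice insists that metrics only count as strategic when they are tied to a goal: element 5 above lists ISACA-style operational measures (incident counts, denied port and traffic types, unauthorized IP addresses, access rights granted, revoked or reset), and the "Reporting and measurement methodology" bullet just above asks for a way to track the plan. The following Python is an added illustration of that linkage, not code from the book or its authors: it rolls a handful of constructed event records up into those operational metrics and then scores each against a constructed strategic objective, scorecard-style. The record layout, field names, internal address prefix, objective wording and targets are all assumptions made for the example.

```python
"""Roll constructed security event records up into the kinds of performance
metrics named in the text (incident counts, denied port/traffic types,
unauthorized source addresses, access-right changes) and link each metric
to a strategic objective for a scorecard-style review.

Everything here is constructed for illustration: the records, the field
names, the objectives and the targets are assumptions, not data from the
book or from any real environment."""
from collections import Counter
from datetime import datetime

# Constructed sample records. In practice these would be parsed from firewall,
# identity-management and ticketing exports; the field names are assumptions.
EVENTS = [
    {"kind": "fw_deny", "src": "203.0.113.7", "proto": "tcp", "dport": 23},
    {"kind": "fw_deny", "src": "203.0.113.7", "proto": "tcp", "dport": 3389},
    {"kind": "fw_deny", "src": "198.51.100.2", "proto": "tcp", "dport": 23},
    {"kind": "fw_deny", "src": "10.0.5.12", "proto": "tcp", "dport": 445},
    {"kind": "access", "action": "granted", "user": "jdoe"},
    {"kind": "access", "action": "revoked", "user": "asmith"},
    {"kind": "access", "action": "reset", "user": "jdoe"},
    {"kind": "incident", "id": "INC-1", "severity": "high",
     "opened": "2010-06-03T13:00:00", "closed": "2010-06-03T19:00:00"},
    {"kind": "incident", "id": "INC-2", "severity": "low",
     "opened": "2010-06-04T09:00:00", "closed": "2010-06-06T09:00:00"},
]

# Constructed assumption: addresses outside this prefix that hit a deny rule
# count as "unauthorized IP addresses" in the sense the text uses.
INTERNAL_PREFIXES = ("10.",)


def _hours_between(opened, closed):
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(closed) - datetime.fromisoformat(opened)
    return delta.total_seconds() / 3600


def compute_metrics(events):
    """Return a flat dict of operational security metrics from event records."""
    denies = [e for e in events if e["kind"] == "fw_deny"]
    incidents = [e for e in events if e["kind"] == "incident"]
    access = [e for e in events if e["kind"] == "access"]
    resolve_times = [_hours_between(i["opened"], i["closed"]) for i in incidents]
    return {
        "incidents_total": len(incidents),
        "incidents_high": sum(1 for i in incidents if i["severity"] == "high"),
        "mean_hours_to_resolve": (sum(resolve_times) / len(resolve_times)) if resolve_times else 0.0,
        # (protocol, destination port) -> number of denied connection attempts
        "denied_by_port": dict(Counter((d["proto"], d["dport"]) for d in denies)),
        "unauthorized_sources": sorted(
            {d["src"] for d in denies if not d["src"].startswith(INTERNAL_PREFIXES)}),
        "access_changes": dict(Counter(a["action"] for a in access)),
    }


# Constructed strategic objectives. Each is tied to exactly one metric and a
# target; that linkage is what turns an audit statistic into a strategic metric.
OBJECTIVES = [
    {"objective": "Resolve incidents within 24 hours on average",
     "metric": "mean_hours_to_resolve", "meets_target": lambda v: v <= 24},
    {"objective": "No more than two high-severity incidents per period",
     "metric": "incidents_high", "meets_target": lambda v: v <= 2},
    {"objective": "Fewer than five distinct external sources probing blocked ports",
     "metric": "unauthorized_sources", "meets_target": lambda v: len(v) < 5},
]


def scorecard(metrics, objectives=OBJECTIVES):
    """Roll the metrics up into one dashboard row per strategic objective."""
    rows = []
    for obj in objectives:
        value = metrics[obj["metric"]]
        rows.append({
            "objective": obj["objective"],
            "metric": obj["metric"],
            "value": value,
            "status": "green" if obj["meets_target"](value) else "red",
        })
    return rows


if __name__ == "__main__":
    for row in scorecard(compute_metrics(EVENTS)):
        print(f'{row["status"]:5}  {row["objective"]}  ({row["metric"]} = {row["value"]})')
```

With the constructed records the first objective comes out red (the two incidents average 27 hours to resolve) while the other two are green; that is the point of the design: the same raw counts an auditor would ask for are only meaningful on a dashboard once each is paired with an objective and a target, which is what the text calls linking metrics to strategic goals.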
EXERCISE 1.2

If you haven’t already read every organizational strategic plan you can get your hands on, get started now! If you are going to build a successful security strategy, you need to get a sense of the big picture in which your organization functions.

Value Proposition

From a systemic perspective, a secure workforce, secure facilities, and well-protected information resources are actually part of the organizational brand, both product and service. The security of products and services is now part of the organization’s promise to the marketplace, enterprise stakeholders, and shareholders. It is imperative that organizations deliver on that promise, or they will soon become irrelevant. Organizational strategic planning can readily benefit from the security practitioner’s viewpoint. Whether security is part of the organizational brand or has developed its own brand, it must be part and partner in the organization’s strategic discussions. Brand is critical to security because the process of building a brand helps to convey important fundamentals that link security explicitly to the intent and promise an organization makes to its internal and external customers. In the authors’ experience, often other organizational functions view security as a roadblock to efficient business practices. However, leaving the security group out of the strategic planning process can result in a number of unintended consequences. One example of these unintended consequences is, perhaps, the decision to outsource back-office types of transactions to sourced companies in another country without including security in a strategic conversation. While economically that may be the right strategy, several important elements may be overlooked such as creating vulnerabilities to Personally Identifiable Information (PII) data or providing industrial espionage opportunities for data mining.
There may be easier, less costly solutions if security is included in the original planning than if these risks are managed after the fact. Conversely, if security wants a place at the strategic planning table, it will need to examine the strengths of its own leadership and answer these two fundamental questions:

1. “How can security help the organization achieve strategic goals?” In other words, “What will it take from security to enable the business/organization to get where it wants to go?”
2. “How can the security strategic plan be a living document updated periodically to reflect changes in organizational priorities based on industry trends, marketplace, or emerging technologies?”

The advantages of including security in organizational strategic planning and the Enterprise Risk Management (ERM) components of strategic planning are:

◾ Better understanding of potential risks in any strategic direction
◾ More accurate planning for budget allocations to manage those risks
◾ Quicker movement in strategic objectives for security integration into product, infrastructure, desktop, and business continuity processes

Other Challenges for Security and Strategic Planning

Another crucial issue for the security group in any organization is: “How is the strategic plan (or portions of an organizational strategic plan) to be developed and updated, and what groups will participate?” After the strategic plan is drafted, the fundamental questions of how to communicate, integrate, align, and update the strategic plan come into play. The bottom line for any security strategic plan is that other parts of the organization must understand it, or it will be difficult to achieve effective results protecting the organization’s assets (people, material, and information) at an acceptable cost.
While a business/organization strategy is aimed at organizational vision, purpose, mission, strategies, execution, and measurement of success, an IT security strategy often focuses mainly on information security architecture. It is shaped by the organizational goals, environment, and technical capabilities the business requires in order to achieve its vision. Corporate (physical/facilities) security strategy focuses on policies and procedures for loss prevention and the protection of people and property. Corporate security is also guided by organizational goals, environment, and technology advances. Often, issues arise in this natural tension between the organizational business philosophy (and business architecture) and the more pragmatic aspects of IT architecture. Ralph Whittle and Conrad Myrick, in a white paper titled “Enterprise Business Architecture: The Formal Link between Strategy and Results,” outline the formal link between architecture and strategy. In their words, “These bold new enterprises are not building some static, rigid new architecture, with a moat around the castle. Quite the opposite, they are building fluid, dynamic, integrated architectures capable of evolving with and supporting the corporate strategy. A fundamental requirement of the integrated architecture is that it must have the capability to evolve, change, and adapt in a predictive way.” The problem for IT architecture achieving this goal, as Whittle and Myrick define it, is that when it comes to organizational strategic planning and IT strategic planning, most IT architecture has not been funded or developed to the needed levels. This results in tensions for IT architecture including, but not limited to:

1. Unclear understanding of business/organizational requirements
2. Inflexible architecture that is unable to respond to environmental challenges
3.
Piecemeal local approaches to architecture and security practices rather than integrated efforts, including lack of corporate and IT security integration
4. Unclear linkage to organizational strategy and metrics for successful implementation, scalability, and usability of security services
5. Piecemeal tactical efforts rather than a systemic architectural approach
6. Unmanaged costs or insufficient funding
7. Ineffective risk management efforts
8. IT security that hobbles the business

Fixing the problems that arise from these tensions is not an effort for the faint of heart. One of the requirements of security leadership is a well-constructed security strategy that aligns the strategy, vision, and objectives of the enterprise and answers these questions:

◾ What is the business reason for doing this?
◾ What are we trying to achieve?
◾ How do we enable and support the enterprise achieving its strategic objectives?

Explicit answers to these questions help everyone in the organization, including those involved in security architecture, to make reasoned decisions for their pieces of the strategic puzzle. Without clear answers to these questions, it is difficult to acquire the upper management support needed to advance security strategy. Without explicit upper management support, security efforts are seldom successful. Gaining this support for strategic efforts is not only a critical success factor, but is often one of the most difficult things a security leader will do.

When Strategic Planning Should Be Conducted

Strategic planning should be part of organizational planning in the following situations:

◾ When an organization is newly formed.
◾ When reenvisioning is required.
◾ Before and during mergers or acquisitions.
◾ In preparation for a new venture, product(s), or service(s).
◾ When exogenous or outside shocks to your organizational environment require adaptation or refinement of a potential strategic scenario. (Scenario planning creates more than one option for an organization to pursue based on future impacts and may require more exploration when an unexpected event drastically changes the environment.)

At the very least, strategy should be conducted on an annual basis to fit within your organization’s business planning cycle, before monies are allocated for a given year in order to fund organizational requirements for accomplishing strategic goals and objectives. Throughout the year there should be organizational reviews of the strategic planning inputs, adjustments, updated action plans, and metrics. Strategic planning should be a planned part of organizational life throughout the calendar year, not a “once-a-year, put-a-plan-in-a-binder and put-it-on-a-shelf until next year” activity. Security leadership should formally conduct a quarterly review. Regardless of when your organization is engaged in strategic planning, paying attention to the language that is used in strategic planning can often help planners understand the organization and, by utilizing new language, transform the organization.

Metaphor Analysis and Strategic Planning

Metaphors reveal how organizations think of themselves and are a window into organizational culture, attitudes, and beliefs. Metaphors can also be an important tool in transforming organizations and will often appear in the communication strategies for strategic change. A whole literature has evolved around analyzing organizational culture by the metaphors found in the everyday conversation on how organizations conduct business; an example is Donald Schon’s concept of a generative metaphor. A generative metaphor is an “implicit metaphor that can cast a kind of spell on a community.” In an implicit metaphor, the full subject is not explained, but is implied from the context of the sentence.
Much of our daily communication in organizational life contains implicit metaphoric language. A branch of this literature assumes that one’s approach to strategy is best caught by the metaphors employed in strategic planning sessions. David Sibbet, president and founder of Grove Consultants International, has worked on strategic planning with organizations for many years by utilizing “story maps” that he and his consultants generate from the conversations held among strategic planning groups. Sibbet, in an article titled “Strategizing with Visual Metaphors,” made the following observations about the power of metaphors:

I serendipitously picked up a 2005 article I’d clipped from the Harvard Business Review called “How Strategists Really Think: Tapping the Power of Analogy.” (It’s available for $6.50 through the HBR website.) Gavetti and Rivkin argue that there is a middle ground between formal, deductive analysis, which works well in information-rich, more mature industries, and trial and error, almost a necessity in very dynamic, untested emergent industries. “Many, perhaps most, strategic problems are neither so novel and complex that they require trial and error nor so familiar and modular that they permit deduction. Much of the time, managers have only enough cues to see a resemblance to a past experience. They can see how an industry they’re thinking about entering looks like one they already understand, for example. It is in this large middle ground that analogical reasoning has its greatest power.” The frame of “strategy by analogy” is different from “visual thinking.” These labels are metaphors that provide a framing context that directly affects what a viewer or listener pays attention to.
And within the visual work the choices of what to illustrate, and most critically, the organizing graphic metaphor and its emphasis, open and close opportunities for engagement, discussion and interpretation.

Over the years we have heard many such metaphors, similes, and strategy analogies in our work with strategy groups, consultants, and educators. Metaphors can help employees look at old issues with a new lens or become a compelling new image of how an organization sees itself. During our careers, we have heard the following metaphors for strategy:

◾ A battle (and other military metaphors)
◾ A revolution
◾ A chess match
◾ Sailing a ship
◾ Sports strategy
◾ A game metaphor
◾ The solving of a puzzle
◾ A city-state, kingdom, domain, or enclave
◾ An organic system
◾ Conducting a symphony
◾ Part of the value chain or system
◾ Sailing a blue ocean, red ocean, purple ocean
◾ BBQ sauce
◾ Pizza

Organizations themselves can also be described by metaphors such as running a tight ship, part of a family, a dynasty, or parts of the body (e.g., IT is described as the nervous system, management as the brain, etc.). Learning to examine anything through a variety of metaphors often helps bring new insight and clarity to participants. A strong use of metaphor can galvanize quick understanding and provide different mental models with which to examine a topic. Security strategy lends itself particularly well to these metaphors, and we use several in our own approaches. Bill Stackpole will frame the tactics chapters of this book in the metaphors of military tactics and enclaves (a distinct political geography, territorial culture, or social unit) and will discuss the principles behind his use of them. Eric’s own favorite metaphor for conducting strategy sessions remains a “strategy jam” (see Figure 1.1). In fact, a musical jam can get cooking as well when ideas are being generated and integrated.
A consulting colleague at Boeing, Andrew Moskowitz, and Eric conducted several “strategy jam” sessions for a newly formed group of support organizations. “Strategy jam” as a metaphor became very useful for conducting strategic planning for several reasons. Let’s now examine three of the relevant principles behind the metaphor “strategy jam.”

Figure 1.1 Strategy jam.

Need for Responsiveness—In today’s environment, older methodologies for conducting strategy sessions are top heavy, have long lead times, and usually exclude inputs from the people who have the information and creativity needed for successful strategic planning. Consequently, these approaches may have little buy-in from employees and usually just end up as pieces of inert information bound in glossy folders or stored in a database somewhere. Employees have little knowledge of what’s in the strategic plans and even less interest. Next year when the next round of planning begins, someone will blow the dust off the old plans, and the process will repeat itself.

Need for Collaboration—Our industries and organizations have been permanently impacted by Total Quality Management and Productivity-LEAN systems, Process Management rollouts, and Enterprise Risk Management integration, and we are currently trying to understand and assess the impact of Security Convergence on our industry. Never has there been a greater need to engage every ounce of creativity available in our organizations. And yet, for too many organizations, strategic planning remains the province of executives or senior management. The problem is one of participation. When you try to tell or sell an organizational plan to employees who have had no opportunity to provide their thoughts and ideas, you get little buy-in, commitment, follow-through, or impact.
A strategy jam, on the other hand, is an ongoing strategic conversation that is flexible, collaborative, and focused.

Need for Adaptive Skills—Creativity and intuition are the main focus when people and organizations need to adapt their organizational tactics to a “Big Picture Vision” and/or changing business model. Adapting and changing directions with continuous adjustments while executing are important aspects of jamming. This type of strategic jam session most often occurs in business in new product creation, new divisions, and start-ups. But even in more traditional strategic planning, there is still an ongoing requirement for these skills in a more orchestrated context. Ned Herrmann, author of The Creative Brain, puts it this way: “In the corporation of the future, new leaders will not be masters, but maestros. The leadership task will be to anticipate the signs of coming change, to inspire creativity.” Lou Gerstner, former chairman of IBM, also referred to the need to be adaptive in strategic planning when he stated, “You have to be fast on your feet and adaptive or else a strategy is useless.” It is in that spirit that we approach strategic thinking. Every brain in an organization is part of the solution; yet, when asked, most managers estimate they were only tapping 20% of available creativity. (In some organizations that might be a little optimistic.) In a strategy jam session, each instrument has an input.

Life is like a band. We need not all play the same part, but we MUST all play in harmony.
Unknown author
Participants, like musicians in a musical jam session (blues, jazz, orchestra, etc.), need to know the basics of strategic planning (i.e., the notes, chording, and frets of music), and, at the same time, they must be able to listen to the other musicians, pick up on what they are playing, and blend into a new creation, while responding to the audience (customers/stakeholders). So it is in a strategy jam: The players come with an understanding of the basic structures and components of strategic planning, listen to the other players, and create a new direction for the organization. Our goal for this book is to provide you with the scales and notes of strategic planning. The artistry and creativity with which those components are applied depend on you and on your approach to the art of strategy formation and execution and the requirements that match the organization in which you work. Whether your strategy jam is in the form of jazz, blues, or a more formal orchestra, it is our hope that you will be engaged, learning, curious, and optimistic.

Somehow I can’t believe that there are any heights that can’t be scaled by a man who knows the secrets of making dreams come true. This special secret, it seems to me, can be summarized in four Cs. They are curiosity, confidence, courage, and constancy, and the greatest of all is confidence. When you believe in a thing, believe in it all the way, implicitly and unquestionably.
Walt Disney

Strategic Planning as a Process

One of the key paradigms or mental models that should be established early in any strategic planning process is that strategic planning is NOT an event; rather, it is a process (ongoing, year round). Security managers have to know the strategic planning process, take it seriously, and be involved in integrating the plan into the day-to-day activities of the security group. Remember, the process has to be linked to next year’s budget as well.
There are many processes for approaching strategic planning, and while they may have different steps, stages, or phases, the goal is still to produce a strategic plan that moves the organization forward in the right direction. For a basic understanding of strategic planning, perhaps the most widely known model of strategic planning is John Bryson and Farnum Alston’s Strategic Planning for Public and Nonprofit Organizations: A Guide to Strengthening and Sustaining Organizational Achievement and the companion workbook Creating and Implementing Your Strategic Plan. In their workbook, the authors outline the following basic process:

1. Identify a strategic planning process that the organization will use.
2. Identify organizational mandates.
3. Clarify the organizational mission and values.
4. Assess the organization’s external and internal environments to identify strengths, weaknesses, opportunities, and threats.
5. Identify the strategic issues facing the organization.
6. Formulate strategies to manage these issues.
7. Review and adopt the strategic plan or plans.
8. Establish an effective organizational vision.
9. Develop an effective implementation process.
10. Reassess...