Without a strategy, security plans are almost impossible to implement, and C-suite engagement can be jeopardized
Global security risks are mounting, creating a nightmare for senior security executives. From cyber threats to terrorism, pandemics to supply chain compromise, companies must contend with a rapidly changing global risk environment. Staying ahead of threats feels more difficult than ever before, and not keeping up can put your company’s name in the headlines or even create personal legal risk.
Traditionally, there have been some go-to options for security leaders interested in mitigating their organization’s global risk exposure. Geopolitical risk subscriptions can keep leaders informed of foreign political developments. Cyber threat intelligence provides IT security teams insight into the latest tactics, techniques, and procedures from the likes of Russia and North Korea. Travel security and business continuity policies aim to keep company personnel safe overseas and minimize business disruptions. The list goes on.
The challenge with these solutions – which the accelerating global threat environment has laid bare – is in their patchwork nature. Each, whether performed in-house or contracted out, is critical to protecting an organization’s assets. But if there is no overarching strategy that integrates these functions, security executives will forever be reacting to contact instead of driving a proactive risk management agenda.
Revisiting the Value of Strategy
“Strategy” has become one of the most meaningless words in the dictionary, used so frequently and in so many ways that it has lost its salience. For some exposition on this, check out the first few pages of Lawrence Freedman’s (no relation) Strategy: A History.
But despite the word’s overuse, strategy is an important business function that makes leaders and organizations more effective and efficient. It is, simply put, “the way in which a business, government, or other organization carefully plans its actions over a period of time to improve its position and achieve what it wants.”
For security executives, who face persistent cost pressures and a highly unstructured risk environment, having a strategy – and doing the daily work of strategy – is especially important. The strategy provides clarity on how money should be spent (and how to ask for more), how team members’ time should be utilized, and how the security function of an organization can be viewed as a value generator rather than a cost center. Without a strategy – or with one that is not implemented – every decision becomes more difficult to make and every ounce of C-suite and board support harder to extract.
How to “Do” Strategy
Security leaders who want to build a new global risk strategy or improve their existing one should start with a current state assessment. This phase of the process is focused on fact-finding. Many of the key questions are probably easily answered: What assets do we have? What’s most important to protect? What does our current security posture look like?
Others may require more time and effort: What is going on in the global threat environment that is impacting us now or could impact us in the future? How might cyber, physical, insider, and reputational threats intersect, especially as technology evolves in the next few years? What is special or unique about our organization that may catch the interest of foreign adversaries?
Once these questions are answered and a baseline is established, it’s time to envision a target future state. When doing so, it’s important to pin a date to the wall. For example, where do we want our organization to be in 2025? Then you can tangibly answer questions like: What business objectives need to be accomplished by that time? What will the security function look like – what will it have achieved – to facilitate those business objectives even in the face of the global risks identified?
Once the current and future states are established, it becomes possible to set goals and objectives. You will have to answer: To reach our target future state by 2025, where do we need to spend money today? Which of our security programs requires more focus, and which can be reduced? What activities do we need to start this month, and which can be launched in the middle of next year? How frequently do we need to engage with key stakeholders to keep our strategy on track?
The strategy formulation process concludes with drafting, coordination, and implementation. It’s important to codify the strategy on paper, share it early with partner offices for their input, and then monitor strategy implementation regularly. Security executives should be proactive in assigning actions to team members and establishing regular check-ins to track progress and course-correct where necessary. Global threats are ever-changing, so while having a strategy is essential, it will need to be tweaked routinely to keep pace with emerging issues.
This process can sound simple, but few organizations do it well and consistently. Putting a strategy in place requires dedicated time and a structured approach. Once it’s time to implement, other work tends to get in the way, rendering the daily work of strategy an afterthought, something to be revisited annually or in response to an enterprise-wide tasking.
But for security leaders who want to wake up from the global calamity nightmare, there isn’t an easy fix. Getting serious about strategy is essential.