MYTH-BUSTER: A person, book, etc. that shows that something generally thought to be true is not, in fact, true, or is different from how it is usually described.
Source: dictionary[.]cambridge[.]org
INGRESS
One of the powerful things about having been a consultant for many years, in my case 20+, is that you get to see many different types of organizations, people, and cultures. What this really gives you as a professional is a broad perspective on security and how it manifests itself in different contexts and industry verticals.
In the two sentences you just read, there is one especially strong word that I think is rarely considered when it comes to security. The word I am after is:
Perspectives
I am a strong believer in simplifying things when something is to be explained. If we do so with security, it is mainly about three things: People, Processes, and Technology. Each of these three, depending on the organization, may manifest itself differently.
Those different manifestations will, for a consultant who gets to experience them, add "more" perspectives. This does not need to be an absolute truth, but I think it should be the case. It should also be a reflection of, and a value-adding attribute in, what a consultant brings into the assignments he or she takes on.
From a customer point of view, this is one of those things that, in my opinion, also justifies the price tag for hiring a consultant. A consultant needs, as I see it, to have the capability to add more value than subject matter expertise alone. A customer will expect, and also pay that extra price for, those added values, i.e. the multiple perspectives gathered through broad and diversified experience.
So, what does this have to do with the subject of security strategy? Personally, I think that to become a well-accomplished security strategist, multiple perspectives are highly valuable. The reason is that each organization is its own creature. Each organization has its own unique characteristics. And the more exposure a security strategist has to different organizations, the more perspectives that person has gained. Now the ingress is complete and the myth-buster follows. Hang on!
MYTH-BUSTER: PART 1
A security strategy is only about technology.
No. Technology can be a part of it but does not necessarily need to be. In reality, though, this is most often the case to some extent, as many security controls are built on technology.
A security strategy shall only be built on risks.
No. Risk is one dimension of a security strategy. And risk reduction shall be one of the outcomes of the execution of it.
A security strategy shall be based on ISO 27000, or equivalent standard or framework.
No. A standard or framework is or may be a starting point that could be used for inspiration but these things are not and do not equate to a security strategy.
A security strategy is not allowed to be adjusted before a new one is developed.
No, this rule does not exist in reality. If there is a need to change the strategy, I strongly recommend doing so but keep your stakeholders, sponsors, and team informed about the change/adjustments.
A security strategy does not need to have a roadmap.
No. A strategy, independent of whether it is related to security or another context, must have a roadmap. Put simply:
A strategy without a roadmap is like a fast and cool-looking car without an engine.
It looks great, like that PowerPoint strategy presentation, but it will not take you anywhere.
A security strategy is only created for and owned by the security team.
No. A security strategy is created for the organization. Security in an organization is a supporting function and does not exist in a vacuum.
A security strategy cannot be created if there is no security policy in place.
No. A security strategy can be created without a security policy being in place. The policy creation might, though, need to be one of the outcomes if there is not one already.
A security strategy cannot be created if there is no Information Security Management System implemented.
No. See the answer above. In reality, the same principles apply.
A security strategy will make an organization compliant with ISO 27000, NIST CSF, and similar standards and/or frameworks.
No. A security strategy can, though, include activities, investments, and initiatives that will take an organization closer to, or make it compliant with, a certain standard or framework.
A security strategy must be developed by the CISO.
No. The strategy development does not need to be conducted by the CISO. The CISO will, though, in most organizations be delegated the accountability (from the management team or a CxO) to ensure the strategy is developed, implemented, and followed.
EPILOGUE
One of the most limiting factors for a security leader or professional, in my opinion, is to be locked into absolute ways of how things must be done. This not only limits you as a professional from expanding your perspectives, but also puts the organization you support in a suboptimal spot, limited to your ways of doing things.
I do not say that one must reinvent the wheel every single time or come up with new things for each and every situation. Security does not need to strive for "innovation" or to be something creative when solving problems, ensuring protection, or supporting an organization. But there you have it. It is about supporting the organization. This is the primary mission for security.
Personally, I think that adaptability is key. You as a security leader need to be able to adapt to the reality you are facing. By doing so you take on reality in the form in which it is presented to you. And reality is not always perfect. Approach it in the way it is presented to you. This will broaden your perspectives and your understanding of security through the collected experience from the multiple and unique situations you are faced with.
And do not get stuck striving for perfection. Strive to get sh*t done that is thought through and that adds value to your organization.
It is easier to adapt to the situation you are taking on than to try to adapt the situation to fit your perception.
Follow Henrik Parkkinen on LinkedIn
Visit HenrikParkkinen.com