SECURITY STRATEGY – MYTH-BUSTER: Part 2 | Henrik Parkkinen - All Articles - CISO Platform

Source: dictionary[.]cambridge[.]org

INGRESS

Security favors preparedness, and preparedness comes in a couple of different forms. To simplify stuff, I would say that there are mainly two forms:

  • Current preparedness
  • Future preparedness

Both are self-explanatory. We as security leaders need to prepare our organization to take on the current things happening, such as targeted attacks, new regulations, vulnerabilities, awareness, and so forth. And the same goes for the future. We cannot and should not sit on our asses and wait for the future to appear in front of us as a surprise. This is in fact how many organizations do it when it comes to security strategy.

Why not learn from the current and past things we have taken on to prepare our organizations for what is about to happen and what is in front of us? Not everything in the future is unknown to us; some things are, but not everything. We know some things are coming our way and some stuff is here to stay. I don’t think that future preparedness needs to be that hard. But it requires at least one thing, which is:

Time to contemplate

I think that many security leaders can relate to what I am about to write. We need time to sit down and contemplate in order to take on the future. This can take place in a quiet space or in a more organized form with colleagues or people outside of your own organization. And if we, as security leaders, do not take responsibility for doing this work, no one will do it for us. No one knows our organizations better than we do. So why not invest the time to contemplate the future? This is one of those things that is an absolute requirement if we as security leaders are to be able to help and support our organization to take on what is coming our way.

Ingress is completed, and some words of wisdom dropped. Let’s jump into part 2 of the security strategy myth-buster!


MYTH-BUSTER: PART 2

You must have an MBA, CISM, CISSP, and/or similar certification to develop a security strategy.
No. They may be helpful, but they do not ensure that a person will be capable of pulling off the development of a security strategy.

Only organizations with critical infrastructure, assets, intellectual property, and similar need a security strategy.
No. Security favors preparedness, which goes hand in hand with the subject “strategy”. Planning and preparing for what an organization needs from a current and future perspective is something each and every organization should do.

Small organizations do not need a security strategy.
No. The size of the organization does not eliminate the need for a security strategy, but it will, most likely, be a factor that determines how it is applied.

Only large organizations and enterprises need a security strategy.
No. See the above answer. In a large organization, the security strategy will most likely look a bit different compared to a small organization. A security strategy does not come in a fixed format that looks the same for each and every organization.

A security strategy can be outsourced.
No. This:

If your IT environment and security capabilities are managed by a third party, they are accountable and responsible for your organization’s security strategy.
No. See the above answer; the same principles apply.

A security strategy will ensure your organization is secure.
No. The security strategy points out the long-term plan and direction for the organization. It is the execution of the strategy that makes things secure. That cool-looking PowerPoint will not do the work or make things secure on its own.

A security strategy will stop breaches and data leakages from happening.
No. See the above answer. It is the operationalization of the activities within the strategy that does the magic.

A security strategy is a one-time investment and exercise.
No. There should be some form of room to adjust the operationalization of the security strategy along the road, i.e. the security program and the projects executed. The world around us is not static, and for that reason it is a good move to keep this in mind. You cannot control what is happening around you or outside of your organization. Adjust accordingly if needed.

A security strategy is very expensive.
No, this is also bull sh*t. It requires investment and resources, as with everything else. The opposite is rather more true: it can be very expensive to not have a security strategy and just go out swinging and hoping for the best. I would not recommend that any organization, independent of size, industry, geography, etcetera, does so, approaching security as a pure firefight or with a very short-term planning perspective.


EPILOGUE

To prepare for the future, time and resources need to be invested and sanctioned. There are no crystal balls or magic wands out there, or at least not to my knowledge, that do the job for us. But at the same time, we have never been equipped with better capabilities to prepare ourselves and our organization to take on the future. What is available out there is loads of valuable information that can be used to better understand what is coming our way. The majority of the information is also available for free, for example through different experts who share their knowledge or through podcasts, webinars, reports, websites, blogs, and so forth.

If you want to prepare your organization for the future, start now. The sooner you start the work, the better equipped you and your organization will be for the future.

I think that with very little time and effort almost any organization can achieve significant improvements in its future preparedness. One of the best ways to do so is through having informed and intelligent conversations about what is coming our way, in order to widen our perspectives as security leaders. Gaining perspectives by picking the brains of a collective group of people will for sure add value to better understanding those potential future things that are coming our way and how they may impact our organization.

If you want to know more about how to improve your organization’s future preparedness, this is a good starting point:

I am a strong believer in doing things together and having a strong team around you when it comes to security. And this is especially true when it comes to security strategy and future preparedness. This is not something that a bunch of security people should do in isolation or on their own in a basement. Doing it this way will most likely leave out valuable information that your organization could benefit from. Security does not exist in isolation. Security's purpose is to support the organization; it does not exist for its own sake.

And those future things that are coming our way, and that will have an impact on security, will not only come from the security industry itself. New trends and changes related to technology, geopolitics, economy, and society are just a couple of subjects that will, directly or indirectly, impact security. Trying to at least stay a little bit ahead of the curve will put you and your organization in a much better spot compared to doing the opposite. Invest time and resources in preparing for the future. Doing something is far better than doing nothing. The future is coming. We cannot stop it, but we can prepare for it.
