The warrior Achilles is one of the great heroes of Greek mythology. According to legend, Achilles was extraordinarily strong, courageous and loyal, but he had one vulnerability–his “Achilles heel.” Homer’s epic poem the Iliad tells the story of his adventures during the last year of the Trojan War.
www[.]history[.]com
INGRESS
One of the least talked about and most underestimated parts of a security strategy is leadership. I think this is something that needs more attention when it comes to strategy in general. Leadership goes into so many different aspects of a security strategy, all the way from developing the strategy to aligning it with your organization’s mission, vision, and objectives. You as a security leader need to ensure the security strategy is embraced by your stakeholders, both those in your security team and those outside of it, i.e. the rest of your organization. You are the one who needs to influence them. Without leadership skills, this becomes hard. Not impossible, but challenging.
You may be able to create the best security strategy out there, but if you cannot communicate it, visually and verbally, its true value becomes very slim. In the worst case, it becomes a cool paper dragon sitting somewhere that no one knows or cares about. And the sad thing is that I have seen this happen. Many organizations spend crap tons of resources to create those world-class strategies, but too often they become useless because they are never communicated, explained, aligned with the organization, or operationalized adequately.
You as a security leader need to:
KNOW THE WAY, SHOW THE WAY & GO THE WAY.
There is tremendous power in a security strategy if you as a security leader can secure the support of your key stakeholders to embrace it. You are the one who needs to influence those in your organization who need to be influenced, and inspire those who need to be inspired. It is not enough to give that strategy presentation once and then say: “The strategy is completed, the only thing that remains is the execution.” Yes, I have seen this happen IRL.
I think that from a security point of view, developing and managing a security strategy is one of the most honorable tasks a security leader can be given. If you are given this opportunity and task, treat it with respect. You have been given the opportunity and the power to influence your organization, and everyone within it, in a profoundly positive direction.
Developing a security strategy is not a PowerPoint exercise that is about you. A security strategy does not exist for its own sake. It is developed for your organization, not for the cybersecurity team. Yes, the cybersecurity team needs to support it and execute parts of it. For this reason, make sure to develop the security strategy together with your team. It is not a one-man show, but someone needs to lead the way. That is the role of a security leader. You are the one who needs to lead the way.
MYTH-BUSTER: PART 3
A security strategy can only be created through a top-down driven approach.
This is not true. It can start from the middle or the bottom. That is less optimal and may leave some things in the strategy unaddressed. In any case, it needs to go up to the top and involve the key stakeholders in your organization, i.e. executives and senior leaders. And it needs to cascade down through your organization, involving the key stakeholders at each level.
ISO 27001 and NIST CSF are equivalent to a security strategy.
No. ISO 27001 is a standard. NIST CSF is a framework. Both may be part of the strategy in one way or another, but they do not equate to a security strategy.
Small organizations do not need a security strategy.
No. The size of the organization does not eliminate the need for a security strategy, but it will, most likely, be a factor that determines how the strategy is applied.
Only security subject matter experts are needed to develop a security strategy.
Absolutely not. They are one stakeholder group among many, for example part of those who will operationalize the tasks needed to accomplish the desired outcome of the strategy.
A security strategy doesn’t need support from executive management, the board, or key stakeholders in the organization.
No. This support is key to success. Make sure that you have the support of your key stakeholders and include them in the development process of your security strategy. This can be done in many different ways.
A security strategy is the same as a security road-map.
No. A security strategy is the long-term plan, and the road-map is the tactical plan, which is also sometimes referred to as the security program.
A security strategy does not need to take external circumstances into consideration.
Not true. The industry the organization operates in, the regulatory requirements, geo-political trends, and the threat landscape are just a few examples of external factors that need to be considered.
A security strategy should be a part of the IT strategy.
No. Security is not, and shall not be, a subordinate or a part of the IT strategy. Both support the organization, but from different perspectives. IT will, however, be one of the key stakeholders.
Physical security does not need to be considered in a security strategy.
No. Physical security is one aspect that will influence the security strategy and needs to be considered.
There is only one way and/or method for how to develop a security strategy.
No. The development can be conducted in different ways and with the help of many different methods. There are, however, better and worse ways to develop one.
EPILOGUE
Developing a security strategy is not rocket science. Sure, if you have never done it before it will be a bit more challenging, but it is still doable. The task itself does not require any special gifts or superpowers. One of the most important skills, leadership, was mentioned in the ingress. Another highly important “skill”, or rather attitude, is that you find it fun. If you do not find the task fun, I think the security strategy will suffer, and so will your organization.
Going into a task with a less positive attitude and mindset will most often set the tone for the outcome. If you as a security leader do not find this part fun, or if you have someone else in your team or network who you think is better suited for the task, there is nothing wrong with handing over the responsibility to that person. Doing so comes down to self-leadership. Know what you are good at, and don’t be afraid of delegating responsibilities or tasks to people around you who might do them better. You as a security leader remain accountable for the security strategy and still need to take ownership of the outcome. That part can’t be outsourced.
As I stated in the ingress, leadership skills are among the most important skills for a security leader. This is especially true when it comes to security strategy. Don’t put yourself up on a pedestal and make it into an ego game where the task is about you. It is about your organization, and you need to do what is best for your organization. If that comes down to asking for help or letting someone else lead the work, do that. Don’t fall into the trap of limiting what your organization needs because you are afraid of asking for help.
Developing a security strategy is a teamwork exercise. It is not a one-man show and shall never be conducted as such. That teamwork exercise also provides a very beautiful platform for you as a security leader to develop and ensure inclusiveness. Spend time together with your team and stakeholders in the development phase, and it will pay back multiple times throughout the execution phase. Very often I see and hear organizations downplay this part. Many rush through the strategy development phase, wanting to get out on the other end and start executing things. That is one way of doing it, but I think that not spending “enough” time together with your security team and stakeholders will backfire.
Security strategy development is not about:
“This is how it is going to be, I have decided!”
Security strategy development is about:
“This is what WE have developed together and committed to as a team. We will make epic shit happen that will support our organization to become successful.”
Which approach do you think will be most successful? Yes, it is a no-brainer. I recommend you as a security leader pick the one that you think will be the most successful for your organization.
Choose to become a legend, like Achilles. Choose to become the type of security leader that your organization will speak about when you are no longer there. The security leader who made an impression on your team and organization resulting in stories of you being told to others.
Achilles might have been a myth, but the stories about him are still told. Wouldn’t it be cool to become the security leader who blazes those trails and creates those stories? I think it would. And I also think that it is up to each one of us as security leaders to choose how we want the stories about us to be told. We own the responsibility for the way we lead our organizations and for how we want to be remembered. Choose how you want to be remembered. As a legend or not, the choice is up to you.
Written by Henrik Parkkinen (HenrikParkkinen.com).