Icarus, in Greek mythology, son of the inventor Daedalus who perished by flying too near the Sun with waxen wings.
BALANCE
Throughout my career, I’ve had the opportunity to help many organizations with operational, tactical, and strategic security work, from hands-on technical operational tasks such as vulnerability management, patch management, identity & access management, infrastructure security, and tactical road-maps & improvement plans, to long-term security strategies.
My observations throughout my career and my empirical knowledge have shown me that most organizations are less good at the strategic aspects. One of the most common reasons is that it is given far too little attention and resources. This can also be a natural effect of a lack of skills in how a security strategy should be developed, aligned with the business objectives, and executed.
What I have also learned is that developing a security strategy doesn’t need to be complex, but many tend to overthink and overcomplicate it. Of course, if you as a security leader have never developed one, it will take a bit more brainpower the first and second time, but see these as learning opportunities: moments when you go to the “security leadership gym” and practice by doing those reps to build up your strength.
Don’t let perfect be the enemy of good.
Voltaire, French philosopher
Every day we as security leaders practice at something. Every moment we take on a new task is a moment when we can learn something new. From all these moments when we learn new things we also expand our perspectives. We become less bound by our perception (our personal and somewhat narrower viewpoint) and increase our perspective (the broader viewpoint of things). I believe that a security leader needs to have a broad perspective. And to develop this capability, I also believe that we as security leaders need to take on tasks that challenge our perception.
If you want to become a good security leader you need to have the capability to view the world through the lenses of your stakeholders and customers. This is also key when you develop a security strategy for your organization. You do it for your organization. Your security strategy is not about you. It is about your organization. It is about supporting your organization in becoming successful and reaching the business vision, mission, and objectives.
And I agree with Voltaire, don’t let perfect be the enemy of good. Doing something rather than nothing when it comes to the strategic portion of security is for sure a better way of doing it. Don’t let the ambition of perfection hinder your organization’s success.
MYTH-BUSTER: PART 4
There is no point in developing a long-term security strategy, the threat landscape, regulations, and external factors move so fast.
Just because things move fast doesn’t remove the need for long-term planning of security in an organization. This statement is totally wrong.
Long-term planning of security is not necessary, the future is not possible to predict.
Yes and no. The future is impossible to predict, but a security strategy is not about predicting the future; it is about future readiness.
A security strategy does not add value to an organization.
A common belief, and somewhat true: it is the execution of the strategy that realizes the value creation of security for an organization. A security strategy does not exist for its own sake or operate in a vacuum. A security strategy has the purpose of supporting the organization’s vision, mission, and objectives.
Developing a security strategy is just a waste of time that could be spent on protecting the organization.
Protection is one dimension of what security is about. Only focusing on the protection of the organization will not guarantee that the value creation from security is optimized for the organization.
There is only one way how to operationalize a security strategy.
No, the same principles as mentioned above apply. Pick the one that will support your organization the best, so that the horsepower from the initiatives is executed and realized in the most beneficial way.
Our customers don’t care if we have a security strategy. For this reason, we should not develop one either.
This is not a valid reason for neglecting the development of a security strategy. If your customers do not have a security strategy, that could potentially tell you and your organization something about your customers’ security maturity, posture, and cyber resilience. Your customers are a part of your supply chain, the ones you deliver value to and do business with. If this is true, reflect on what this means for your organization.
We are very confident with our security capabilities, we don’t need a security strategy for our organization.
Security doesn’t work that way. It is not something that is influenced or impacted by what you feel or think. Security favors preparedness. To be prepared, planning from an operational, tactical, and strategic point of view is needed.
We have a very high maturity in our operational security capabilities, we don’t need to spend time on tactical and strategic security stuff.
This is also wrong, and the answer is much the same as above. Many organizations fall into this trap for some reason. They neglect the value of tactical and strategic security work. This usually bites these organizations in their asses later on. Don’t make this mistake.
We develop our security strategy on the latest yearly security reports exposing and describing the attack and threat landscape.
This is for sure one parameter to take into consideration, but it should not be how a security strategy is developed. The truth is, there is no external security report out there that knows your organization better than you as a security leader. Base your organization’s security strategy on the requirements of your organization.
We have developed our security strategy based on <Partner name/Country/Institute/Competitor/…>, this is great!
No, this is not great. We are there again: you need to create a security strategy that is aligned with your own organization’s needs. Sure, take some inspiration and consider why this or that entity is doing what it is doing from a strategic security viewpoint. But this or that entity doesn’t know your organization as well as you do.
EPILOGUE
I think that many security leaders should have as a goal to at least try to reach a point where operational, tactical, and strategic security initiatives are closer to equilibrium, i.e. balanced. It might not be possible to find a total balance where you spend an equal amount of resources on each portion. But going from zero strategic security to at least spending, let’s say, 10% of your annual budget on developing, aligning, and working on that long-term security strategy for your organization is a direct win. Doing something is far better than doing nothing. One can of course argue about what those 10% will do for your organization. I would rather flip that question around and say that not spending any time or resources on developing your security strategy is not something to strive for.
If you as a security leader have a hard time justifying your contribution to your organization and how it realizes value from a business perspective, I would say that it is time to spend some time sorting this out. You cannot sort this question out alone without interacting with the stakeholders in your organization. You will not find the answer by running around and focusing all your efforts on operational security initiatives or putting out those “security fires” burning and flaring up on a day-to-day basis. This is of course also needed, but many times, if there is a high pile of operational security issues popping up, there is a high likelihood that this is a symptom of too little strategic and tactical security thinking.
Don’t be afraid of testing something else out or seeking help from others who can help you climb out of that operational security hole. You as a security leader are the one who needs to start climbing. How you do it, with the help of others or on your own, is up to you. But it all starts with acknowledging you are stuck in that hole. And there is nothing wrong with realizing this is the case. Many organizations and security leaders struggle with exactly this challenge, trust me. And I tend to see that here and there some of these leaders do not ask for help to get out of that hole. As a security leader, do not go down the path of Icarussing yourself, i.e. letting your arrogance stand in the way of the success of your organization.
Start doing those things today, i.e. focusing more on tactical and strategic security, that will benefit you and your organization in the future. You will thank yourself later for taking this advice and starting to do so. It is not rocket science. With dedication, you can come very far. With dedication and “passion” (for lack of a better word) you can accomplish very, very, very good results. As I said before, reach out and ask for help if you as a security leader need it. There is nothing wrong with doing so; this is also what is expected of you as a security leader. Lead yourself with the help of others who can help you accomplish the goals you have created together with your stakeholders to make your organization successful. Teamwork. Security is a team sport.
Question:
For "who" is a security strategy developed?
a.) The IT department
b.) The cybersecurity team
c.) The local soccer team
d.) all the above options
Hint: The correct answer to the question is found in the article.
Author: Henrik Parkkinen
Visit HenrikParkkinen.com