Usually this movie ends with a war of epic proportions, in which the people overthrow the tyrants and the hero is memorialized for all eternity. But sometimes, before the final victory, we get a glimpse of an alternate universe – one that may be closer to reality. Every now and again, the hero gives his speech, and the people, invigorated, agree to fight, but they are quickly and soundly defeated. When this happens, they usually blame the hero. “Why did you drive us to this?” “We aren’t fighting people.” “Look at the damage you’ve caused!”

Now think of this in terms of a security program. You are the incoming director of corporate security. You walk in and see all manner of problems – evident risks unaddressed, policy gaps, inappropriate handling of events, lack of employee and management awareness, and a general malaise surrounding security. These are your oppressed people.

So you work feverishly to develop an amazing new security plan. You set your strategic direction and mission and you build from there, conducting a thorough risk assessment and lining up every type of mitigation program that the current system lacks. You consider industry-specific concerns and talk with peers and colleagues and integrate their experience-driven recommendations. You research technology and prepare to propose new applications. In short, you do everything right. When you’re finished, you sit back and bask in the gleam of the best plan you could imagine.

And then you take it in to present to management.

Scenario 1: They love it. They agree to give you carte blanche. You implement every proposal, and over time the company becomes a model for corporate security in its industry.

Scenario 2: They love it. They agree to give you carte blanche. You implement every proposal, and over time the company begins to erode. Funding is gone, programs languish, the culture becomes hostile to security recommendations and management turns to you and says, “Look at the damage you’ve caused!”

Scenario 3: They listen patiently, look you in the eye and ask you to reconsider this plan, revise it and bring them something they can accomplish. You leave the room knowing your credibility has taken a hit.
Which scenario you get might depend upon your company’s degree of readiness.

Organizational readiness is an oft-overlooked but radically important element in strategic planning. Fortunately, it’s a relatively simple concept.

In our movie analogy, the oppressed people who suffer an initial defeat generally lose because they are underprepared, they have fewer resources than the enemy, or they simply don’t have the confidence to win. It can be the same with a company. If an organization is too financially strapped to invest in new programs, if its culture is anti-change or anti-security (e.g. if employees are used to a very open, permissive atmosphere), or if it has no experience with security programs the size and scale of what you’re proposing, it may not be ready for your proposal.

This does not mean the company needs to change to fit your plans. You need to change to work with your company to provide the best programs you can under the circumstances, and hopefully your positive leadership will guide them into a position to implement stronger proposals down the road.

If your security strategic plans don’t meet with the enthusiasm you expect, your organization may be telling you, “Look, we don’t need another hero. We need a leader who will partner with this organization to set and accomplish realistic goals.”

That doesn’t mean you can’t push the envelope; it doesn’t mean you have to scrap the best security plan 

you can imagine. It just means you need to be aware of how ready your organization is for that grand plan, and you need to be ready to prioritize its elements, putting some portions on the backburner while you focus first on others.