How often do you sit down to enjoy a sporting event and witness a total change in team attitude and performance from the first half to the second? The players, coaches, stadium, fans and game officials are the same. So are the team mission, vision and goal: to win the game. So what’s the difference? Most often it is a change in the game plan or strategic direction. Like a sports team, a security organization must have a clear direction and mission as well as a well-planned strategy with multiple options.
To every security professional who has figured out the importance of establishing their vision and mission before tackling the task of creating a strategy, I have one word: congratulations. Security practitioners often misunderstand the differences between a mission, vision, strategy and goals. Quite simply, the strategy is the “how” or means by which you will fulfill the “what.” Goals are the measurable activities you perform to get to the end result or the “what” – your vision and mission.

Planning Takes Time

Some critics will point to mission and vision statements as something created in the late hours of an off-site staff meeting which never get restated, memorialized or put into practice. They would rather get to the task of “making things happen” with quick responses and practical solutions. Granted, many impressive visions never get the wind behind them. However, this element is critical and worth the effort to define. Frankly, the mission and vision is what I have looked to when times have been most confusing and difficult. A mission and vision gives pain a purpose. 
Only after the mission and vision have been defined should the strategy be developed. A good strategy aligns with your company’s form, language and values. Take the time to get input from trusted peers who have had success in developing, gaining approval for, and implementing strategic plans within your organization.      
While many companies’ goals and strategies have commonalities with others, each company’s overall business strategy, culture and mission will determine its priorities and emphases. 
Most organizations are matrix oriented – they have lots of dotted and blurring lines in the organizational chart – and this means you will not be able to depend on a hierarchal structure to make things happen. In this case, teaming with other functions will give you more influence and potential for success than remaining in your own silo.
Options Welcome
Leave yourself some options. Devise and communicate your preferred plan with one or two different options in mind for management to consider and approve. This was a hard one for my ego when I first started drafting and implementing strategic plans. It’s easy to take rejection personally, yet I found more often than not that the old adage is true: Business is business. 
Your three year strategic plan may end up taking five years to complete, but you have gained favor with key decision makers by putting yourself in their shoes and envisioning the big picture. Let’s be honest, how many organizations actually remain consistent enough over a five-year period to see their business plan come to fruition? Executive leadership changes, economic environments fluctuate and risk tolerances vary over relatively short periods of time.
I am not suggesting that we don’t present risks and solutions with confidence and conviction. I have done my best to clearly inform management of the risks associated with decisions and indecisions. Every great executive decision-maker I have worked with eats risk for breakfast. At times, their tolerance level for risk may border on the irresponsible in my mind, yet they will ultimately make the decisions and take responsibility for them.      
Finally, be concise in your documentation and delivery. Choose three to four memorable cornerstones to build everything around. For instance, my most recent strategic plan was developed around four key ideas.
  • Create security ownership at every level of the organization
  • Partner with other functions to gain traction and integration of security solutions
  • Raise security issues to appropriate levels to gain quick and decisive action
  • Create solutions that are understandable, affordable, and align with business objectives.
This seemed to be a good strategic framework for an organization that was somewhat matrix-oriented, relied heavily upon multi-disciplined teams to reach common goals, and required non-security professionals to manage day-to-day.
Developing a successful strategic plan can be challenging; however, you will be rewarded for your efforts. It’s an organization’s roadmap to success.