To every security professional who has figured out the importance of establishing their vision and mission before tackling the task of creating a strategy, I have one word: congratulations. Security practitioners often misunderstand the differences between a mission, vision, strategy and goals. Quite simply, the strategy is the “how” or means by which you will fulfill the “what.” Goals are the measurable activities you perform to get to the end result or the “what” – your vision and mission.
Planning Takes Time
Only after the mission and vision have been defined should the strategy be developed. A good strategy aligns with your company’s form, language and values. Take the time to get input from trusted peers who have had success in developing, gaining approval for, and implementing strategic plans within your organization.
While many companies’ goals and strategies have commonalities with others, each company’s overall business strategy, culture and mission will determine its priorities and emphases.
Most organizations are matrix-oriented – they have lots of dotted and blurring lines in the organizational chart – and this means you will not be able to depend on a hierarchical structure to make things happen. In this case, teaming with other functions will give you more influence and potential for success than remaining in your own silo.
Leave yourself some options. Devise and communicate your preferred plan with one or two different options in mind for management to consider and approve. This was a hard one for my ego when I first started drafting and implementing strategic plans. It’s easy to take rejection personally, yet I found more often than not that the old adage is true: Business is business.
Your three-year strategic plan may end up taking five years to complete, but you have gained favor with key decision makers by putting yourself in their shoes and envisioning the big picture. Let’s be honest: how many organizations actually remain consistent enough over a five-year period to see their business plan come to fruition? Executive leadership changes, economic environments fluctuate and risk tolerances vary over relatively short periods of time.
I am not suggesting that we don’t present risks and solutions with confidence and conviction. I have done my best to clearly inform management of the risks associated with decisions and indecisions. Every great executive decision-maker I have worked with eats risk for breakfast. At times, their tolerance level for risk may border on the irresponsible in my mind, yet they will ultimately make the decisions and take responsibility for them.
Finally, be concise in your documentation and delivery. Choose three to four memorable cornerstones to build everything around. For instance, my most recent strategic plan was developed around four key ideas:
- Create security ownership at every level of the organization
- Partner with other functions to gain traction and integration of security solutions
- Raise security issues to appropriate levels to gain quick and decisive action
- Create solutions that are understandable, affordable, and align with business objectives
Developing a successful strategic plan can be challenging; however, you will be rewarded for your efforts. It’s an organization’s roadmap to success.