In Depth

Five Steps to an Effective Strategic Plan

Stop lurching from crisis to crisis. Take the long view to find business value in security by forming a strategic plan.

By Sarah D. Scalet

July 01, 2005CSO

Stan Gatewood has a litany of reasons why CSOs might not bother with strategic planning. Just ask.

"You have the economy playing against you," says Gatewood, CISO of the University of Georgia. "You have social behavior playing against you. You have technology. You have laws and regulations." And don't bother looking for specialized books or seminars to help you apply business strategic planning principles to security. There aren't any.

Despite all this, Gatewood is here to say that you need to do strategic planning. "If you have no plan, how will you know if you're doing it right?" he asks. "You will be reacting to every little thing that bumps in the night."

After all, that's how most corporate and information security groups have operated for years: Break glass, pull handle. Security departments could hardly control their future, the thinking went, when they were so incident-driven.

But all this is changing, as CSOs and CISOs begin to see the value of using established strategic planning principles to guide their efforts. At its core, strategic planning is nothing more than a formalized process for setting goals based on business objectives and then mapping out how to accomplish those goals—over the coming years, not months.

Sure, many of you have high-level mission statements. And sure, most of you have year-ahead tactical plans tied to your budgets. A truly strategic plan, however, sits in the sweet spot in between those two levels. CSOs who have figured out how to create and implement a tactical plan claim that it helps them spend resources wisely, gather support for security initiatives and gain alignment with the business. No glass broken.

"It's really about putting the big C in CSO," says James Quinnild, a security partner in the advisory practice at PricewaterhouseCoopers. "CSOs are managing a lot more funding, their visibility within the organization is a lot higher, and there are a lot more people asking the CSO, How are you doing? What are you doing? How did you prioritize what you're doing?" A well-thought-out plan helps answer those questions.

Especially in the rapidly changing information security field, planning for the future can be perilous. Technologies change, and new threats emerge. But despite the challenges, the strategic planning process is crucial if you want to get your organization out of crisis mode. Here are five steps to getting started. As you'll see, this isn't an arcane discipline. It's Business 101, applied to security.

1: Begin with the business's big-picture plan

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WEBCAST
The Surest Path to Effective and Efficient Compliance

VeriSignIn this webcast, we explore why and how — with best practices, practical tips and solutions that work — to ease your compliance challenge.

» View the webcast

Featured Sponsors
Sponsored Links

Think your data is safe? Think again. It's time to Outthink the Threat. Get eBook now

Rolling the dice with your security? Take the Self-Assessment Test now

Diebold: Frost & Sullivan Global Physical Security Systems Integrator of the Year

Revolutionizing Endpoint Security with a Single Agent

Envision Identity-Based Access Control for the Datacenter

E-LOAN Maintains Reputation as a Privacy Leader with Symantec

Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands

Prudential Financial Protects its Brand with Symantec

Envision Identity-Based Access Control for the Datacenter

Digital Identity Protection and Data Security Get Personal

Welcome to the age of Service-Oriented Security (SOS)

Enabling Compliance with Converged Mainframe Security and Storage

The Case for Business Software Assurance ~ Securing Your Applications

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

IS/IT Project Mgt. Credentials From Villanova - 100% Online

Learn how the new Quad-Core AMD Opteron™ processor improves performance

Configuration Assessment: Choosing the Right Solution

Data Protection: Challenges for the Traveling User

Key strategies for C-level executives and security staff

7 Requirements of Data Loss Prevention

Information Security: Data Drains and How to Prevent Loss

How Are Open Source Development Communities Embracing Security Best Practices?

IDC Defines an Identity and Access Management Submarket

Using Likewise to Comply with PCI Data Security Standard

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

Solving Online Credit Fraud Using Device Reputation