What are the tactical concepts provided in chapters 8 through 13 of the Security Strategy book?

  

Chapters 8 through 13 in the Security Strategy book provide
different tactical concepts that apply to information technology.
Again, even though these are focused on security, each applies to IT.
While you need to be familiar with all of them, for this assignment you
should choose one to explain in your own words. Include an example that
explains the concept. Justify why the principle is important for IT
Strategy or Tactics. Find at least one additional reference for each one
you choose. Rather than providing a paper, you are to create a
PowerPoint presentation explaining the concept. It should contain 10-15
slides, including a title slide and a reference slide. You may include
pictures, graphs, figures, or charts to help your discussion of the
topic. Your final presentation product should be professional in format
as if you are going to present it to upper management.
Requirements:
10-15 slides of PPT
Proper attention to formatting, spelling, grammar, and punctuation.
TAF-K11348-10-0301-C000.indd i
8/18/10 2:44:55 PM
Security Strategy: From Requirements to Reality
Bill Stackpole and Eric Oksendahl
Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2011 by Taylor and Francis Group, LLC
Auerbach Publications is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1
International Standard Book Number: 978-1-4398-2733-8 (Paperback)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Library of Congress Cataloging-in-Publication Data
Stackpole, Bill.
Security strategy : from requirements to reality / Bill Stackpole and Eric Oksendahl.
p. cm.
Includes bibliographical references and index.
ISBN 9781439827338 (alk. paper)
1. Computer security. 2. Information technology--Security measures. 3. Data protection. 4. Business--Data processing--Security measures. I. Oksendahl, Eric. II. Title.
QA76.9.A25S684 2011
005.8--dc22
2010025968
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the Auerbach Web site at
http://www.auerbach-publications.com
To my father who always pushed us to be the best we could be.
William "Bill" Stackpole
To my wife Elaine who has always stood beside me and encouraged and supported my efforts. I am truly a blessed man.
Eric Oksendahl
Contents
Acknowledgments ………………………………………………………………………………………………… xv
Introduction ……………………………………………………………………………………………………….xvii
Preface ………………………………………………………………………………………………………………..xxi
Authors ……………………………………………………………………………………………………………. xxiii
SECTION I
STRATEGY
1 Strategy: An Introduction ………………………………………………………………………………..3
Strategic Planning Essentials…………………………………………………………………………………. 3
Strategic Planning Process Evaluation…………………………………………………………………….. 5
Security Leadership Challenges……………………………………………………………………………… 6
Getting Started …………………………………………………………………………………………………… 7
Value Proposition………………………………………………………………………………………… 8
Other Challenges for Security and Strategic Planning ………………………………………………. 8
When Strategic Planning Should Be Conducted………………………………………………………10
Metaphor Analysis and Strategic Planning………………………………………………………………10
Strategic Planning as a Process………………………………………………………………………13
Requirements for Successful Strategic Plans…………………………………………………….14
Creating a Security Culture…………………………………………………………………………………..15
Security Continuum (Moving toward a Security Culture)…………………………………………15
Conclusion…………………………………………………………………………………………………………16
2 Getting to the Big Picture ………………………………………………………………………………17
Background (Why Should Security Bother with Strategic Planning?)………………………….17
Menu of Strategic Planning Methods and Models ……………………………………………………18
Which Strategic Planning Tools?………………………………………………………………………….. 20
What Are Security Plan Essentials? (Analysis, Planning, and Implementation) ……………. 20
Learn the Big Picture of the Extended Enterprise……………………………………………..21
Include a High-Level Risk Assessment as Input ……………………………………………….21
Link Your Strategic Plan to the Organization Strategic Plan…………………………….. 22
Develop Flexibility and Fluidity in Your Department……………………………………… 22
When Should Strategic Planning Be Done?……………………………………………………………. 23
Six Keys to Successful Strategic Planning………………………………………………………………. 24
Simplicity…………………………………………………………………………………………………. 24
vii
Passion (Emotional Energy) and Speed of Planning and Adapting……………………..25
Connection to Core Values …………………………………………………………………………. 26
Core Competencies……………………………………………………………………………………. 27
Communication………………………………………………………………………………………… 28
Implementation…………………………………………………………………………………………. 29
Myths about Strategic Planning …………………………………………………………………………… 30
Barriers to Strategic Planning………………………………………………………………………………..31
Pushing through to the Next Level of Strategic Breakthrough (Inside/Outside Organizational Input/Output)………………………………………………………………………..31
Going Slow to Go Faster, or Don't Just Do Something, Sit There (Honing Organizational Strategic Planning Skills)………………………………………………………. 32
Think Ahead, Act Now………………………………………………………………………………. 32
Strategic Business Principles and Workplace Politics……………………………………….. 32
Looking for Niches, Voids, Under-Your-Nose Advantages………………………………….33
Overcoming Negative Perceptions of Security………………………………………………………….33
Averse to Outsourcing………………………………………………………………………………… 34
Reluctant to Change Quickly……………………………………………………………………… 34
Stovepiped Organization Out of Touch with Business Realities ………………………… 34
Always Looking for the Next Magic Technology Bullet…………………………………….35
Promises, Promises You Can't Keep……………………………………………………………….35
Developing Strategic Thinking Skills ……………………………………………………………………..35
Create Time for Thinking…………………………………………………………………………… 36
Scan ………………………………………………………………………………………………………… 36
Inquire …………………………………………………………………………………………………….. 37
Focus Long Distance/Practice Short Distance………………………………………………… 37
Anticipate ………………………………………………………………………………………………… 38
Communicate …………………………………………………………………………………………… 38
Evaluate …………………………………………………………………………………………………… 38
Practice Flexibility……………………………………………………………………………………… 39
Conclusion……………………………………………………………………………………………………….. 40
3 Testing the Consumer …………………………………………………………………………………….41
Introduction……………………………………………………………………………………………………….41
Defining the Consumer Buckets ………………………………………………………………………….. 42
What Historic Issues Are We Trying to Resolve or Avoid?………………………………… 42
What Are the Challenges?…………………………………………………………………………… 43
Customer Relationship Management (CRM)…………………………………………………. 43
Customer Value Management (CVM) ………………………………………………………….. 44
When Should You Collect Consumer Data?…………………………………………………….45
Quick Customer Assessment……………………………………………………………………………….. 46
Managing Key Internal Relationships…………………………………………………………… 46
Conducting Face-to-Face Interviews………………………………………………………………47
Guidelines for How to Solicit Feedback ………………………………………………………….47
Designing Customer Feedback Surveys…………………………………………………………………. 48
Online Survey Guidelines…………………………………………………………………………… 49
Focus Group Guidelines …………………………………………………………………………….. 49
Deploying a Survey ……………………………………………………………………………………………. 50
Measuring Customer Satisfaction Results ……………………………………………………………… 50
Integration of Consumer Data …………………………………………………………………………….. 50
Conclusion…………………………………………………………………………………………………………52
4 Strategic Framework (Inputs to Strategic Planning)…………………………………………..53
Introduction……………………………………………………………………………………………………….53
Environmental Scan…………………………………………………………………………………………… 54
Regulations and Legal Environment ………………………………………………………………………55
Industry Standards…………………………………………………………………………………………….. 56
Marketplace: Customer Base ………………………………………………………………………………..59
Organizational Culture………………………………………………………………………………………. 60
National and International Requirements (Political and Economic)…………………………….61
Competitive Intelligence …………………………………………………………………………………….. 62
Business Intelligence ………………………………………………………………………………………….. 63
Technical Environment and Culture…………………………………………………………………….. 63
Business Drivers ………………………………………………………………………………………………….65
Business Drivers for the Enterprise……………………………………………………………….. 66
Additional Environmental Scan Resources………………………………………………………………67
Scenario Planning ……………………………………………………………………………………………… 68
Futurist Consultant Services ……………………………………………………………………………….. 69
Blue Ocean Strategy versus Red Ocean Strategy …………………………………………………….. 70
Future (the Need to Be Forward Looking)…………………………………………………………….. 71
Conclusion……………………………………………………………………………………………………….. 72
5 Developing a Strategic Planning Process ………………………………………………………….73
Roles and Responsibilities …………………………………………………………………………………….74
Process and Procedures ………………………………………………………………………………………. 75
Get Ready to Plan for a Plan …………………………………………………………………………………76
Planning, Preparation, and Facilitation…………………………………………………………………. 77
Building a Foundation for Strategy (High, Wide, and Deep) ……………………………………. 79
In the Beginning ……………………………………………………………………………………………….. 79
Vision, Mission, and Strategic Initiatives……………………………………………………….. 80
Vision Statement ……………………………………………………………………………….. 80
Mission Statement ………………………………………………………………………………81
Strategic Initiatives………………………………………………………………………………81
Analysis……………………………………………………………………………………………………. 82
Strategy Formation (Goals, Measurable Objectives)………………………………………… 83
Implementation (a Bias toward Action and Learning) ……………………………………………… 84
Keys to Success for the Implementation Stage of Strategic Planning …………………… 84
Feedback, Tracking, and Control…………………………………………………………………………..85
Completion ………………………………………………………………………………………………………. 87
Best Strategies (Strategies That Work) …………………………………………………………………… 87
Conclusion……………………………………………………………………………………………………….. 88
6 Gates, Geeks, and Guards (Security Convergence)……………………………………………..91
Introduction……………………………………………………………………………………………………….91
Terms and Definitions ……………………………………………………………………………….. 93
Benefits of Security Convergence …………………………………………………………………………. 93
Cost Savings …………………………………………………………………………………………….. 93
Improved Security and Risk Management…………………………………………………….. 94
More Effective Event/Incident Management………………………………………………….. 95
User Experience ………………………………………………………………………………………… 96
Regulatory Compliance ……………………………………………………………………………… 96
Improved Business Continuity Planning……………………………………………………….. 96
Other Improvements………………………………………………………………………………….. 97
Convergence Challenges …………………………………………………………………………………….. 97
Success Factors………………………………………………………………………………………………….. 98
Conclusion……………………………………………………………………………………………………….. 99
SECTION II TACTICS
7 Tactics: An Introduction……………………………………………………………………………….103
Tactical Framework……………………………………………………………………………………………103
Facilities: Physical Attack Scenarios……………………………………………………………104
IT Systems: Logical Attack Scenarios …………………………………………………………106
Objectives Identification …………………………………………………………………………………….107
First Principles ………………………………………………………………………………………………….108
Observation Principle…………………………………………………………………………………108
Response Principle …………………………………………………………………………………….109
Timeliness Principle…………………………………………………………………………………..109
Preparedness Principle………………………………………………………………………………..110
Economy Principle ……………………………………………………………………………………. 111
Maintenance of Reserves (Coverage) Principle ……………………………………………….112
Redundancy Principle ………………………………………………………………………………..113
Least Privilege Principle……………………………………………………………………………..114
Commonality Principle……………………………………………………………………………… 115
Conclusion……………………………………………………………………………………………………….116
8 Layer upon Layer (Defense in Depth) ……………………………………………………………. 119
Introduction…………………………………………………………………………………………………….. 119
Defense-in-Depth Objectives Identification …………………………………………………………..121
Information Environments………………………………………………………………………………… 122
Threats …………………………………………………………………………………………………………… 122
Environmental Objectives…………………………………………………………………………………. 123
In-House Objectives ………………………………………………………………………………… 123
Limited and Controlled Boundary Access Points………………………………….. 123
Effective Logging, Detection, and Alerting Capabilities ………………………….125
Operational Excellence for Security Controls………………………………………. 126
Superior Personnel Supervision, Training, and Skills Management………….. 127
High Assurance Identity Management………………………………………………… 127
Timely Incident Response and Resolution…………………………………………… 128
Shared-Risk Environments………………………………………………………………………….129
Hosted Objectives……………………………………………………………………………………..129
Consumer Scenario……………………………………………………………………………129
Provider Scenario………………………………………………………………………………132
Hybrid Objectives……………………………………………………………………………………. 136
Consumer Objectives……………………………………………………………………….. 136
Provider Objectives……………………………………………………………………………139
Conclusion……………………………………………………………………………………………………….141
9 Did You See That! (Observation)……………………………………………………………………143
Introduction……………………………………………………………………………………………………..143
Observation Objectives ………………………………………………………………………………………144
Observation Elements………………………………………………………………………………………..145
Reconnaissance …………………………………………………………………………………………145
Sentry ……………………………………………………………………………………………………..146
Physical Security……………………………………………………………………………….146
IT Security……………………………………………………………………………………….149
Alarming………………………………………………………………………………………………….152
Command………………………………………………………………………………………………..154
Summary ………………………………………………………………………………………………… 155
Drivers and Benefits for Excellence in Observation…………………………………………………156
Observation Challenges ……………………………………………………………………………………..157
Success Factors and Lessons Learned ……………………………………………………………………158
Reconnaissance…………………………………………………………………………………………158
Surveillance………………………………………………………………………………………………158
CCTV Surveillance Lessons Learned……………………………………………………159
Physical Detectors Lessons Learned ……………………………………………………..159
IT System Security…………………………………………………………………………………….159
IT System Security Lessons Learned…………………………………………………….159
Excellence in Observation Control Objectives……………………………………………………….160
Reconnaissance …………………………………………………………………………………………160
Surveillance………………………………………………………………………………………………160
Event Detectors…………………………………………………………………………………………161
Pattern and Anomaly Detectors …………………………………………………………………..163
Conclusion……………………………………………………………………………………………………….165
10 Trust but Verify (Accountability)……………………………………………………………………169
Introduction……………………………………………………………………………………………………..169
Unmatched Value of Accountability……………………………………………………………………..169
Comprehensive Accountability Challenges ……………………………………………………………172
Identity Challenges ……………………………………………………………………………………172
Audit Challenges……………………………………………………………………………………….173
Best Uses for the Accountability Tactic…………………………………………………………………174
Comprehensive Accountability Identity Objectives…………………………………………………175
Identity Control Requirements for Accountability………………………………………….176
Domain and Local Account Management…………………………………………….176
Name Collision…………………………………………………………………………………176
Identity Retention……………………………………………………………………………………..178
Identity Verification …………………………………………………………………………………..179
Local System Accounts……………………………………………………………………………….180
Shared Accounts ……………………………………………………………………………………….181
Comprehensive Accountability Audit Objectives……………………………………………………182
Current State ……………………………………………………………………………………………182
Audit Requirements for Accountability…………………………………………………………183
Domain and Local Audit Management………………………………………………..183
Complete …………………………………………………………………………………………184
Temporal …………………………………………………………………………………………185
Consistent………………………………………………………………………………………..185
Relevant…………………………………………………………………………………………..185
Understandable…………………………………………………………………………………186
Simple……………………………………………………………………………………………..186
Sequential ………………………………………………………………………………………..186
Correlated………………………………………………………………………………………..187
Tamperproof…………………………………………………………………………………….187
Traceable………………………………………………………………………………………….187
Retained ………………………………………………………………………………………….188
Conclusion……………………………………………………………………………………………………….188
11 SDL and Incident Response…………………………………………………………………………..189
Introduction……………………………………………………………………………………………………..189
Terms Used in This Chapter ……………………………………………………………………….190
Security Development Lifecycle (SDL) Overview……………………………………………190
Security Incident Response Overview …………………………………………………………..191
Tactical Objectives…………………………………………………………………………………….193
Elements of Application Development and Response ………………………………………195
Application ………………………………………………………………………………………………………195
Phase 1: Requirements ……………………………………………………………………………..196
Phase 2: Design ………………………………………………………………………………………197
Threat Modeling ……………………………………………………………………………….197
Phase 3: Development ……………………………………………………………………………..197
Phase 4: Verification ………………………………………………………………………………..197
Phase 5: Release ………………………………………………………………………………………198
Phase 6: Support/Service ………………………………………………………………………….198
(SDL)2: Software as a Service Extensions (SaaS)……………………………………………………198
Security Development Lifecycle Drivers and Benefits ……………………………………..199
Security Development Lifecycle Challenges…………………………………………………. 200
SDL Success Factors and Lessons Learned …………………………………………………… 202
Application Control Objectives………………………………………………………………….. 203
Observation/Recognition ………………………………………………………………….. 203
Passive Detection Control Objectives………………………………………………….. 204
Active Detection Control Objectives…………………………………………………… 204
Transition Objectives ……………………………………………………………………………………….. 209
Common Collection and Dispatch…………………………………………………………….. 209
Transition Drivers and Benefits…………………………………………………………………..210
Transition Challenges ………………………………………………………………………………..211
Transition Success Factors and Lessons Learned …………………………………………….212
Lessons Learned………………………………………………………………………………..212
Transition Control Objectives……………………………………………………………………..212
Rapid Response…………………………………………………………………………………………………214
Incident Response Procedures ……………………………………………………………………..215
Automated Responses………………………………………………………………………………..217
Nonincident-Related Response Procedures (Reporting)…………………………………..218
Reporting as a Response……………………………………………………………………………..218
Rapid Response Drivers and Benefits ……………………………………………………………219
Response Challenges………………………………………………………………………………….221
Response Success Factors and Lessons Learned………………………………………………221
Response Control Objectives…………………………………………………………………….. 223
Conclusion……………………………………………………………………………………………………… 223
12 Keep Your Enemies Closer…………………………………………………………………………….225
Introduction……………………………………………………………………………………………………. 225
Hire a Hacker Objectives ………………………………………………………………………………….. 227
Offensive Objectives ………………………………………………………………………………… 227
How to Use This Tactic for Offense……………………………………………………………. 228
Defensive Objectives ………………………………………………………………………………… 229
How to Use This Tactic for Defense……………………………………………………………. 230
Summary …………………………………………………………………………………………………231
The Hire a Hacker Controversy…………………………………………………………………………..231
Success Factors and Lessons Learned ……………………………………………………………………233
Control Objectives …………………………………………………………………………………………….233
Countering Insider Threats (Malicious Insider)…………………………………………….. 234
Competent Supervision ……………………………………………………………………………..235
Supervisor Attributes ……………………………………………………………………….. 236
Supervisory Attributes ……………………………………………………………………… 238
Employee Screening…………………………………………………………………………..241
Target Retaliation ……………………………………………………………………………………..245
Target Deception ………………………………………………………………………………………247
Malicious Code Implantation ……………………………………………………………. 248
Conclusion……………………………………………………………………………………………………….251
13 Hire a Hessian (Outsourcing)………………………………………………………………………..253
Introduction……………………………………………………………………………………………………..253
Security in the Outsourcing of IT Services…………………………………………………………… 254
Outsourcing Pros: Benefits………………………………………………………………………..255
Outsource Cons: Challenges……………………………………………………………………..255
Success Factors and Lessons Learned…………………………………………………………….256
Outsourcing Control Objectives ………………………………………………………………….257
Security in the Outsourcing of Security Services …………………………………………………….261
Commonly Outsourced Services………………………………………………………………….261
Security Auditing………………………………………………………………………………261
Penetration Testing, Vulnerability Assessment……………………………………… 262
Systems Monitoring …………………………………………………………………………. 262
Incident Support……………………………………………………………………………… 263
System Management/Administration………………………………………………….. 263
Security Officer Services…………………………………………………………………… 263
Outsourcing of Security Services Objectives………………………………………………… 264
Challenges to Outsourcing Security Services…………………………………………………265
Success Factors and Lessons Learned ………………………………………………………….. 266
Outsourcing Security Services Control Objectives………………………………………….267
Maintain the Confidentiality of Results………………………………………………..267
Prevent the Disclosure of Events………………………………………………………… 268
Preserving Evidence …………………………………………………………………………. 269
Avoiding Retention/Discovery Liabilities…………………………………………….. 269
Elevated Privilege and Intellectual Property Loss ……………………………………270
Conclusion……………………………………………………………………………………………………… 272
14 Security Awareness Training …………………………………………………………………………275
Introduction……………………………………………………………………………………………………..275
Staff Development Training………………………………………………………………………………. 277
General Staff Security Training………………………………………………………………….. 277
Security Staff Training……………………………………………………………………………… 278
Security Staff Training Requirements …………………………………………………………. 279
Security Awareness Training ……………………………………………………………………………… 280
Awareness Training Objectives ………………………………………………………………….. 280
Awareness Training Elements…………………………………………………………………….. 282
Awareness Training Drivers and Benefits …………………………………………………………….. 283
Industry Training Trends and Best-Practices Examples………………………………………….. 284
Training Resources…………………………………………………………………………………………… 286
Awareness Training Challenges………………………………………………………………………….. 289
Success Factors and Lessons Learned…………………………………………………………………….291
How Do You Know if Your Training Is Successful? ………………………………………………. 292
Conclusion……………………………………………………………………………………………………….293
References…………………………………………………………………………………………………………..295
Appendix ……………………………………………………………………………………………………………303
Physical Security Checklists ………………………………………………………………………………. 303
Index………………………………………………………………………………………………………………….313
Acknowledgments
The authors wish to thank the following people for their hours of reviews, suggestions, and encouragement throughout the process of putting this book together.
Greg Gwash
Elaine Oksendahl
Dave Komendat
Carl Davis
Tim McQuiggan
Lt. Col. Thomas Stackpole, U.S. Army
Dave Cook
Butch Moody
Verdonn Simmons
Peter Oksendahl
Patrick Hanrion
A special thank you to Jennifer Reed who taught Bill's science class for six weeks so he could finish the book, and to Tim Lorenz who graciously gave him the time off.
Introduction
"I need you to find a way to keep compliance from putting us out of business!"
Ron Markezich, Corporate Vice President, Microsoft Online
Security as a business: what a concept! And to many security professionals it's a concept that few have had time to consider or have needed to consider. Compliance changed all that; it pushed information security into the executive suite where it's not only a jail sentence but a huge drag on the bottom line. Combine that with a major economic downturn and one has a lot of incentive to make security a value proposition. Both of us have watched this requirement develop in corporations and have witnessed security professionals struggle to get a handle on what it means to be a valued business partner.
We see two recurring themes: first is the lack of good business processes on the security side and second, a diminished understanding of the value of security on the executive side. It is these two issues that have inspired us to write Security Strategy: From Requirements to Reality. Our primary goal in writing this book is to teach security leadership and security practitioners how to select, develop, and deploy a security strategy appropriate to their organization. Our secondary goal is to support the implementation of strategic planning initiatives, goals, and objectives with a solid set of security tactics. It is also our hope that executive managers, marketing, and other business units will use this book to better understand the value security brings to the organization in the compliance-centric 21st century.
Businesses cannot survive in today's marketplace without information technology (IT), and IT cannot survive in today's computing environments without security. Today's leading companies are those that have solved the security conundrum and learned to leverage security to promote innovation, grab market share, and enhance brand. When Microsoft was being flogged by the industry for poor security, Bill Gates created a trustworthy computing initiative that united the company behind a single strategic goal: "to focus our [Microsoft's] efforts on building trust into every one of our products and services." In less than 10 years Microsoft propelled itself from whipping boy to market leader through innovation, commitment, and solid strategic planning. One of Microsoft's key initiatives was to consolidate security services into a single customer-facing entity (the Microsoft Security Response Center). This is a strategy that we see as critical to the future success of security management. There should be one person to contact, one number to call, one website to visit, and one operations group to receive and respond to security events. It should never be the customer's responsibility to figure out who to call while dealing with a difficult or emergency situation.
We also believe in building a culture of security. Employees are your first line of defense; none of them leave their houses in the morning without locking the door, and none of them should leave their worksites at night without locking their computer and sensitive documents away. If you really want your employees to be your first line of defense, you need to teach them how, and you must be readily available, helpful, and responsive when they call. When the quality of Ford products began to diminish, the company moved Quality Assurance from a business unit to a business culture. Quality became job one for everyone working at the company from Bill Ford's Quality Council to the autoworker at the St. Paul assembly plant. This is our view of security; it is job one for every employee, and it needs to be promoted as such.
The challenges are substantial but not insurmountable. It will require a lot of effort on the part of the security group to build the strategic planning skills required, and it will take a fair amount of forbearance on the executive management side as things stumble forward. But the end results in cost reductions, brand enhancement, and operational efficiency are well worth the effort. Let's get started!
Approach
This book presents business strategy for security groups and tactics for implementing that strategy. It is unique in its approach because it focuses entirely on security strategy planning and execution. The book is about finding the strategy that works in your organization, building it, and implementing it to see real results. You won't find any point solutions here, no silver bullets, no magic formulas. What you will find is a comprehensive look at the structures and tools required to build a security program that really does enable and enhance business processes in your organization. The book is based on our experiences in working with large security groups to build and implement strategic plans and tactical solutions, but the book is equally applicable to smaller organizations looking for long-term security solutions.
We have divided the book into two parts. The first part is about business strategy. Although it is security-centric, executive managers reading this portion of the book will totally understand it. The second portion of the book is about tactics, the means needed to implement strategy. Security professionals will completely understand this portion of the book. The real value for both groups of readers will be reading the portions of the book that are not familiar to them. It is our hope that in so doing a viable synergy will develop between the two groups, one that allows security to take its place as a valued partner and contributor to the success of the enterprise.
Much of the security conundrum organizations find themselves in didn't develop overnight; it has been a long time in the making. While corporate (facilities) security is a long-standing discipline, information security, especially in the network arena, is a relatively new discipline, one that has been in an almost nonstop fight against an onslaught of attacks and a continuously changing landscape. It has taken time to develop the tools, processes, and skills needed to build effective security solutions. Although much remains to be done, the security industry has finally found itself in a place where it can begin to be proactive. A major part of that proactive effort is learning how to become a full-fledged partner in the business.
Security must become part of an organization's standard business processes and a partner in the promotion and profitability of the business. For years security professionals have been talking about how security enables the business; well, now it's time to step up and prove it. So roll up your sleeves, bolt on your armor, and get ready for some giant-killing ideas. Welcome to the business of security.
SIDEBAR: HOW TO READ A BUSINESS BOOK
1. Decide, before you start, that you're going to change three things about what you do all day at work. Then,
as you're reading, find the three things and do it. The goal of the reading, then, isn't to persuade you to
change, it's to help you choose what to change.
2. If you're going to invest a valuable asset (like time), go ahead and make it productive. Use a Post-it or two,
or some index cards or a highlighter. Not to write down stuff so you can forget it later, but to create marching orders. It's simple: if three weeks go by and you haven't taken action on what you've written down,
you wasted your time.
3. It's not about you, it's about the next person. The single best use of a business book is to help someone
else. Sharing what you read, handing the book to a person who needs it, pushing those around you
to get in sync and to take action, that's the main reason it's a book, not a video or a seminar. A book
is a souvenir and a container and a motivator and an easily leveraged tool. Hoarding books makes
them worth less, not more.
Seth Godin
Terms Used in This Book
Business unit: To eliminate confusion between the organization as a whole and the business
suborganizations such as departments and divisions, the term business unit has been chosen
to refer to these suborganizations.
Consumer/Customer: The terms consumer and customer are used in a general sense. These
terms include those external entities that purchase products or use services from the organization as a whole, as well as those external or internal entities that use the services of a
business unit within the organization, for example, business units that use security services
and/or products and are subject to security governance.
Core Competencies: Core competencies are the specific strengths of an organization that
provide value in a market space.
Core Values: Core values are the operating principles that guide an organization's conduct
and relationships.
Corporate security: The terms corporate, physical, and facilities security refer to the group
that manages the security of physical assets such as facilities, equipment, and inventory.
Corporate security is typically responsible for surveillance, building access controls, security
officers, loss prevention, and associated events.
IT security: IT security refers to the group that manages the security of information assets
stored, processed, and transferred on computer-based technologies. IT security is typically
responsible for the confidentiality, integrity, and availability of digital information, compliance with statutory, regulatory, and industry requirements, and business continuity/disaster
recovery planning for IT services.
Organization: This term, used in a generic sense, refers to for-profit and nonprofit businesses
(companies, corporations, and enterprises) and government entities/agencies.
Security: This book takes a holistic approach to security, so the terms security and security
group encompass both corporate and IT security functions.
Security group: To eliminate confusion between the organization as a whole and the security
suborganization, the terms security group or security function have been chosen to refer to the
security suborganization.
Stakeholder: A stakeholder is a party who is or may be affected by an action or actions taken
by an organization, for example, employees, managers, board members, shareholders, customers, contractors, vendors, and partners.
Preface
The CEO looked up from his desk and said, "I'm sure you are all aware of our plans to form a
joint venture with Coral Reef; this is a great opportunity for us but to be honest I have some real
concerns about it. If you will pardon the pun, these guys are some real sharks. If we give them
access to our network, they could steal us blind. I need you guys to tell me what the risks are."
The CIO looked over his shoulder, "Matt?" With a slight grin, Matt, the CSO, replied, "There's
no additional risk sir; we'll set up a SharePoint site for the project and that's the only thing they'll
have access to." The CEO was about to express his delight when the CFO interrupted, "Well that
might be true for remote access, but what about when they're here on campus?" "It's not any different," Matt replied, "Their laptops aren't part of our domain so they can't connect to any of our
systems except e-mail, Instant Messenger, Web conferencing, and the project SharePoint." "But
won't they look like one of our employees if they have e-mail and IM accounts?" asked the CFO.
Matt replied, "Nope, all external parties have identities that start with F dash and their badges
have a different color so our employees know they are foreigners." The CFO continued, "But
they will have access to our offices and workspaces; isn't that a risk?" "There's always a risk that
someone might go snooping around, but our identity and building access control systems are tied
together. They will only have access to the buildings they will be working in, and we can track all
other access attempts. We run a weekly report of all F dash building and computer accesses just to
make sure they are behaving. If we suspect they aren't, we can always review the video surveillance
to see what they were up to," Matt replied. "But they could still steal stuff!" the CFO exclaimed.
Matt replied, "Yes they could, but not for long! They'd be violating the security policy they agreed
to uphold and that's reason enough to send them packing." "Thank you gentlemen, I believe we're
good to go," said the CEO as he dismissed the meeting with a smile and a hint of disbelief. Was
his security really that good?
The answer is yes. In three short years, Matt had managed to build a security program that not
only protected the company's assets but also anticipated the company's future business requirements and security needs. And he did it with a modest capital investment and no increases in
operational costs. Impossible, you say! Not at all. Matt was able to save a substantial amount of
money by converging the facilities and information security groups into a single team and converting older expensive video and building access controls technologies to IP network-based devices.
He used these savings and the reductions in operating costs to train and cross-train his staff to
improve effectiveness and coverage. He also got capital monies to make improvements to the identity management system and to implement some new control technologies.
Successes like this are rare in the security community, so how did all this come about? Security
strategy. Matt took the time to analyze the company's vision, goals, and business strategies, and
then he sat down with the key stakeholders to identify existing issues, understand their goals, and
learn what their expectations were for security. Next, Matt (with the help of his team and these
stakeholders) created a three-year Security Strategic Plan aligned with and supporting the overall
business strategy. Finally, he went out and sold that plan, implemented it, and demonstrated security's value to the business.
Security strategy is the missing gem in many security programs. It's not a common skill set
among security practitioners and there isn't a lot of guidance on how to do strategic planning for
security management. It was the authors' goal to remedy that situation by providing you with a
practical set of tools and guidance to get you started down the planning path (Section I) and to
help you build the processes and controls for implementing that plan (Section II).
There are a large number of strategic planning methodologies; trying to cover them all would
be unrealistic. Fortunately, they all follow a similar pattern so we have addressed those components and compiled an exhaustive set of references you can use to further study the method you
settled on for your company.
It is our sincere hope that this book will contribute to your success and make the practice
of security strategic planning a common discipline in the industry. Welcome to security as a
business!
Bill Stackpole
Eric Oksendahl
Authors
William "Bill" Stackpole, CISSP/ISSAP, CISM, former Principal Security Architect for Microsoft
Online Services, has more than 25 years of IT experience in security and project management.
In his past position, Bill provided thought leadership and guidance for Microsoft's Secure Online
Services Delivery architecture. Before coming to Microsoft, Bill was a principal consultant for
Predictive System, an international network consultancy where he was the architect and promoted
the application security business. Bill holds a B.S. degree in Management Information Systems,
a CISSP with an Architecture Professional endorsement. He is coauthor of Software Deployment,
Updating, and Patching (Auerbach, 2007) and a contributing editor to Auerbach's Handbook on
Information Security Management (Krause and Tipton). Bill is a former chair for the CISSP Test
Development Committee and a current member of the (ISC)2 Common Body of Knowledge committees for the CISSP and ISSAP certifications.
Eric Oksendahl, former Security Strategist for Boeing, has more than 25 years of experience as
a business management consultant, senior facilitator, teacher, and program manager. At Boeing,
Eric facilitated strategy development and implementation for the Security and Fire Protection
division, including physical and information security. He designed and coordinated the use of
strategy development and initiative deployment to integrate security practices into key business
processes (e.g., international sales campaigns). Prior to that, Eric was a program manager at the
Boeing Leadership Center where he conducted leadership development courses around the world
that included Boeing management, supplier management, and customer management. Eric holds
a B.A. from Montana State University and an M.A. in Communications from the University of
Washington.
Section I
STRATEGY
This section of the book is about the selection, creation, and implementation of security strategy.
Strategy is planning in any field: a carefully devised plan of action to achieve a goal, or the art of
developing or carrying out such a plan long term (a year or more). In other words, a strategy is a
plan for what work will be done and by whom.
Strategic planning is a discipline designed to encourage long-term thinking about an organization. Strategy is a creative act that combines both analysis and creative choices in future actions;
it utilizes a structured process to create a formal, integrated enterprise plan. A strategic plan is
NOT a tactical roadmap. However, strategic planning is both strategy development and implementation. Strategy realization requires leadership throughout all phases of the strategic planning
process, which includes performance, monitoring, evaluation, and adjustment.
Although strategic planning tries to anticipate possible future environments in which the
organization will be functioning, it does not attempt to make day-to-day operational decisions.
Without well-executed implementation plans, strategy efforts remain, at best, wishes. Security
managers must still manage and make decisions on a daily basis using good judgment, while
retaining a sense of future direction. Some of these day-to-day decisions will cause a rethinking
of strategic direction. This is normal and does not negate the need for a robust strategic planning
process. There will be multiple planning iterations, and strategic plans may need to be adjusted
to accommodate emergent strategic objectives. The roller-coaster ride of life's exigencies does not,
however, cancel the need for good strategic planning.
Chapter 1
Strategy: An Introduction
If you can't describe your strategy in twenty minutes, simply and in plain language,
you haven't got a plan. But, people may say, "I've got a complex strategy. It can't
be reduced to a page." That's nonsense. That's not a complex strategy. It's a complex
thought about the strategy.
Larry Bossidy
Chairman, Honeywell International
Strategic Planning Essentials
Can you describe your current strategy in a clear, compelling manner in less than 20 minutes?
Behind every compelling description of strategy that a CEO, CFO, CIO, CSO, or any other
corporate executive might present is a strategic planning process. There are several basic elements
and core principles in a strategic plan. The following is a brief overview of the basic elements;
each of these elements and their subelements will be discussed in greater detail in the subsequent
chapters.
1. Preparation to Plan: This element includes allocation of essential resources, coordination
of personnel, and clear RAA (responsibilities, accountability, and authority) for the planning
process. Herein lies the crucial first step of strategic planning requiring discipline, focus,
and a willingness to ask tough questions while organizations prepare to face uncertainties,
consider new possibilities, and decide on fundamental change. First efforts in strategy aren't
perfect, but one should prepare to plan anyway. This is the first step of many little steps to
follow in planning. You may want to engage an outside facilitator at the very beginning if
you haven't done much strategic planning as a group.
2. Big Picture Renewal/Creating a Strategic Foundation: Here the cornerstones of any strategic plan are set, vision and mission are clarified, and reviews and analysis are conducted
on data from environmental scans or other sources. Internal and external examinations are
completed as an organization seeks to understand and prioritize influences and opportunities.
Here also is where the hard questions you have prepared in planning get asked, questions
such as "Where do we want to play?" "What do we do best?" "What is our business?" "What
are critical success factors?" "How will we communicate our plan and to whom?"
3. Strategies and Actions or Focusing the Plan: This is where the steps for how an organization will reach its vision are created. This may include elements like strategic objectives, goals,
initiatives, actions, and/or critical success factors for getting there. Here is often where strategy
maps or other tools help refine plans, prioritize requirements into specific goals, and link them
to measures and initiatives. The goal of this stage is to map elements of strategy into daily
operations. This is where the operational business plans are linked to overall strategic direction.
This is where business goals, operational objectives, action plans, and performance measures
are linked together. If an organization is not successful here, many groups may not understand
how strategy impacts their organization, and, in fact, they may work at cross purposes. At
this stage, it is imperative to tie together strategic goals, improvement objectives, action plans,
and key performance measures. These will work together to guide an organization during the
implementation of strategic plans. This element, too, is where a security group must relate
overall business strategy to operations strategy and tactical objectives to tactical action plans.
4. Implementation Schedule: Typically, the implementation schedule is prioritized with
specific RAA as the steps for implementation are determined. A schedule is documented
with start, milestone, and completion dates for each major strategy. Strategic actions are
linked to individuals with time frames and budget allocations.
5. Metrics for the Plan: The measures are created that will ensure the organization is headed
in the right direction and determine whether it is successfully implementing the strategic plan. Metrics are integrated into a foundation for the business plan. The business plan
should be linked to key performance metrics and compensation and, finally, integrated into
a balanced scorecard or some other tracking document for regularly scheduled reviews.
Metrics are acknowledged to be an important requirement for success, both strategically
and operationally, but are often ignored. Several levels of good metrics are usually required
for effective strategic planning. The top-level metrics that executive leadership consider are
the roll-up enterprise dashboard or balanced scorecard metrics that usually entail key compliance and risk indicators, as well as key performance indicators such as return on investment (ROI), resource management, value delivery, and response times. As strategic plans
move into initiatives, goals, specific objectives, and the like, obviously the metrics grow more
specific and detailed to the organization and objectives as objectives become organizational
tactics. Typically, security metrics are fashioned from two main sources, strategic initiatives
and external standards required by audit results. Often, as a security group moves from a
reactive posture to more of a planned posture, metrics from external standards will become
a subset of strategic security metrics. Security metrics will become defined by strategic goals
and not just audit results. (Eric watched a security group get hammered by audit results for
two years. It was a lot better when the group came up with a successful strategic plan!)
Metrics that work to move a strategic initiative forward are not easily attained.
Take, for example, the discussion on cloud-based security metrics in a recent article in CSO
magazine, "Clear Metrics for Cloud Security? Yes, Seriously," by Ariel Silverstone, CISSP.
In her article she discusses the difficulty of developing metrics for the storage availability
and integrity of Cloud utilization-type initiatives. Her conclusion is that only time will tell
whether data from/in the Cloud will be deemed trustworthy by such metrics.
Typically, as processes improve and organizations learn from each round of planning,
metrics will become more specific, useful, and relative as success indicators. Metrics are a
difficult issue to manage in the strategic planning process. These difficulties include linking
strategic objectives with the key metrics and establishing the feedback loops required to effectively monitor the progress (success or failure of those objectives). The Information Security
and Control Association (ISACA) recommends performance measurement monitoring and
reporting on information security processes to ensure strategic objectives are achieved.
The performance metrics that ISACA recommends for IT security typically concern measures like number of incidents, number of systems where security requirements are not met,
response times, violations, types of malicious codes, security incidents, unauthorized IP
addresses, port and traffic types denied, access rights authorized, revoked, reset, or changed,
and so on. You will find a number of examples of these types of metrics in the chapters of
this book on tactics.
Captured metrics should also include the less quantifiable, but equally important, people
aspects of security such as badging, social engineering, and workplace violence. IT metrics
must also capture the harder-to-capture people aspects of computing such as sabotage, data
theft, and misuse of computing resources. These statistics can be much harder to gather,
quantify, and assess, but they are key issues IT security must face. This is made even more
difficult in organizations where corporate and IT security are managed by different stovepiped functions in the organization and data are not rolled up into a common knowledge
base. Good performance metric determination, monitoring, and assessment help inform
and lay the foundation for the next cycle of strategic planning.
6. Communication Plan Enacted: A communication plan is put into effect, including clear
communication strategies and dissemination plans for each predetermined target audience.
Key messages, executive summary, and strategy documents are created, and the implementation plan is scheduled, with clear benchmarks established for evaluating success. Tactical
objectives are employed throughout the organization and measured for success.
7. Completion: Results of the strategic planning cycle implementation are analyzed, and the
lessons learned are incorporated into following planning cycles. Here is where unanticipated
consequences, as well as unrealized and emergent strategies, should be reviewed, and key
performance indicators and metrics refined. Often, while one strategic planning cycle is in
completion, another planning cycle is being implemented, and perhaps plans are made for a
following one.
Strategic Planning Process Evaluation
EXERCISE 1.1
If you are reading this book, it is likely that you are already part of a security group. To help you better understand where strategic planning fits into the security management process, we have devised
this short self-assessment quiz. Before you continue reading, take a few moments to reflect on your
current organizational status quo by answering the following questions:
1. Where is your security group spending the majority of its time right now, working to create
change or reacting to change?
2. In the past year have you spent more time chasing situations or implementing your strategic
goals and objectives in a systematic manner?
3. Is security viewed as a separate functional business unit or as a partner who contributes to the
success of the overall strategic plan for your organization?
4. Do other parts of your organization consider you to be an enabler of organizational business
strategies or a roadblock?
5. Do you have plans in place for possible changes in the marketplace so that you will be able
to quickly course-correct?
6. Can your security leadership articulate a clear business purpose and function that the leadership of your organization understands and accepts?
7. What opportunities does the security group have now that it didn't have a year ago?
8. What problems or unintended consequences has your security group created for itself?
9. Are your corporate and IT security functions integrated around your organization's business
needs or functioning as related organizational stovepipes?
10. How's your security group skill set depth (bench-strength) in strategic planning and
implementation?
11. Is your security group better prepared to do analysis, planning, and implementation of your
strategic plan than it was last year?
12. Are you quicker at all three functions?
13. What information and knowledge did you uncover last year that you didn't know you needed
to know?
14. How good have you been at implementing your strategic plan this year? By what measures?
15. Are your metrics for implementation of your strategic plan better than they were the year before?
16. Are your metrics clearly linked to strategic goals?
17. Is your security group in regular conversation with the other functions of the organization to
improve relationships and better understand business objectives?
Answering these questions may help you focus in on the concepts in this book that will be most
useful in your security group. As you answered these questions, a number of organizational challenges undoubtedly came to mind. Here is a partial list of ongoing challenges for security groups:
Economic uncertainties and limited security funding
Stricter statutory and regulatory compliance requirements
Increased audits and audit requirements
Outsourcing and cloud-based service risks
A growing number of application breaches
A need for better tracking of incident responsiveness and resolution
Increased needs for third-party risk assessments and penetration testing
Stricter privacy requirements in every aspect of business (including increasingly complex customer relations management systems that now reach throughout an extended enterprise)
If that isn't enough pressure, at the same time strategic planning cycles need to be shorter in
order to be responsive in much of organizational life. Cycles are shifting from years to months,
months to weeks, weeks to days, and days to hours. Shorter cycle times for strategic thinking create a demand for leadership that understands not only the basics of strategic planning, but also the
art of working within the organizational culture.
Now is the time to be preparing your organization's strategic plan and response or to adjust
the plan you already have in place. Security is a function that requires good strategic leadership
capable of setting strategy, communicating vision, and leading passionately. With strong strategic
planning and execution skills, security will more likely be seen as a key enabler of business.
Security Leadership Challenges
Today, security leadership has to face new challenges every day in an environment that seems to
present increasing unpredictability in economics, technology, and global threat trends. Absorbing
new information that is produced at ever-increasing speeds, while coordinating the protection of
people, property, and information on a day-to-day basis, is at the very least challenging, at the
worst overwhelming. How enterprise leaders learn to cope, adapt, and process information is
helped to some degree by new software and technology applications, but even that produces more
data that have to be understood and acted upon.
Today's business environment demands security executives with keen business savvy, solid risk
management fundamentals, and a whole systems understanding of the organization within which
they focus. The current business reality is that security groups must balance the security needs of
an extended enterprise that includes all elements in a value stream they support (from customer
requirements to company processes and supplier inputs), while also meeting the requirements of
an ever-increasing number of governance and regulatory agencies.
The role of security governance, ever-increasing compliance requirements, and the demands
of effective integration of sound security practices into business processes and risk management
efforts, requires strong leadership and the ability to communicate well beyond traditional business
stovepipes. A holistic security management approach is required to create a comprehensive security
strategy that aligns security goals with corporate/organizational goals. In addition, it is imperative
for organizations that want to resolve ongoing security issues to engage multiple stakeholders in
an effort to create a security-conscious culture.
The business case for enterprise security architecture has already been well made. Organizations
need to develop and implement a security strategy that is integrated with the enterprise strategic
plan. Good security strategy requires:
Having the time and perseverance to plan
Continual alignment of the plan with emerging business requirements
An ability to design and implement an architecture supporting the plan (along with processes
and policies required to implement and enforce the plan)
Reporting and measurement methodology to track the plan
Specific metric indicators of the plan's success or failure
Despite their importance, these key elements remain hard won and elusive for many organizations. Strategic planning is becoming increasingly important in a hypervelocity world. Thinking,
planning, and moving quickly while controlling risk are essential skills. Today's security leadership must be able to continuously demonstrate the business acumen needed to move from concept
to endgame for new business initiatives.
Getting Started
Strategic planning is essentially a process of gathering and analyzing information and envisioning
ways to act on that information to better the business. It begins by understanding where the
security group is, how it functions, within your organization. The fundamental question concerning security that must be asked is as follows: Is security simply a servant of a corporate, organizational, or business strategy, or does it serve a greater purpose?
In many organizations, people inside and outside of security would answer this question with
a resounding "Yes, it is simply a servant!" Their primary rationale: Security is a service provider
within the organization, and services are not a source of strategic guidance for an organization.
That being said, there are certainly many people inside security groups who are not only willing
but more than capable of providing organizational strategic input, even if they are not a formal
part of the organizational strategic process.
EXERCISE 1.2
If you haven't already read every organizational strategic plan you can get your hands on, get started
now! If you are going to build a successful security strategy, you need to get a sense of the big picture
in which your organization functions.
Value Proposition
From a systemic perspective, a secure workforce, secure facilities, and well-protected information
resources are actually part of the organizational brand, both product and service. The security of products and services is now part of the organization's promise to the marketplace, enterprise stakeholders, and shareholders. It is imperative that organizations deliver on that promise, or they will soon
become irrelevant. Organizational strategic planning can readily benefit from the security practitioner's viewpoint. Whether security is part of the organizational brand or has developed its own brand,
it must be part and partner in the organization's strategic discussions. Brand is critical to security
because the process of building a brand helps to convey important fundamentals that link security
explicitly to the intent and promise an organization makes to its internal and external customers.
In the authors' experience, often other organizational functions view security as a roadblock
to efficient business practices. However, leaving the security group out of the strategic planning
process can result in a number of unintended consequences. One example of these unintended
consequences is, perhaps, the decision to outsource back-office types of transactions to sourced
companies in another country without including security in a strategic conversation. While economically that may be the right strategy, several important elements may be overlooked such as
creating vulnerabilities to Personally Identifiable Information (PII) data or providing industrial
espionage opportunities for data mining. There may be easy solutions, at a lesser cost, if security is
included in the original planning, than managing these risks after the fact.
Conversely, if security wants a place at the strategic planning table, it will need to examine the
strengths of its own leadership and answer these two fundamental questions:
1. How can security help the organization achieve strategic goals? In other words, "What
will it take from security to enable the business/organization to get where it wants to go?"
2. How can the security strategic plan be a living document updated periodically to reflect
changes in organizational priorities based on industry trends, marketplace, or emerging
technologies?
The advantages of including security in organizational strategic planning and the Enterprise
Risk Management (ERM) components of strategic planning are:
Better understanding of potential risks in any strategic direction
More accurate planning for budget allocations to manage those risks
Quicker movement in strategic objectives for security integration into product, infrastructure, desktop, and business continuity processes
Other Challenges for Security and Strategic Planning
Another crucial issue for the security group in any organization is: How is the strategic plan (or
portions of an organizational strategic plan) to be developed, updated, and what groups will participate? After the strategic plan is drafted, the fundamental questions of how to communicate,
integrate, align, and update the strategic plan come into play. The bottom line for any security
strategic plan is that other parts of the organization must understand it, or it will be difficult to
achieve effective results protecting the organization's assets (people, material, and information)
at an acceptable cost.
While a business/organization strategy is aimed at organizational vision, purpose, mission,
strategies, execution, and measurement of success, an IT security strategy often focuses mainly
on information security architecture. It is shaped by the organizational goals, environment,
and technical capabilities the business requires in order to achieve its vision. Corporate (physical/
facilities) security strategy focuses on policies and procedures for loss prevention and the protection of people and property. Corporate security is also guided by organizational goals, environment, and technology advances.
Often, issues arise in this natural tension between the organizational business philosophy
(and business architecture) and the more pragmatic aspects of IT architecture. Ralph Whittle
and Conrad Myrick, in a white paper titled "Enterprise Business Architecture: The Formal Link
between Strategy and Results," outline the formal link between architecture and strategy. In their
words, "These bold new enterprises are not building some static, rigid new architecture, with a
moat around the castle. Quite the opposite, they are building fluid, dynamic, integrated architectures capable of evolving with and supporting the corporate strategy." A fundamental requirement
of the integrated architecture is that it must have the capability to evolve, change, and adapt in a
predictive way. The problem for IT architecture achieving this goal, as Whittle and Myrick define
it, is that when it comes to organizational strategic planning and IT strategic planning, most IT
architecture has not been funded or developed to the needed levels. This results in tensions for IT
architecture including, but not limited to:
1. Unclear understanding of business/organizational requirements
2. Inflexible architecture that is unable to respond to environmental challenges
3. Piecemeal local approaches to architecture and security practices rather than integrated
efforts, including lack of corporate and IT security integration
4. Unclear linkage to organizational strategy and metrics for successful implementation, scalability, and usability of security services
5. Piecemeal tactical efforts rather than a systemic architectural approach
6. Unmanaged costs or insufficient funding
7. Ineffective risk management efforts
8. IT security that hobbles the business
Fixing the problems that arise from these tensions is not an effort for the faint of heart. One
of the requirements of security leadership is a well-constructed security strategy that aligns the
strategy, vision, and objectives of the enterprise and answers these questions:
What is the business reason for doing this?
What are we trying to achieve?
How do we enable and support the enterprise achieving its strategic objectives?
Explicit answers to these questions help everyone in the organization, including those involved in
security architecture, to make reasoned decisions for their pieces of the strategic puzzle. Without
clear answers to these questions, it is difficult to acquire the upper management support needed to
advance security strategy. Without explicit upper management support, security efforts are seldom
successful. Gaining this support for strategic efforts is not only a critical success factor, but is often
one of the most difficult things a security leader will do.
When Strategic Planning Should Be Conducted
Strategic planning should be part of organizational planning in the following situations:

When an organization is newly formed.
When reenvisioning is required.
Before and during mergers or acquisitions.
In preparation for a new venture, product(s), or service(s).
When exogenous or outside shocks to your organizational environment require adaptation
or refinement of a potential strategic scenario. (Scenario planning creates more than one
option for an organization to pursue based on future impacts and may require more exploration when an unexpected event drastically changes the environment.)
At the very least, strategic planning should be conducted annually, timed to fit your organization's business planning cycle before monies are allocated for a given year, so that organizational requirements for accomplishing strategic goals and objectives can be funded. Throughout the year there
should be organizational reviews of the strategic planning inputs, adjustments, updated action
plans, and metrics. Strategic planning should be a planned part of organizational life throughout
the calendar year, not a once-a-year, put-a-plan-in-a-binder-and-put-it-on-a-shelf-until-next-year
activity. Security leadership should formally conduct a quarterly review.
Regardless of when your organization is engaged in strategic planning, paying attention to the
language that is used in strategic planning can often help planners understand the organization
and by utilizing new language, transform the organization.
Metaphor Analysis and Strategic Planning
Metaphors reveal how organizations think of themselves and are a window into organizational
culture, attitudes, and beliefs. Metaphors can also be an important tool in transforming organizations and will often appear in the communication strategies for strategic change. A whole literature has evolved around analyzing organizational culture by the metaphors found in the everyday
conversation on how organizations conduct business; an example is Donald Schön's concept of a
generative metaphor. A generative metaphor is an implicit metaphor that can cast a kind of spell
on a community. In an implicit metaphor, the full subject is not explained, but is implied from
the context of the sentence. Much of our daily communication in organizational life contains
implicit metaphoric language. A branch of this literature assumes that one's approach to strategy
is best caught by the metaphors employed in strategic planning sessions.
David Sibbet, president and founder of Grove Consultants International, has worked on strategic
planning with organizations for many years by utilizing story maps that he and his consultants generate from the conversations held among strategic planning groups. Sibbet, in an article titled "Strategizing
with Visual Metaphors," made the following observations about the power of metaphors:
I serendipitously picked up a 2005 article I'd clipped from the Harvard Business Review
called "How Strategists Really Think: Tapping the Power of Analogy." (It's available
for $6.50 through the HBR website.)
Gavetti and Rivkin argue that there is a middle ground between formal, deductive analysis, which works well in information-rich, more mature industries, and trial
and error, almost a necessity in very dynamic, untested emergent industries. Many,
perhaps most, strategic problems are neither so novel and complex that they require
trial and error nor so familiar and modular that they permit deduction. Much of the
time, managers have only enough cues to see a resemblance to a past experience. They
can see how an industry they're thinking about entering looks like one they already
understand, for example. It is in this large middle ground that analogical reasoning
has its greatest power.
The frame of strategy by analogy is different from visual thinking. These labels
are metaphors that provide a framing context that directly affects what a viewer or listener
pays attention to. And within the visual work the choices of what to illustrate, and most
critically, the organizing graphic metaphor and its emphasis, open and close opportunities for engagement, discussion and interpretation.
Over the years we have heard many such metaphors, similes, and strategy analogies in our
work with strategy groups, consultants, and educators. Metaphors can help employees look at
old issues with a new lens or become a compelling new image of how an organization sees itself.
During our careers, we have heard the following metaphors for strategy:

A battle (and other military metaphors)
A revolution
A chess match
Sailing a ship
Sports strategy
A game metaphor
The solving of a puzzle
A city-state, kingdom, domain, or enclave
An organic system
Conducting a symphony
Part of the value chain or system
Sailing a blue ocean, red ocean, purple ocean
BBQ sauce
Pizza
Organizations themselves can also be described by metaphors such as running a tight ship,
part of a family, a dynasty, or parts of the body (e.g., IT is described as the nervous system, management as the brain, etc.). Learning to examine anything through a variety of metaphors often
helps bring new insight and clarity to participants. A strong use of metaphor can galvanize quick
understanding and provide different mental models with which to examine a topic.
Security strategy lends itself particularly well to these metaphors, and we use several in our
own approaches. Bill Stackpole will frame the tactics chapters of this book in the metaphors of
military tactics and enclaves (a distinct political geography, territorial culture, or social unit) and
will discuss the principles behind his use of them. Eric's own favorite metaphor for conducting
strategy sessions remains a "strategy jam" (see Figure 1.1). In fact, a musical jam can get cooking as well when ideas are being generated and integrated. A consulting colleague at Boeing,
Andrew Moskowitz, and Eric conducted several strategy jam sessions for a newly formed group
[Figure 1.1: Strategy jam.]
of support organizations. "Strategy jam" as a metaphor became very useful for conducting strategic planning for several reasons. Let's now examine three of the relevant principles behind the
metaphor "strategy jam."
Need for Responsiveness: In today's environment, older methodologies for conducting
strategy sessions are top heavy, have long lead times, and usually exclude inputs from the
people who have the information and creativity needed for successful strategic planning.
Consequently, these approaches may have little buy-in from employees and usually just end
up as pieces of inert information bound in glossy folders or stored in a database somewhere.
Employees have little knowledge of what's in the strategic plans and even less interest. Next
year when the next round of planning begins, someone will blow the dust off the old plans,
and the process will repeat itself.
Need for Collaboration: Our industries and organizations have been permanently
impacted by Total Quality Management and Productivity-LEAN systems, Process
Management rollouts, and Enterprise Risk Management integration, and we are currently
trying to understand and assess the impact of Security Convergence on our industry. Never
has there been a greater need to engage every ounce of creativity available in our organizations. And yet, for too many organizations, strategic planning remains the province of executives or senior management. The problem is one of participation. When you try to tell or sell
an organizational plan to employees who have had no opportunity to provide their thoughts
and ideas, you get little buy-in, commitment, follow-through, or impact. A strategy jam, on the
other hand, is an ongoing strategic conversation that is flexible, collaborative, and focused.
Need for Adaptive Skills: Creativity and intuition are the main focus when people and
organizations need to adapt their organizational tactics to a Big Picture Vision and/or
changing business model. Adapting and changing directions with continuous adjustments
while executing are important aspects of jamming. This type of strategic jam session most
often occurs in business in new product creation, new divisions, and start-ups. But even in
more traditional strategic planning, there is still an ongoing requirement for these skills in a
more orchestrated context. Ned Herrmann, author of The Creative Brain, puts it this way:
"In the corporation of the future, new leaders will not be masters, but maestros. The
leadership task will be to anticipate the signs of coming change, to inspire creativity."
Lou Gerstner, former chairman of IBM, also referred to the need to be adaptive in strategic
planning when he stated, "You have to be fast on your feet and adaptive or else a strategy
is useless."

"Life is like a band. We need not all play the same part, but we MUST all play in harmony."
Unknown author
It is in that spirit that we approach strategic thinking. Every brain in an organization is part
of the solution; yet, when asked, most managers estimate they were only tapping 20% of available creativity. (In some organizations that might be a little optimistic.) In a strategy jam session,
each instrument has an input. Participants, like musicians in a musical jam session (blues, jazz,
orchestra etc.), need to know the basics of strategic planning (i.e., the notes, chording, and frets of
music), and, at the same time, they must be able to listen to the other musicians, pick up on what
they are playing, and blend into a new creation, while responding to the audience (customers/
stakeholders). So it is in a strategy jam: The players come with an understanding of the basic structures and components of strategic planning, listen to the other players, and create a new direction
for the organization. Our goal for this book is to provide you with the scales and notes of strategic
planning. The artistry and creativity with which those components are applied depend on you and
on your approach to the art of strategy formation and execution and the requirements that match
the organization in which you work. Whether your strategy jam is in the form of jazz, blues, or a
more formal orchestra, it is our hope that you will be engaged, learning, curious, and optimistic.
"Somehow I can't believe that there are any heights that can't be scaled by a man who
knows the secrets of making dreams come true. This special secret, it seems to me, can
be summarized in four Cs. They are curiosity, confidence, courage, and constancy,
and the greatest of all is confidence. When you believe in a thing, believe in it all the
way, implicitly and unquestionably."
Walt Disney
Strategic Planning as a Process
One of the key paradigms or mental models that should be established early in any strategic planning process is that strategic planning is NOT an event; rather, it is a process (ongoing, year round).
Security managers have to know the strategic planning process, take it seriously, and be involved in
integrating the plan into the day-to-day activities of the security group. Remember, the process has to
be linked to next year's budget as well. There are many processes for approaching strategic planning,
and while they may have different steps, stages, or phases, the goal is still to produce a strategic plan
that moves the organization forward in the right direction. For a basic understanding of strategic
planning, perhaps the most widely known model of strategic planning is John Bryson and Farnum
Alston's Strategic Planning for Public and Nonprofit Organizations: A Guide to Strengthening and
Sustaining Organizational Achievement and the companion workbook Creating and Implementing
Your Strategic Plan. In their workbook, the authors outline the following basic process:
1. Identify a strategic planning process that the organization will use.
2. Identify organizational mandates.
3. Clarify the organizational mission and values.
4. Assess the organization's external and internal environments to identify strengths, weaknesses, opportunities, and threats.
5. Identify the strategic issues facing the organization.
6. Formulate strategies to manage these issues.
7. Review and adopt the strategic plan or plans.
8. Establish an effective organizational vision.
9. Develop an effective implementation process.
10. Reasse…

Introduction:

Information technology plays a critical role in today’s world of business operations, and with this, security strategies have become increasingly important to protect the digital infrastructure. The Security Strategy book provides practical concepts that apply to information technology and help organizations safeguard their data and information. Chapters 8 through 13 of this book discuss different tactical concepts that apply to IT, and this assignment requires us to choose one of these concepts, explain it, and provide an example. We will also justify the significance of the principle in IT Strategy and Tactics. In this presentation, we will be discussing the importance of security strategy and sharing some vital tactical concepts to improve it.

Description:

This assignment requires us to create a professional PowerPoint presentation that explains one of the concepts from chapters 8 through 13 of the Security Strategy book. The presentation should contain 10-15 slides and include a title slide and a reference slide. We are free to include pictures, graphs, figures, or charts to help our discussion of the topic, and the final product should be professional in format, as if we are presenting it to upper management.

To complete this task, we need to choose one of the tactical concepts discussed in the book and provide an explanation in our own words. We should also include a relevant example to clarify the concept, and justify its significance in IT Strategy and Tactics. Additionally, we need to find at least one additional reference for each concept we choose. By the end of the presentation, we should have demonstrated an understanding of the critical tactical concepts to improve security strategy in IT, emphasizing why these concepts matter in organizational activities.

Objectives:
1. To understand the different tactical concepts in information technology security strategy
2. To choose a tactical concept and explain it in own words with relevant examples
3. To justify the importance of the principle in IT strategy or tactics
4. To find additional references to support the chosen tactical concept.

Learning Outcomes:
1. By the end of the presentation, learners will be able to identify the different tactical concepts used in information technology security strategy.
2. Learners will be able to select one tactical concept and explain it in their own words with relevant examples.
3. They will be able to justify why the principle is important for IT strategy or tactics.
4. Learners will be able to find additional references to support the chosen tactical concept.

Note: These objectives and learning outcomes will be achieved through the creation of a 10-15 slide PowerPoint presentation on one tactical concept in IT security strategy, including the presentation of examples and justifications, and the use of additional references. The presentation should be professional in format and suitable for an upper management audience.

Heading 1: Introduction
– Brief overview of objectives and learning outcomes.

Heading 2: Tactical Concepts in Information Technology Security
– Overview of the different tactical concepts in IT security strategy
– Explanation of each concept

Heading 3: Choosing a Tactical Concept
– Selection of one tactical concept to focus on
– Explanation of the concept in own words
– Presentation of an example to illustrate the concept

Heading 4: Importance of the Principle for IT Strategy or Tactics
– Justification for why the chosen principle is important for IT strategy or tactics
– Explanation of the benefits or risks associated with the principle
– Presentation of additional references to support the principle

Heading 5: Conclusion
– Summary of the presentation
– Recap of main points
– Explanation of how the presentation aligns with the objectives and learning outcomes.

Solution 1:

One of the important tactical concepts in Chapters 8 through 13 of the Security Strategy book is vulnerability management. This principle involves identifying, assessing, and mitigating vulnerabilities in the IT system to prevent security breaches. It is important for IT strategy and tactics because without an effective vulnerability management program, organizations are more likely to fall victim to cyber-attacks leading to data loss, system damage, and financial costs.

For example, imagine a small business that uses outdated software in its IT system. This software may have vulnerabilities that make it easy for hackers to exploit, leading to a data breach. By implementing a vulnerability management program, the business can identify these weaknesses and take steps to mitigate them, such as updating the software, which reduces the risk of falling victim to cyber-attacks.

One additional reference for vulnerability management is the SANS Institute’s guide on “Effective Vulnerability Management for Improved Cybersecurity”. It provides a comprehensive overview of the vulnerability management process and offers practical tips for organizations looking to improve their vulnerability management system.

Solution 2:

Another tactical concept in the Security Strategy book is access control. Access control refers to the process of ensuring that only authorized personnel have access to sensitive information and resources within the IT system. This principle is crucial for IT strategy and tactics because unauthorized access can lead to data breaches and other forms of cybersecurity threats.

For instance, imagine a hospital that stores confidential patient records in their IT system. By implementing access control measures, the hospital can restrict access to this sensitive data to authorized personnel, such as doctors and nurses. This reduces the risk of unauthorized access to patient data, protecting both the hospital and its patients.

An additional reference for access control is the National Institute of Standards and Technology (NIST) publication on “Access Control”. This publication provides guidance on access control policies, procedures, and technologies, among other things, to help organizations develop effective access control strategies.

Suggested Resources/Books:

1. Security Strategy: From Requirements to Reality by Bill Stackpole and Eric Oksendahl
2. Implementing the ISO/IEC 27001 Information Security Management System Standard by Edward Humphreys
3. NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations by National Institute of Standards and Technology

Similar asked questions:

1. What are the key concepts in IT security strategy?
2. Why is it important to have a security strategy for IT systems?
3. How can we ensure the effectiveness of IT security strategy?
4. What are the types of risks that IT security strategy should address?
5. What are the best practices for developing and implementing IT security strategy?

Explanation of tactical concepts and their importance for IT Strategy:

Chapter 8 in the book Security Strategy: From Requirements to Reality discusses the concept of Risk Management Framework (RMF) for IT security. RMF is a six-step process that helps organizations manage risks and ensure the effectiveness of their security strategy. The six steps are 1) Categorization, 2) Selection, 3) Implementation, 4) Assessment, 5) Authorization, and 6) Monitoring.

Importance of RMF for IT Strategy: RMF is important because it provides a structured approach to managing risks and helps organizations make informed decisions about security controls. By following the RMF process, organizations can identify and prioritize risks, select appropriate security controls, and continuously monitor and improve their security posture. This approach can help organizations reduce the likelihood and impact of security breaches, protect sensitive information and systems, and comply with regulatory requirements.

Additional Reference: NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations by National Institute of Standards and Technology.
