Opinion: Can we plan security strategically?
Last year brought e-Cards that got around our spam filters. There were unexpected zero-day attacks causing a half-day network outage. We even had a surprise phone call from a reporter tipping us off that parents were teaming-up with hacktivists to launch a denial-of-service attack against our Michigan.gov portal. None of these incidents could have been predicted a year ago. All of them had us scurrying in another direction.
And yet, I still believe that strategic security planning is not an oxymoron. The French writer Antoine de Saint Exupéry once said, “A goal without a plan is just a wish.” While there are always operational cyber surprises that come our way, we can even have plans for those inevitable emergencies.
In Michigan, we published our strategic security plan last January for 2007-2010, and the document is still pretty accurate one year later. We keep a running four year plan, and update the document every two years. We also use our strategic planning process to level set expectations with our customers and set our budgets. There are a myriad of good reasons to “just do it,” but perhaps the most important benefit to publishing a plan is improved internal and external communications.
One more thing, I've found that “significant unplanned” security incidents usually provide new opportunities and bring executive support if handled well. While no one wants to uncover a security breach or experience an outage due to some unexpected event, your team's professional response is paramount. Everyone is watching, so if you have a well-thought-out plan, you'll be more effective even in the unplanned activities.
For those who perform well in a crisis, the dollars and resources will flow your way following headline-grabbing events. Seize that moment. Oftentimes, that support is just what you need when things get back to normal. Wonder what you can do with that new mandate and resources? That's right, implement your strategic plan.
From the - January 2008 Issue of SCMagazine »