Opinion: Can we plan security strategically?

Another year and another set of new resolutions. But can we plan cybersecurity strategically? Some colleagues say no. They insist events are moving too fast. Anything beyond tactical product installation plans is a waste of time. They point back to examples in 2007 to prove their point.

Last year brought e-Cards that got around our spam filters. There were unexpected zero-day attacks causing a half-day network outage. We even had a surprise phone call from a reporter tipping us off that parents were teaming up with hacktivists to launch a denial-of-service attack against our portal. None of these incidents could have been predicted a year ago. All of them had us scurrying in another direction.

And yet, I still believe that strategic security planning is not an oxymoron. The French writer Antoine de Saint Exupéry once said, “A goal without a plan is just a wish.” While there are always operational cyber surprises that come our way, we can even have plans for those inevitable emergencies.

In Michigan, we published our strategic security plan last January for 2007-2010, and the document is still pretty accurate one year later. We keep a running four-year plan and update the document every two years. We also use our strategic planning process to level-set expectations with our customers and set our budgets. There are a myriad of good reasons to “just do it,” but perhaps the most important benefit of publishing a plan is improved internal and external communications.

One more thing: I've found that “significant unplanned” security incidents usually provide new opportunities and bring executive support if handled well. While no one wants to uncover a security breach or experience an outage due to some unexpected event, your team's professional response is paramount. Everyone is watching, so if you have a well-thought-out plan, you'll be more effective even in the unplanned activities.

For those who perform well in a crisis, the dollars and resources will flow your way following headline-grabbing events. Seize that moment. Oftentimes, that support is just what you need when things get back to normal. Wonder what you can do with that new mandate and resources? That's right, implement your strategic plan.

Dan Lohrmann

Dan Lohrmann is an internationally recognized cybersecurity leader, technologist and author. Starting his career at NSA, Lohrmann has served global organizations in the public and private sectors in many leadership capacities. As a top Michigan Government technology executive for seventeen years, Dan was national CSO of the Year, Public Official of the Year and a Computerworld Premier 100 IT Leader. He is currently CSO & Chief Strategist at Security Mentor, where he advises global and local corporations and governments on cybersecurity and technology infrastructure strategies and security culture change. He has been a keynote speaker at security conferences from South Africa to Europe and Washington D.C. to Moscow.
