Strategy and Strategic Planning: Strategy, Strategic planning and security strategy, the information security lifecycle and Architecting the enterprise
by Erlan Bakiev, Ph.D.

  • The Role of Planning
  • Precursors to Planning
      • Values Statement
      • Vision Statement
      • Mission Statement
  • Strategic Planning
  • Creating a Strategic Plan
  • Planning Levels
  • Planning and the CISO (Chief Info Security Officer)
  • Planning for Information Security Implementation

  • Identify the roles in organizations that are active in the planning process
  • Grasp the principal components of information security system implementation planning in the organizational planning scheme

Planning Influences
  • Employees
  • Management
  • Stockholders
  • Outside stakeholders
  • Physical environment
  • Political and legal environment
  • Competitive environment
  • Technological environment

Information Security Professionals that support the information security program
  • Chief Information Officer (CIO)
  • Chief Information Security Officer (CISO)
  • Security Managers
  • Security Technicians
  • Data Owners
  • Data Custodians
  • Data Users

Planning Definition
  • Planning is creating action steps toward goals and then controlling them
  • Provides direction for the organization's future
  • Allows managing resources
  • Optimizes the use of the resources
  • Coordinates the effort of independent organizational units

Precursors to Planning
  • Values Statement
  • Vision Statement
  • Mission Statement

Values Statement
  • Principles
  • Qualities
  • Benchmarks
  • What your company is?
  • Microsoft: Integrity, honesty, passion, and respectfulness are significant parts of Microsoft's corporate philosophy

Vision Statement
  • Ambitious
  • Best-case scenario
  • Future goals
  • Where your company wants to be?
  • Microsoft: A personal computer in every home running Microsoft software

Mission Statement
  • Organization's business
  • Areas of operation
      • Internal
      • External
  • How your company is going to get there?
  • Google: Organize the world's information and make it universally accessible and useful.

Strategic Planning
  • Strategy lays out the long-term direction to be taken by the organization
  • It guides organizational efforts and focuses resources toward specific, clearly defined goals
  • Strategic planning includes
      • Mission statement
      • Vision statement
      • Values statement
      • Coordinated plans for sub units

Creating a Strategic Plan
  • Organization
      • Develops a general strategy
      • Creates specific strategic plans for major divisions
  • Each level translates those objectives into more specific objectives for the level below

Top-Down Strategic Planning

Creating a Strategic Plan
  • Strategic goals are translated into tasks
      • Specific
      • Measurable
      • Achievable
      • Realistic
      • Timely

Planning Levels
  • Strategic Planning
      • Five or more year focus
      • Strategic plan separated into strategic goals for each department
  • Tactical Planning
      • One to three year focus
      • Breaks strategic goals into a series of incremental objectives

Planning Levels
  • Operational Planning
      • Organize the ongoing, day-to-day performance of tasks
      • Includes clearly identified coordination activities across department boundaries
      • Communications requirements
      • Weekly meetings
      • Summaries
      • Progress reports

Planning Levels

Strategic Plan Elements
  • Introduction by senior executive
  • Executive Summary
  • Mission Statement and Vision Statement
  • Organizational Profile and History
  • Strategic Issues and Core Values
  • Program Goals and Objectives
  • Management/Operations Goals and Objectives
  • Appendices (optional)
      • Strengths, weaknesses, opportunities and threats (SWOT) analyses, surveys, budgets, etc.

10 Tips For Strategic Planning
  1. Create a compelling vision statement
  2. Embrace the use of balanced scorecard approach
  3. Deploy a draft high level plan early, and get input from stakeholders
  4. Make the evolving plan visible

10 Tips For Planning (cont.)
  5. Make the process invigorating for everyone
  6. Be persistent
  7. Make the process continuous
  8. Provide meaning
  9. Be yourself
  10. Have fun

Planning For InfoSec Implementation
  • Commonly the CISO directly reports to the CIO
  • The CIO and CISO play important roles in translating overall strategic planning into tactical and operational information security plans
  • CISO plays a more active role planning the details

CISO Job Description
  • Creates strategic information security plan with a vision for the future of information security
  • Understands fundamental business activities performed by the company
  • Suggests appropriate information security solutions that uniquely protect these activities
  • Improves status of information security by developing
      • action plans
      • schedules
      • budgets
      • status reports
      • top management communications

Planning for Information Security
  • CIO: translates strategic plan into departmental and InfoSec objectives
  • CISO: translates InfoSec objectives into tactical and operational objectives
  • Implementation can now begin
  • Implementation of information security can be accomplished in two ways
      • Bottom-up
      • Top-down

Bottom-Up Approach
  • Grass-roots effort
  • Individual administrators try to improve security
  • No coordinated planning from upper management
  • No coordination between departments
  • Unpredictable funding

Top-Down Approach
  • Strong upper management support
  • A dedicated champion
  • Assured funding
  • Clear planning and implementation process
  • Ability to influence organizational culture