Like the leaders of any other business function, CISOs need a strategy. We’re not talking about a specific plan to mitigate some specific threat or vulnerability. We’re talking about a strategy map for the organization’s information security team: what value it provides, who it provides value for, what capabilities this requires, how much these capabilities cost and how the necessary resources will be allocated and organized over time.

For those who like to say that “information security should be run like a business,” such a strategy gives the CISO concrete things to communicate clearly to senior business leaders. It also serves as a strategy map for the role of CISO itself.

Hope Is Not a Strategy

“Hope is not a strategy” is a provocative phrase of unknown origin that has become commonplace in business and politics. Hope and strategy both concern the achievement of desired objectives under conditions that are uncertain and constantly changing. Hope, however, is a belief that those outcomes are possible. Strategy is a plan of action for achieving them, together with the resources needed to execute the plan. Hope is necessary but not sufficient.

A Bias Toward Action Is Not a Strategy

Since Tom Peters and Robert Waterman published “In Search of Excellence” in 1982, in which a bias for action was No. 1 on a list of eight attributes of excellent companies, the notion that being busy means adding value has become deeply ingrained in our culture. For example:

  • “You miss 100 percent of the shots you don’t take.” – Wayne Gretzky
  • “Just do it.” – Nike
  • “Do or do not. There is no try.” – Yoda

This idea rightly emphasizes that outcomes are achieved through execution. But as CEOs are fond of saying, “Let us not confuse activity with results.” Likewise, a CFO may say, “Execution does not mean that everyone should simply mount horses and ride hard in all directions.” Strategy combines the resources to be leveraged with the plan of action to be executed in order to achieve a set of desired outcomes.

Unfortunately, Most Strategies Fail

Underscoring the importance of linking strategy with execution, studies have shown that a majority of strategies do not succeed. One big reason is that strategies must be executed in uncertain and ever-changing conditions that can interrupt even the most thorough strategies. As heavyweight boxing champion Mike Tyson famously said, “Everybody has a plan until they get punched in the mouth.”

Common failure modes in the execution of a strategy include:

  • Strategic objectives are not clear and well-communicated.
  • Leadership talks the talk but doesn’t walk the walk, leading to cynicism.
  • There’s a lack of buy-in and alignment of key stakeholders.
  • Departments are missing skills, capabilities or enabling technologies.
  • There is a lack of accountability and incentives.
  • Resources needed to execute are inadequately allocated.
  • An incomplete plan of action leads to momentum-killing false starts.

Each of these seven failure modes has a corresponding remedy that can help you self-diagnose what has gone wrong with your security or compliance initiatives, but those will have to be the topic of another blog.

Strategy Is a Hypothesis

Perhaps the most important thing for CISOs to appreciate is that strategy is always a hypothesis. A strategy is typically described from the top down (i.e., starting from the objectives to be achieved), but all strategies must be executed from the bottom up (i.e., starting with the allocation and alignment of the people, processes and technologies necessary to carry out a plan of action).

Since 1992, the Balanced Scorecard framework has helped organizations describe and execute their strategies by focusing on cause-and-effect relationships. Made famous by Robert Kaplan and David Norton in the Harvard Business Review and subsequently in a series of best-selling books, the Balanced Scorecard framework has been extensively used by industries, the government and nonprofits to align day-to-day activities with the vision and strategy of the organization.

The Balanced Scorecard

Traditionally, the Balanced Scorecard describes the cause-and-effect linkages between four high-level perspectives of strategy and execution. Those four perspectives can be applied to a generalized information security organization:

  • Value is an expression of the information security organization’s strategic objectives and the value that it provides to the organization.
  • Customers is an expression of how the security leader believes the security team should appear to its target customers or stakeholders in order to achieve its strategic objectives.
  • Operations identifies the handful of critical capabilities at which the security team must excel in order to appear to its target customers the way the security leader believes it should.
  • Learning and growth identifies the most critical people, processes and systems that enable the security team to excel at those operational capabilities.

A Strategy Map for Security

A generalized strategy map for security leaders is shown below.

Ultimately, the objective is to help CISOs be more successful at communicating the business value of information security and at linking the strategy with execution.

A pseudo-formula for how to do it: Strategy Map + Measures and Targets + A Set of Funded Initiatives = A Complete Program of Action.
