A Strategy Map for Security Leaders: Taking the Next Step — Linking Strategy and Execution

February 17, 2016

This is the final installment in our six-part series on creating a strategy map for security leaders. Be sure to read Part 1, Part 2, Part 3, Part 4 and Part 5 for the full story.

The time has come to review our strategy map for security leaders and talk about taking the all-important next step of linking strategy with execution. This includes orchestrating activities and allocating resources to drive results.

13 Strategic Elements, One Highly Effective Information Security Leader

Working from the bottom up, here are 13 strategic elements of a highly effective information security team and its leader, as described in the first five installments of this series:

  • Make intelligent use of a security controls framework.
  • Identify and implement a context-specific mix of security controls, which includes technical, administrative and physical controls.
  • Establish effective processes for security governance as the basis for efficient processes for security management.
  • Proactively contribute to the cross-functional management of third-party risk.
  • Foster deep expertise in risk management, particularly in identifying, assessing and communicating effectively about security-, privacy- and compliance-related risks.
  • Hire and develop an information security team with a mix of aptitudes and attitudes that are optimized for the organization.
  • Create and sustain a security-conscious culture throughout the organization.
  • Develop skills as builders with a commitment to team building, community building and stewardship.
  • Develop skills as strategists with strengths in awareness, conceptualization and forward thinking.
  • Develop skills as effective communicators with the ability to listen, empathize, overcome divisions and build consensus.
  • Be seen as subject matter experts with respect to the technical landscape, including information technologies, threats and vulnerabilities and regulatory requirements.
  • Be seen as trusted advisers to the business based on up-to-date knowledge of line-of-business strategies and objectives; the needs and preferences of employees, partners and customers; and the capabilities of competitors.
  • Help the organization make effective business decisions about security-related risks, including the unrewarded risks of protection and defense and the rewarded risks of enablement and value creation.

Left Side, Right Side, Both Sides

By design, our generalized strategy map for security leaders has been depicted with a definite left/right split. The left side represents the old guard of IT and information security — highly technical, motivated by subject matter expertise and focused almost exclusively on the unrewarded risks of threats, vulnerabilities, exploits, technologies and regulatory compliance.

The right side represents the additional attributes needed by the next generation of information security leadership. This includes having solid business acumen, the ability to be seen as a trusted adviser by the business decision-makers and a focus on both unrewarded risks and the rewarded risks of enablement and value creation.

To be clear, the point being made here is not about bad and good or old and new; it’s about having both. Both sides of our strategy map are needed for the next generation of information security teams and their leaders. As expressed by the wisdom of one professional recruiter: The skills that got you where you are now are not the skills that are going to get you where you need to go next.

Putting it in different terms, Wayne Gretzky once said, “A good hockey player plays where the puck is. A great hockey player plays where the puck is going to be.” Information security leaders and their teams need to adapt and change for the future.

Strategy Without Execution Is Meaningless

As we have seen, a strategy map can be an effective tool to align the four perspectives of a good strategy. It helps capture and communicate a specific hypothesis for translating activities into excellence at critical capabilities, ensuring accurate perception by key stakeholders and driving business value and results.

If a strategy isn’t clear and well-communicated to the people who are responsible for execution, confusion is the predictable result. Successful initiatives have the support and buy-in of key stakeholders, and a lack of alignment and motivation tends to manifest itself as resistance to the strategy, whether passive or overt. A strategy map can help to bring about clarity, alignment and motivation.

Metrics With Meaning

With alignment and communication of a strategy for information security firmly in place, the organization’s fervor to establish measures and targets can finally start to make more sense. The most appropriate thing to do is to start with a jumping-off point for selected aspects of each row of the strategy map. For example, based on the current level of performance, establish realistic objectives for “how much, by whom, by when” going forward.

Here’s one additional benefit of the strategy map: It helps make clear why popular metrics initiatives that focus primarily on work progress — such as the details of how many vulnerabilities were identified, how many systems were patched and so on — are of very little interest or value to senior business leaders. These metrics unquestionably have their place and utility in row four of the strategy map, but they are not at all appropriate for the individuals seated at the table in row one. These people want to know about risk.

Fund for Success (and No Unfunded Mandates)

Another benefit of the strategy map is that capturing your strategy in this framework helps identify overlaps or gaps in the activities required for successful execution and in the resources necessary for those activities to be carried out. Hope is not a strategy. Anyone who has been expected to deliver outcomes without being allocated the necessary resources has undoubtedly experienced the frustration of such unfunded mandates.

Organizations that confuse activity with results — often under the guise of a well-intentioned bias toward action — tend to fall victim to frequent and momentum-killing false starts. On the other hand, successful enterprise initiatives have a comprehensive and well-integrated strategy, achievable measures and targets and an identified and funded plan of action.

Make Your Own Strategy Map

Like all frameworks, the balanced scorecard framework is simply a tool. If it can be helpful to you and your organization, use it. If the generalized strategy map for security leaders described in this series can help you and your organization get to its own strategy map for information security more quickly, personalize it. If your organization has a completely different approach that works well for you, share it!

In the ongoing battle between attackers and defenders in cybersecurity, the defenders can only gain the upper hand through increased sharing and cooperation. Information security must up its game to defeat these sophisticated threats.

Derek Brink
VP & Research Fellow, IT Security and IT GRC, Aberdeen Group

Derek Brink helps individuals to improve their critical thinking, communication skills and leadership skills by teaching graduate courses in information secur...