Wednesday, July 04, 2007


On Day One of my Strategic Management class at JMU our professor handed out a table showing the evolution of corporate strategy in the United States from the 1950s through today.

To me the most interesting feature was how closely the entries tracked competitive pressures and innovations in strategic approaches. Business strategy evolved to help organizations become more valuable, even as they faced stronger, more disruptive competitors.

So how does this relate to Information Security?

Competition naturally drives organizations to think and act more strategically, and the most successful organizations know their capabilities and opportunities, articulate a realistic plan for achieving success, and energize their staff to execute it.

Information Security management faces similar pressures, but it can also apply the same approach to succeed. Based on current trends, I think a strong case can be made that every organization needs an Information Security Strategy, for the following three reasons:
- We don't have unlimited resources.
- Effective risk reduction requires awareness of, and response to, dynamic threats that actively work to circumvent or overcome deployed controls.
- The natural tendency of security products and processes, absent customer involvement in their design, is to hinder the effectiveness of the organizations we are trying to protect.

In short, a security strategy makes an organization explicitly resource aware, threat aware, and customer aware.