Wednesday, July 25, 2007

Information security strategy development tools

In keeping with the long-held tradition of Information Security professionals appropriating tools from other disciplines (Schneier: attack trees, Open Group: security design patterns, Jaquith: Balanced Scorecard for security) I'll offer that as a starting point, "SWOT" is one of the best lightweight strategy development tools available.

SWOT stands for Strengths, Weaknesses, Opportunities and Threats. It is an analysis framework used in many different business disciplines, but marketing seems to make the best use of it.

Strategy adds value by clarifying the scope and role of security in the organization, improving effectiveness, and enabling a coherent response to changes in the business and threat environment.

So, to be useful, a security strategy development tool ought to be:

1. Easy to use - so that the facilitator, subject matter experts and stakeholders are up and running quickly without fighting with the idiosyncrasies and limitations of the tool.

2. Low resource requirements - so that it can be repeated as necessary, instead of as an annual off-site exercise. This will enable an effective strategy to adapt as organizational needs change.

3. Good fit for the problem - analysis results should generate action, not just reports. And preferably, those actions should add value beyond the obvious.

SWOT Approach
As described by Kerin and Peterson, SWOT analysis is "a formal framework for identifying and framing organizational growth opportunities." Naturally security is concerned with protection rather than growth, but the model still fits. It's easy to understand and apply, and it cuts through the noise of threats, vulnerabilities, budgets and line-of-business requests to identify high-value approaches to security management.

Here's an example template (borrowing the "TOWS" terminology from Dr. John Nugent's Managerial Forensics class):



For the "Strengths" section of SWOT, the facilitator should start with a list of security offerings and capabilities. What does the security organization do? Then split the list into things done well, and, for "Weaknesses," the areas that need improvement.

Looking at external factors, what are the goals of the overall organization? What must the security team provide or prevent in order to be successful? These items represent the "Opportunities" for security.

Threats are external to the team; they are not weaknesses. Independent of anything the team does, what events, situations or actions of others may prevent the organization from being successful?

In this context, the normal security definition of "threat" is really a SWOT "Opportunity." Without security threats, there is no reason for the security team. SWOT threats are things like budget cuts, organizational restructuring or other actions that can interfere with plans to execute against available opportunities.

While it may start with a listing of functions or goals, SWOT is more than just lists. The results need to be discussed and debated. Bossidy and Charan describe it as "the last chance to get things right before the plan faces the ultimate test of the real world." Before you implement NAC, will your organization support it? By bringing together needs, capabilities and external risk factors, a reasonably thorough SWOT will draw out the non-obvious dependencies and risks that need to be addressed as part of an implementation. And because it's such a well-known business tool, it enables business-side stakeholders to participate. Getting buy-in at that early stage is never a bad idea.

1 comment:

Sanju said...

I found this post very interesting. There is little on the web about application of Strategic Management methodologies to Security Management. If you have any pointers for further reading please let me know.

best regards,
Sanjeev