Information security strategy development tools

In keeping with the long-held tradition of Information Security professionals appropriating tools from other disciplines (Schneier: attack trees, Open Group: security design patterns, Jaquith: Balanced Scorecard for security) I'll offer that as a starting point, "SWOT" is one of the best lightweight strategy development tools available.

SWOT stands for Strengths, Weaknessess, Opportunities and Threats. It is an analysis framework used in many different business disciplines, but marketing seems to make the best use of it.

Strategy adds value by clarifying the scope and role of security in the organization, improves effectiveness, and enables a coherent response to changes in the business and threat environment.

So, to be useful, a security strategy development tool ought to be:

1. Easy to use - so that the facilitator, subject matter experts and stakeholders are up and running quickly without fighting with the idiosyncracies and limitations of the tool.

2. Low resource requirements - so that it can be repeated as necessary, instead of as an annual off-site exercise. This will enable an effective strategy to adapt as organizational needs change.

3. Good fit for the problem - analysis results should generate action, not just reports. And preferably, those actions should add value beyond the obvious.

SWOT Approach

As described by Kerin and Peterson, SWOT analysis is "a formal framework for identifying and framing organizational growth opportunities." Naturally security is concerned about protection rather than growth, but the model still fits. Its easy to understand, apply, and cuts through the noise of threats, vulnerabilities, budgets and line-of-business requests to identify high value approaches to security management.

Here's an example template (borrowing the "TOWS" terminology from Dr. John Nugent's Managerial Forensics class:)

For the "Strengths" section of SWOT, the facilitator should start with a list of security offerings and capabilities. What does the security organization do? Then split the list into things done well, and, for "Weaknesses," the areas that need improvement.

Looking at external factors, what are the goals of the overall organization? What must the security team provide or prevent in order to be successful? These items represent the "Opportunities" for security.

Threats are external to the team; they are not weaknesses. Independent of anything the team does, what events, situations or actions of others may prevent the organization from being successful?

In this context, the normal security definition of "threat" is really a SWOT "Opportunity." Without security threats, there is no reason for the security team. SWOT threats are things like budget cuts, organizational restructuring or other actions that can interfere with plans to execute against available opportunities.

While it may start with a listing of functions or goals, SWOT is more than just lists. The results need to be discussed and debated. Bossidy and Charan describe it as "the last chance to get things right before the plan faces the ultimate test of the real world." Before you implement NAC, will your organization support it? By bringing together needs, capabilities and external risk factors, a reasonably thorough SWOT will draw out the non-obvious dependencies and risks that need to be addressed as part of an implementation. And because its such a well known business tool, it enables business-side stakeholders to participate. Getting buy-in at that early stage is never a bad idea.

Corporate Strategy, Business Strategy, and Information Security Strategy

In Contemporary Strategy Analysis, Robert Grant describes successful strategy as the combination of "clear goals, understanding the competitive environment, resource appraisal, and effective implementation."

He also makes a strong case that strategy is not a plan: "Strategy is not a detailed plan or program of instructions; it is a unifying theme that gives coherence and direction to the actions and decisions of an individual or organization."

Corporate Strategy looks at industry attractiveness and asks "what industries should we be in?" while Business Strategy aims for competetive advantage by looking at "How should we compete?"

If you have an Information Security Strategy, what is it, and how does it relate to your corporate and business strategy?

To a large extent it depends on the view of how strategy is made and how to characterize it: as intended strategy (authored by management) realized strategy (actual implementation) or emergent strategy: "decisions that emerge from the complex processes in which individual managers interpret the intended strategy and adapt..."

Some published examples of Information Security Strategy fall in the intended category, such as:

• Comprehensive Strategy on Information Security: Executive Summary (Japan)
  "To enhance competitiveness and national security for Japan: Building economic and cultural power through realization of world-class "highly reliable society"
• NATIONAL INFORMATION SECURITY STRATEGY PROPOSAL (Finland)
  "Finland will be an information-secure society that everyone can trust in and that enables all parties to manage and communicate information safely."
• Tulane Comprehensive Information Security Program (Tulane University, US) "To secure Tulane University Information and Information systems from cyber attacks while complying with legal, statutory, contractual, and internally developed requirements."

Interestingly, the State of Colorado has an Information Security Strategy that explicitly recognizes the resource appraisal consideration and the emergent nature of security strategy:

"The State of Colorado does not have integrated cross departmental information security architecture. As in most large governmental environments information technology has been deployed in a hap hazard [sic] as funding was available. The integrated enterprise approach has been an after thought. This methodology results in many disparate information technology systems..." And: "This document outlines the Information Security Strategy for the State of Colorado. It is an iterative process that will continue to change as we move forward."

So much for 'building security in' from the outset. But isn't that the case for every organization?

In Competetive Strategy Michael Porter describes three generic strategies for achieving competitive advantage: cost leadership, differentiation, and focus.

Are there generic strategies for Information Security? In terms of intended strategy, probably so but for the good of our industry the emergent strategy differs from these approaches. They deserve better titles, but for now I think of them as:

• Bodyguard Security - identify the goals of the organization, and map security activities against each of these goals
• Martial Law Security - implement industry best practices of defense in depth, least privilege. Make exceptions difficult to approve, to discourage non-standard configurations.
• Lifeguard Security - minimize restrictions on user activity. Monitor the environment in real time, and move swiftly to respond to detected problems.

Does your organization explicitly take a different approach?

GETTING STARTED

On Day One of my Strategic Management class at JMU our professor handed out a table showing the evolution of corporate strategy in the United States from the 1950s through today.

To me the most interesting feature was how closely the entries tracked competitive pressures and innovations in strategic approaches. Business strategy evolved to help organizations become more valuable, even as they faced stronger, more disruptive competitors.

So how does this relate to Information Security?

Competition naturally drives organizations to think and act more strategically, and the most successful organizations have known their capabilities and opportunities, articulated a realistic plan for achieving success, and energized their staff to execute it.

Information Security management faces similar pressures, but also has the ability to apply the same approach to success. Based on current trends I think a strong case can be made that every organization needs an Information Security Strategy, for the following three reasons:
- We don't have unlimited resources.
- Effective risk reduction requires an awareness and response to dynamic threats that actively work to circumvent or overcome deployed controls.
- The natural tendency of security products and processes, absent customer involvement in their design, is to hinder the effectiveness of the organizations we are trying to protect.

In short, a security strategy makes an organization explicitly resource aware, threat aware, and customer aware.