Wednesday, July 11, 2007

Corporate Strategy, Business Strategy, and Information Security Strategy

In Contemporary Strategy Analysis, Robert Grant describes successful strategy as the combination of "clear goals, understanding the competitive environment, resource appraisal, and effective implementation."

He also makes a strong case that strategy is not a plan: "Strategy is not a detailed plan or program of instructions; it is a unifying theme that gives coherence and direction to the actions and decisions of an individual or organization."

Corporate Strategy looks at industry attractiveness and asks "What industries should we be in?" while Business Strategy aims for competitive advantage by asking "How should we compete?"

If you have an Information Security Strategy, what is it, and how does it relate to your corporate and business strategy?

To a large extent it depends on the view of how strategy is made and how to characterize it: as intended strategy (authored by management), realized strategy (actual implementation), or emergent strategy: "decisions that emerge from the complex processes in which individual managers interpret the intended strategy and adapt..."

Some published examples of Information Security Strategy fall in the intended category, such as:

Interestingly, the State of Colorado has an Information Security Strategy that explicitly recognizes the resource appraisal consideration and the emergent nature of security strategy:

"The State of Colorado does not have integrated cross departmental information security architecture. As in most large governmental environments information technology has been deployed in a hap hazard [sic] as funding was available. The integrated enterprise approach has been an after thought. This methodology results in many disparate information technology systems..." And: "This document outlines the Information Security Strategy for the State of Colorado. It is an iterative process that will continue to change as we move forward."

So much for 'building security in' from the outset. But isn't that the case for every organization?

In Competitive Strategy, Michael Porter describes three generic strategies for achieving competitive advantage: cost leadership, differentiation, and focus.

Are there generic strategies for Information Security? In terms of intended strategy, probably so, but for the good of our industry the emergent strategy differs from these approaches. They deserve better titles, but for now I think of them as:
  • Bodyguard Security - identify the goals of the organization, and map security activities against each of these goals
  • Martial Law Security - implement industry best practices of defense in depth, least privilege. Make exceptions difficult to approve, to discourage non-standard configurations.
  • Lifeguard Security - minimize restrictions on user activity. Monitor the environment in real time, and move swiftly to respond to detected problems.

Does your organization explicitly take a different approach?
