all right, So when it comes to developing a security strategy, let's get a definition.
So we have Kenneth Andrews from the concept of corporate strategy, and he defines a corporate strategy. But I think if you replace the word security for corporate, I think you'll find this. This works very, very well.
So if we were to say, security strategy is the pattern of decisions in a company
that determines and reveals its objectives, purposes, goals produces the principal policies and the plans for achieving those goals and defines the range of business accompanies to pursuit.
I don't generally like to read slides while I'm doing these classes, but I think that's really very telling and what he's saying. So first of all, it's a pattern of our decisions, and if you examine my decisions, you're going to see what we're really trying to accomplish,
right. If you look at the decision someone makes that tells you what they're what they're trying to do, what they're hoping to gain, So with our strategy, this is sort of our plan of decisions that we make that will get us closer to our goals. Um,
it will help us make decisions about how we spend our resource is how we organ organize our HR personnel
structure. It's gonna be it's gonna drive how we make decisions, economic and non economic. Ultimately, all of this comes together as our security strategy, and it will shape the drive in the focus of our organization.
Okay, so if we don't we look at effective security strategy. So how do I know if I've got a good security strategy? How do I know that it's well written that it really does what I'm expecting it to do because remember, my strategy is gonna be the basis for my security program in my policies.
All right, So one of the most important pieces
is it strategically aligned to the business strategy.
I know we've said that again and again and again, but when it comes right down to it, we all have to realize there is only one reason that any of us have jobs. There's only one reason that any of us are employed, and that's because we support the business. And the better we support the business,
the more likely the business will support us. The longer I'll have a job, the better I'll be paid, the more marketable I am, the higher job satisfaction.
Ultimately, it all comes down to the business. So when I do look at things from an information security perspective, I'm always finding that cost benefit. Okay, And remember that cost comes from many directions other than just money.
You know, certainly some security mechanisms cost money, and some of them cause quite a good deal of money.
But don't forget. Also, another trade off for security is performance, its ease of use. It's backwards compatibility. It's all of those different elements. So what I have to do, really, my question should be. What is the organization trying to do
and how I can help them accomplish that goal
by helping them do this securely? I hope that makes sense, because that will come in a little bit later, when we're talking about really making sure that their other senior officers understand the value of security. All right, so we make sure that we're using a resource is wisely that we're supporting the organization.
Then, like we talked about in the last chapter, we will be effectively managing risks and risks,
you know, come up as a result of threats and vulnerabilities and ideally, as risks materialized, we could see harm to our assets. We know that our stakeholders have entrusted us with the assets of this organization of this business, and it's our job to protect those.
So when we have a good security strategy,
we're proactive. We have mechanisms in place to manage these risks, and it's you and I know the best time to address risks is before they happen, as opposed to after All right, next bullet point resource optimization,
making sure that our knowledge, our funds, our equipment,
our processes are implemented in the best way possible so that we get the most bang for the buck, so to speak. We want to make sure, you know, I've seen organizations that go through incident response situations where they have an incident that they have to respond to, and yet they failed to document at the end of that
Well, what happened? How did it happen? What did we learn from it? Right. That's not optimizing our organizational strategy, right? And sometimes you'll find that every department kind of does their own thing without good communication across those departments. That is not optimization.
What we want to build is an environment which all units coordinate
and communicate effectively across these barriers so that I can take what you've learned and apply it and use it for my benefit as well. So, you know, so many times in an organization. I know this isn't shocking to any of you out there every organization, every department for themselves.
And we've got to create policies and procedures,
communication mechanisms that help us get beyond that for the ultimate in optimization.
All right, on the next slide Ah, some additional outcomes value,
value delivery. You know, all of thes come together and all of these air so tightly related
value delivery. I can justify,
uh, the expenses that you've invested in security. We can go back, and this is tied into performance measurement, and we can go back and look at this documentation and say, Look, you know, here's the amount of money that we saved by implementing these strategies that we've laid out
so again, value delivery. Well, how can I show you? Your value is I've measured the performance and I've documented,
and then finally process assurance that basically, we're gonna integrate our processes and make sure that we have a holistic approach to security within the organization, that it flows from one end all the way through and that ultimately we approach security
with the common goal of supporting the business. That's what our strategy is designed to do to help us share the philosophy, the principles and the ultimate in Goa of helping the organization run smoother and more efficiently.