I’m often asked why so many IT Security organizations lack an effective strategy and thought I would share with you some of the most frequent reasons I see this occur.
So here are my "Top 10 Reasons IT Security Organizations Often Fail with Strategy":
10. IT Security leaders, and often IT leaders, defer to the business to establish strategy and view their own role as implementing the business strategy. However, in order to implement the business strategy effectively, IT Security needs its own strategy, one that is aligned with the strategy of the business it serves.
9. Highly related to #10. Developing an IT Security strategy requires the IT Security organization and its leaders to fully understand and apply the business's strategies. Frequently, security organizations find themselves too busy running their own operations to engage with the business and learn its strategy.
8. Business cases for investing in strategy development are difficult to develop and articulate. Ironically, these are often exactly the types of business cases that senior business leaders want IT and IT Security to be initiating.
7. When a strategy business case is developed and approved, IT Security leaders have difficulty making progress on their strategies, because their day-to-day responsibilities keep them from being able to invest the required time in their strategies (See #9).
6. Leaders of IT Security organizations have often grown up as technical subject matter experts and have been promoted for their technical knowledge or technology leadership. As such, they focus their attention on the area they have been rewarded for in the past: technology.
5. The market offers IT Security leaders and organizations many more technology solutions than it does capabilities to help them develop strategies. When I was responsible for enterprise risk, security, and compliance in a Fortune 500 company, I very seldom had vendors calling on me to assist me in developing and implementing strategies. Most of the time, they called on me to sell hardware and software products (also driven by #6).
4. Thought leaders, industry groups, and solutions providers haven’t effectively communicated the value and importance of security strategy as compared to the value proposition of available technology solutions.
3. Truly effective IT security strategies require the full engagement of the lines of business, and IT Security is frequently unable to marshal the business sponsorship and resources needed to partner with them on the strategy. This is also why many IT Security strategies morph into purely technology strategies.
2. Strategies are not as tangible as other interventions, in particular technology solutions. Their value and return on investment require qualitative measures in addition to quantitative measures to determine their success, and qualitative measures are often more difficult to define and measure than quantitative ones.
1. And the #1 reason why many IT Security organizations fail to have an effective strategy? Strategies are complex and cross-functional, and they often span months to years in their development and implementation. In other words, it's hard work. IT Security is like any other organization in IT or the business: it is easier to embrace short-term solutions and their incremental gains than to take the long-term view.
I really enjoyed this post, especially #5. As someone at a startup creating a SaaS product aimed at IT managers, I think this one is really important. IT professionals are faced with a constant barrage of vendors selling security and risk-related products. Most of the time, however, it seems we try to shoehorn these products into the existing strategy rather than creating a product that can enhance the security policies.
Great list. I'm glad I found your blog.
Posted by: Nathan | June 07, 2010 at 11:53 AM
Really very useful post. I was searching for e-security tools and technologies and I found your blog. The IT security organization needs the right strategy for its business.
Posted by: Bangalore IT | September 29, 2010 at 05:53 AM
I think it is really better if IT experts are the ones to spearhead the job, and they should also refresh and learn new things. Technology is fast-paced.
Posted by: IT Consultant | October 08, 2010 at 01:29 AM
One thing I couldn't agree with more is that it's hard work. The fast-paced technological advancements will always be on our side as a source of glory and misery at the same time =)
Posted by: Jean | October 12, 2010 at 02:05 PM