Strategy without the ability to execute is destined to fail, and execution without forethought will face the same fate.
Most individuals find it difficult to think in terms of direction and action, so what happens when you have to juggle the two priorities? How do security executives strike the right balance, while aligning to business priorities, operational capabilities and their threats?
Security organizations today find themselves in one of two camps. Some focus their energy on day-to-day fighting of security issues while others—a significantly smaller portion—sacrifice today’s operations for the ability to plan for tomorrow. It does not take a rocket surgeon to figure out neither of these modes are operationally viable on their own. But, many find it difficult to mix the right blend of strategy and execution, especially when it feels like your corporate leadership has little appetite for strategy. While “just keep things from falling over” may feel like the task you’ve been given, the reality is that, at some point, you need to plan to maintain forward momentum.
I work with a wise gentleman who, using his years of experience, fairly regularly reminds me that “No strategy survives contact with the enemy.” This quote is an adaptation from Helmuth von Moltke, the Elder who talks about strategy essentially being a preparation of the many ways things could possibly go and that thinking through those outcomes will minimize surprises.
To better understand this idea, check out the whole quote:
“Moltke’s main thesis was that military strategy had to be understood as a system of options since only the beginning of a military operation was plannable. As a result, he considered the main task of military leaders to consist in the extensive preparation of all possible outcomes. His thesis can be summed up by two statements, one famous and one less so, translated into English as “No plan of operations extends with certainty beyond the first encounter with the enemy’s main strength” (or ‘no plan survives contact with the enemy’) and “Strategy is a system of expedients.”
The idea that you only can plan the beginning of a military operation almost perfectly carries through to the cyber realm. Just because you have a plan to achieve an outcome doesn’t mean that your plan will go perfectly. You must anticipate possible variations, setbacks and failures as the plan executes. Herein lies the magic of experience.
I almost can guarantee that security leaders who previously have served in leadership roles have seen plans fall apart on day one or 100 of the plan’s execution. Those individuals fully understand that strategy development is an exercise in planning for things you can’t expect. They understand that strategy must be supported with tactical lessons learned to stand a chance. It is essential for security leaders to keep in constant contact with the blue teams – whom every day defend against attacks – to extract their tribal knowledge and to develop a strong strategy tempered in reality. This method increases the odds that the strategy formulated will adapt and survive into execution.
As many of you reading this look ahead to the rest of the year and over the horizon, think about how your organization operates today. Do you have a strategy in place that gives your security organization purpose and alignment to corporate mission? If you have a strategy, have you tested it against the lessons learned from years of security operations and tactical security measures? If you don’t have a strategy, what has prevented you from putting one together? Let’s be clear: everyone is busy and no one ever has enough time. But, without a strategic vision of your security organization, the hamster wheel of security operations gets harder with every revolution. Security leaders should not ignore their operations teams when putting together their strategy. They have years of expertise, domain-specific knowledge and aggregate real-world experience.
The bottom line – you should never preach strategy from an ivory tower but base it off corporate alignment, domain expertise from your tactical operations teams, and regularly execute and adjust it. The alternative is more of the same, which I think we all can agree isn’t good.
Related: Learn More at the 2016 CISO Forum
