Strategic information security

It’s not only a good idea; it is one that most people will never understand, which makes it absolutely the next buzzword at security conventions. Strategy is often misunderstood. It simply isn’t an easy term for most people to get their minds around. In 2004 John Wylder wrote a book called Strategic Information Security for Auerbach Publishers. The book is actually quite good and discusses some key concepts.

Strategic information security is:

  • Leadership driven
  • Has leader buy-in and support
  • Has an equal footing with other business processes
  • Takes a probabilistic approach to management
  • Uses standardized definitions and practices
  • Focuses on the holistic costs and benefits
  • More….

There will be an attempt to bend the strategic underpinnings of the discussion to Clausewitz, Sun Tzu, or Boyd. Those reflect military strategy and decision sciences. In a conflict domain that is appropriate, but it reflects a key misunderstanding of strategy at a larger scale. Deduct two IQ points for each use of Clausewitz/Sun Tzu by speakers discussing strategic information security outside of the context of the military.

Two institutions currently run strategic information security graduate programs: the Information Resources Management College at the National Defense University (I taught there) and the University of Washington/Tacoma. There is a substantial literature on this topic, but it is often overshadowed by the tactical layer. Common to these discussions, as various authors have noted, is the absence of a well-developed operational layer.

Most security conventions focus simply on the tactical and the capabilities. Tactics are best described as the tools, techniques, procedures and methods of accomplishing some task. All the military guys go nuts when you say that because they simplify to tactics, techniques and procedures (TTPs). Strategy, though, doesn’t belong to the military, and neither does the military do it best. There are a huge number of non-military examples of strategy. That being said, don’t mistake blind luck and chance resulting in profit for grand strategy.

Operations is the component where logistics and plans come together to inform the strategic level, or leadership. I may have grand designs and a stated strategy to be secure, but even given the ways and means I don’t necessarily have a management or project plan. The operational level is the planning and process layer.

Tactics are well known to hackers and security professionals. Most of the work of tactics is the implementation of the plans and processes that have been defined to secure an organization. The “do” of security is the tactical layer. That does not mean a strategic-level leader is not doing something, but that different “do” is more about direction.

Short and sweet. The topic has several books written about it. As with past history, the ideas come around again and again, but they are always built on the shoulders of others.
