What do we mean when we say strategic? Usually the people talking about strategic effort are more interested in effects than in the actual activity of strategic decision making. Poor strategic leadership can have just as much strategic effect as good strategic leadership; we just don't like the result as much. The concept of strategic information security for the enterprise can be parsed a few different ways.
When we say strategic we are talking about building a thought process that mitigates a problem before it happens. When the system has been breached and the Mongol horde or the Washington Post is at the gates of the data center, you are not going to be able to be strategic. That is the time for a short, sweet, and hopefully well thought out tactical response to assure mission success. The place you get to be strategic is in the peace and quiet that lulls leadership and the operational teams in the data center into somnolence. Unfortunately, the calm is exactly when we look at cutting head count and removing resources. Enterprise risk management is about spending the right resources on the right tasks for the best result, and it is one of our tools for strategic success. On the day of the breach you are not going to be able to redirect those resources fast enough to fix what is already broken.
Strategic information security comes with a price. The first price is the credibility of the concept itself. If you want the concept to be relevant, you need to be aware of the current state of the enterprise assets you control. Pick an overall strategy for operational control of the enterprise that aligns with your organizational capability and risk acceptance. More than an architectural decision about whether you use a flat or hierarchical model in your security mechanisms, being strategic means trying to predict patterns of events. A lot of ink has already been spilled on attack paths and the various chains of events that make up an intrusion. This is where you start thinking about mitigation strategies and how you want to deal with a breach in the future, with the aim of keeping that breach from happening at all.
If you want to cut through the buzzword carnage, sit down with your incident response team, specifically the incident handlers, and write your breach notification. Write a breach notification for each of your regulatory agencies, then write one for your customers, and then write a detailed assessment of the breach including a root cause analysis. "Wait!" you say. "We haven't been breached." Exactly. And if you have been breached, the following is even easier.
Take incidents that have happened where you stopped a possible breach, along with the evidence from those incidents, and work through the process using them as the pattern. Where are the holes in the process? What does senior or general counsel say about the breach notifications? This is substantially more than an exercise. You are not just testing a system under some artificial constraint. If you take it seriously you are using a worst case scenario to build a strategic plan based on a simple principle: assumption of breach.
Strategic information security requires getting in front of the problem and considering your operational and tactical capabilities before you get to the breach. Planning at the notification stage means looking at your available resources and perceived risks and gaming out how to use them, either to mitigate the breach or to remediate your current systems so the breach does not happen. Strategic information security is what you do before things go sideways and you are calling general counsel at 2AM with the bad news.
There is the reality of regulatory and acute tactical response, and there is the reality of chronic operations and engagement. If you are running an enterprise of any size, the harsh reality is that you have already been breached. Whether the breach is fundamentally a regulatory issue is not the question. Malware, shadow information technology, phishing, user password and information security fatigue, and many more factors are the evidence behind assumption of breach. You have had malware on your systems, and you have had users click on bad links. Whether or not that was catastrophic does not change the fact that you have had breaches. Only luck may have kept you out of the headlines.
The strategic response is to prepare and assess as if already breached when thinking about plans and operational contexts. That allows the strategic information security leader to rise above the fray and consider the larger picture. If the worst case is handled, then you can play chess in reverse from that point. When we play chess in reverse we start with the win and make sure all of the operational and tactical choices are aligned with that goal. This preserves resources and is part of good strategic leadership.
Strategic information security is not a response within the confines of your operational context. It is not what you do day to day as part of your standard operating plan. Strategic information security is not a plan or a capability. Your enterprise security team can have strategic effects, but you should not expect them to keep your "bacon out of the fire." Their job is to work within the operational context of your day to day activities, making the best decisions you have empowered them to make. How you empower them, how you define their roles, and more importantly how you treat them are all strategic imperatives a senior enterprise owner should consider.
There is a final piece to the little puzzle of strategic information security, how we define it, and how we implement some of its ideals. Your vendors are not strategic assets. If your vendors have some kind of hold over your information security posture, that can be both a good and a bad thing. The choice you made to get wherever you are with vendor support was a strategic direction or decision. How all of that power and bias flows through the enterprise afterwards is tactical all the way.