Charting the best strategic method for your organization

Pretend you are a CISO asked to deliver a compelling, three-minute narrative on how your company is effectively meeting data security compliance requirements. Many CISOs would struggle to do so because there’s so much information to cover. CISOs frequently spend too much time explaining technical details and being involved in the time-consuming task of managing a multitude of security vendors. To successfully deliver that compelling narrative, you need a framework that distills a response down to the most essential components: clarity on goals, requirements (their success factors and necessary conditions) and constraints.

Too many CISOs are still stuck in approaches from 20 to 30 years ago. They are decades behind in the way they should operate, much as Rolf M. von Roessing pointed out in 2010:

This does not have to be the case today. CISOs and security departments can overcome constraints that are impeding success by applying the correct frameworks and overall approaches. By rethinking and reframing your approach to data security and compliance, methods, and priorities—and how you communicate them to executive teams and boards of directors—you gain control of the security direction of the organization and areas of internal operational investments.

If you’re struggling to develop your security and compliance strategy and create a strategic plan that you are confident will deliver the required objectives and goal, you may be missing an effective method.

Why is it important to create a method or proven process for designing a strategic plan? Some of the most successful, sustainable products and procedures incorporate a proven process. Dentists adhere to a series of fail-proof steps when filling teeth. Builders prepare the land and have a secure method for building a foundation before constructing a house. Why wouldn’t security professionals apply a method of control design for security systems? What many organizations lack is a logical method to deconstruct the complexity of establishing clear goals and objectives, and the capacity to achieve them. Applying logical thinking is the ability to achieve progress in incremental, clear and predictable steps.

Defining goals is the first step in dealing with a complex problem.

For a surprisingly large number of organizations across the payment card industry, it’s not immediately obvious what they need to achieve with their data security and compliance programs. For many, this will become increasingly important with PCI DSS v4.0, which is why we are introducing a cohesive method to separate the most essential from the peripheral. In short, organizations need an LTP to clearly establish their goals, requirements and constraints. Developing the capability to determine root causes and formulate solutions to factors (constraints) that negatively influence the performance and outcome of the environment is an increasingly essential and unavoidable management task in the evolving security matrix. For more detailed information on goals, requirements and constraints, see page 21.

Focusing on your goals provides mastery over the problem.

It’s common for security teams to be spread thin and feel overwhelmed—as if they’re always just treading water. Increasing staffing can be difficult and is often only part of the solution. There seems to be too little time to focus on strategy and goals.

"A wealth of information creates a poverty of attention!”²⁶

—Herbert A. Simon, economist, psychologist and Nobel prize winner

The reality is that strategic planning, coordination and execution at an operational level have become paramount for security and compliance approaches and programs to succeed—and avert costly data breaches. We’re not talking about annual task lists outlined by executive management. We’re referring to focus: application of scarce resources on clearly prioritized activities to drive outcomes that are of strategic, long-term benefit to the organization. Security teams need to remain focused on clearly defined goals with very specific objectives and stop being busy with tasks that don’t promote sustainable control effectiveness. Of course, this is easier said than done. The reality for most security teams is the daily battle of people and departments pulling them toward distractions and chipping away at the time available to work on activities that have higher long-term value and contribute to security and compliance strategic goals.

"There is nothing as useless as doing efficiently that which should not be done at all.”²⁷

—Peter F. Drucker

Focus often means knowing when and how to say “no” to competing activities and tasks. Achieving focus requires avoiding distractions. For many security teams, this requires a deliberate reduction in scope of what others expect them to undertake. The security team’s attention must be diversified enough to cover the broad scope of security and compliance responsibilities, yet concentrated enough to maintain consistent progress toward the achievement of objectives. It requires the development of the team’s collective decision-making skills to triage requests based on risk (impact, probability and asset value) and relevance to the accomplishment of the strategic objectives. It’s imperative to focus on core strategic data security objectives, stay alert to unwarranted distractions, categorize secondary and tertiary objectives, and prioritize activities that contribute most to the sustainable effectiveness of the control environment.

Ideally, you should have a one- to five-year plan to focus on, though many organizations benefit from strategies that map out a program over an even longer period—up to 10 years. Strategies should be revisited several times throughout the year— even monthly—to make both large and incremental improvements. For additional information on security strategy, see page 43 of the 2020 PSR.²⁸

²⁴ Rolf M. von Roessing, The Business Model for Information Security, ISACA, 2010, https://www.isaca.org.

²⁵ “Learned helplessness,” Oxford Lexico, https://www.lexico.com/en/definition/learned_helplessness.

²⁶ “A Wealth of Information Creates a Poverty of Attention!” influencepeople, Oct 15, 2018, https://www.influencepeople.biz/2018/10/wealth-information-creates-poverty-attention.html.

²⁷ Peter F. Drucker, “Managing for Business Effectiveness,” Harvard Business Review, May 1963. Reproduced with permission from the Drucker 1996 Literary Works Trust.

²⁸ 2020 Payment Security Report, Verizon, 2020, https://www.verizon.com/business/resources/reports/payment-security-report/.