As a CISO, you are developing an information security strategy that must be aligned with the corporate strategy and business objectives. Which of the following tasks should be done first? (Wentz QOTD)
A. Conduct the SWOT analysis
B. Develop a portfolio of initiatives
C. Issue information security policies
D. Determine the gap between the desired and current state
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Conduct the SWOT analysis. Determining the gap (D) presupposes that both the current and the desired state are already known, the portfolio of initiatives (B) is derived from that gap, and policies (C) direct the execution of a strategy that has already been formulated. The SWOT analysis is the earliest of the four because it establishes the current state on which the others depend.
I introduce strategic management in this post. My book, The Effective CISSP: Security and Risk Management, has details.
A policy expresses management's intent. Once the strategy has been formulated, policies are issued to direct its execution, so issuing policies comes after, not before, strategy formulation.
Strategy is a buzzword: everybody uses it, but not always with a consistent definition. Generally speaking, a strategy is a plan to achieve long-term or overall objectives derived from the organizational mission and vision. It can be developed at the corporate, business, or functional level by managers at each of those levels.
- plan to achieve a long-term or overall objective (ISO 9000:2015)
- plan to accomplish the organization’s mission and achieve the organization’s vision (ISO 21001:2018)
- organization’s overall plan of development, describing the effective use of resources in support of the organization in its future activities
Note 1 to entry: involves setting objectives and proposing initiatives for action (ISO/IEC/IEEE 24765:2017)
- organization’s approach to achieving its objectives (ISO 30400:2016)
Strategic management, a crucial element of corporate governance, comprises three phases: strategy formulation/development (strategic thinking, external and internal analysis, gap analysis), strategy implementation/execution, and strategy evaluation.
Strategy formulation typically starts with strategically thinking about organizational mission and vision, which shapes its long-term and overall nature. Strategic goals and objectives are derived from the mission and vision. Strategic thinking helps define the desired state.
External and Internal Analysis
External and internal analysis is typically conducted to scan the macro and micro environments and the industry for opportunities and threats, identify stakeholders, understand their needs and requirements, determine constraints and resources, and so forth. SWOT analysis is one of the best-known tools for this purpose: the internal view (strengths and weaknesses) establishes the current state, and the external view (opportunities and threats) may also inform the desired state.
Determining the gap between the desired and current state implies that both states have already been determined. Once the gap has been identified, a roadmap with milestones and initiatives is defined to move the organization from the current state to the desired state. A strategy can therefore be expressed as a portfolio of initiatives. A business case evaluates each initiative in terms of cost, benefit, and other feasibility dimensions; if the business case is approved, the initiative becomes a project. A portfolio, evaluated by its return on investment, can comprise one or more programs or projects.
Strategy Evaluation (Performance Measurement)
- What is “Strategy?”
- Strategic Management & Strategic Planning Process
- McKinsey 7-S Framework
- TOWS Analysis: A Comprehensive Guide
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author's web site.
As a CISO, you are developing an information security strategy that must be aligned with the corporate strategy and business objectives. Which of the following tasks should be done first? (Wentz QOTD)