I introduce strategic management in this post. My book, The Effective CISSP: Security and Risk Management, has details.
Strategy is a buzzword: everybody uses it, but not always with a consistent definition. Generally speaking, a strategy is a plan to achieve long-term or overall objectives derived from the organizational mission and vision. It can be developed at the corporate, business, or functional level by managers at the corresponding level.
The following are common definitions of strategy:
- plan to achieve a long-term or overall objective (ISO 9000:2015)
- plan to accomplish the organization’s mission and achieve the organization’s vision (ISO 21001:2018)
- organization’s overall plan of development, describing the effective use of resources in support of the organization in its future activities
  Note 1 to entry: involves setting objectives and proposing initiatives for action (ISO/IEC/IEEE 24765:2017)
- organization’s approach to achieving its objectives (ISO 30400:2016)
Strategic management, a crucial element of corporate governance, comprises three phases: strategy formulation/development (strategic thinking, external and internal analysis, gap analysis), strategy implementation/execution, and strategy evaluation.
Strategy formulation typically starts with strategically thinking about organizational mission and vision, which shapes its long-term and overall nature. Strategic goals and objectives are derived from the mission and vision. Strategic thinking helps define the desired state.
External and Internal Analysis
External and internal analysis is typically conducted to scan the macro and micro environments and industries for opportunities and threats, identify stakeholders, understand their needs and requirements, determine the constraints and resources, and so forth. SWOT analysis is one of the most well-known tools for external and internal analysis; it helps determine the current state and may contribute to the desired state.
Determining the gap between the desired and current state implies that the desired and current state have been determined. Once the gap has been identified, a roadmap with milestones and initiatives is defined to move from the current state to the desired state. A strategy can be expressed as portfolios of initiatives. A business case evaluates an initiative in terms of cost and benefit and other feasibility dimensions. If the business case is approved, the initiative is turned into a project. A portfolio, evaluated by return on investment, can comprise one or more programs or projects.
A policy expresses management intention. Once the strategy is formulated or developed, policies are issued to direct strategy execution/implementation. Once the management intention behind strategy implementation is explicitly expressed through a policy, a project charter is established to formally authorize the project.
Strategy Evaluation (Performance Measurement)
Goals and objectives, measured by KGIs and KPIs, are typically organized into hierarchical levels or dimensions. The balanced scorecard (BSC) is a strategy evaluation or performance measurement tool that typically uses four perspectives/dimensions: learning and growth, internal processes, customer, and financial.
A business case is not only developed to evaluate the feasibility of an initiative and make the go/no-go decision in the initiation phase but also to track the benefits realized and value created across the whole life cycle.
- What is “Strategy?”
- Strategic Management & Strategic Planning Process
- McKinsey 7-S Framework
- TOWS Analysis: A Comprehensive Guide