Tactical vs. Strategic Security Program Planning

Rob Kraus

June 12, 2012 - Posted by Rob Kraus to Security Insight

While helping organizations develop a security program, we often come to a point where we need to determine what security controls, processes and policies provide the greatest value with the smallest investment. I mean, we all have budgets to monitor right?

I usually walk clients through an exercise to identify significant gaps in the organization's posture and then determine what controls make sense, based on the organization's goals. Goals? “What, you mean we are supposed to set goals for our security program?” you ask.

Of course!

As Solutionary’s Chief Security Strategist, Don Gray often says: “You won't make it to your destination if you don’t have your trip planned out.”

How do we accomplish this?

• Identify your organization's weaknesses and greatest risks
• Define the controls, processes and procedures you need to address and mitigate those risks
• Make your map to get you to your desired security destination

As daunting as it may sound, you will not get anywhere if you don't complete these steps.

When it comes to the “Make your Map” phase, a successful strategy I have used in the past is to break down the efforts into Tactical and Strategic plans.

Tactical planning covers near-term, relatively low-cost improvements that provide organizations significant value.

Strategic planning often requires more time, effort, resources and sometimes cost, but it typically completes the long-term vision for an organization's security goals.

In closing, I offer the following advice:

1. Document a plan for achieving short and long-term security goals
2. Budgets should not be a reason to leave something off your “wish list” for what security should look like for your organization
3. Implement practical controls that help you through your journey
4. Be flexible. Budgets, personnel and objectives change, and so may your plan
