I've worked a lot in security environments where strategy is unclear. I've worked a little in places where strategy is very clear. I've NEVER worked in a place where the security strategy is clear.
"That sounds like a sweeping statement, Rob", I hear you thinking... Maybe. But someone, who has to remain nameless sadly, said to me (not the rest of the room unfortunately!) recently in a very large strategy meeting: "Why do we need a security strategy? Don't we just need to reduce the risk involved with following the corporate strategy?"
This was said more as a statement than a question. The person "asking" was senior within her organisation, so I should have expected it, but it was one of those moments when someone says something SO obvious with such clarity of thought that it floors you for a response. I nodded and muttered something obvious about risk management, and that I disagreed with what we were discussing in the meeting, but my mind was already elsewhere. I am not usually lost for words, less so an opinion, but this silenced me, both verbally and mentally for some time.
When I had just left University nearly 20 years ago, before phones were ubiquitously mobile in nature, I answered the landline telephone in my parents' house and the caller, recognising my voice, said "Hi Rob, it's Simon": my friend from University. We had lived together for 2 of the 4 years of the course we were both on, so we knew each other well. We chatted for 10 minutes about meaningless things, before a reference to something in my home town made me realise I had never lived with him, but in fact he was a Simon I hadn't spoken to since the previous summer, checking to see if I was back from University. A silly digression, but for a couple of minutes my mind went into freefall, trying to work out if I'd said anything that could have revealed me as a pseudo-friend, faux-talker or wrong-Simoner. Realising Simon was still cracking on as though time had never passed, I cracked on. Back in the strategy meeting, my mind was doing the same thing, but over a career spanning 15 years, inspecting strategy documents and management recommendations for evidence of my fraudulence.
I have spent many days, weeks and months of my career, my life, writing long strategy documents. They all talk about process maturity, risk management, control improvement, architectural patterns, blueprints, yada yada... and whilst it's less bullshit than the "we will identify synergies with the Internet of Things and Big Data" type rubbish that consultancies tend to churn out, it always seemed to me to be more mechanical than a strategy.
A strategy, after all, is an OVERALL aim, and a useful business strategy is one which differentiates your business. So whilst a departmental strategy might be to reduce risk, or improve processes, surely that is a) what every security department everywhere should be doing, and b) what the whole business should be doing? In the first instance, it's not a differentiator; in the second, it's not a security strategy...
So there you have it. No such thing, I was making it up all along. I'd love to be told (why) I'm wrong.