Strategic risk management

There's an old old joke about a passing stranger asking for directions to Limerick.  "Well," says the farmer, "If oi was you, oi wouldn't start from here".

So it is with infosec strategies. Regardless of where your organization may be headed, by definition you set out from a less than ideal starting point. If it was ideal, you wouldn't be heading somewhere else, would you? That naive perspective immediately suggests two alternatives:

1. Given where you are today, planning your route accordingly.
   
   
2. Regardless of where you are today, focus exclusively on the destination and how best to get there.

Actually, those are just two of many possibilities. It's even possible to do both: strategic thinking generally includes a good measure of blue-sky idealist thinking, tempered by at least a modicum of reality and pragmatism. 'We are where we are'. We have a history and finite resources at our disposal ... including limited knowledge about our history, current situation and future direction. What's more, the world is a dynamic place and we don't exist in a vacuum, hence any sensible infosec strategy needs to take account of factors such as competitors, compliance and other challenges ahead - situational awareness plus conjecture about how the situation might conceivably change as we put our cunning strategy into practice (as in chess). 

That's risk, information risk in fact, amenable to information risk management in the conventional, straightforward, systematic manner:

• Identify and characterise the risk/s, both negative and positive (opportunities, the possibility that things might turn out even better than planned);
• Quantify and evaluate the risk/s;
• Decide what to do about them;
• Do it! Finalise the strategy, negotiate its approval (with all that entails) and make it so;
• Manage and monitor things as the strategy unfolds and changes inevitably happen;
• Learn new stuff.

That final bullet is usually an implicit part of the process. We discover flaws in our strategy, things that don't quite go to plan, activities that take longer or go in different directions for all sorts of reasons. 'We are where we are' as a result of past and current strategies, successes and failures, and there's a load of learning points there if you think about it:

• Do we often over- or under-estimate things? How much variation is there, and is it biased one way or the other?
• Are we frequently blind-sided by unexpected events?
• Is it always a struggle to get anywhere, with too little energy to overcome the organization's inertia?
• Are we resource-constrained/ Which are the tightest? Is there any slack we might redeploy?
• Do we almost always achieve what we set out to achieve? Are we pushing hard enough?
• Are we creative? Are we early, middle or late adopters, ahead, within or behind the curve? Do we miss out on opportunities, and if so what kinds, typically? Compared to our peers and competitors, are we usually in the right place at the right time?

That's all in addition to learning about our strengths and weaknesses in information risk and security management, controls, threats, vulnerabilities, impacts, governance, compliance, assurance and so forth: I'm waffling on about gaining knowledge of the process of strategic risk management, figuring out why we ended up right here, lost, floundering about in this b(l)og, searching for Limerick ...