Weaving strategies with policies

I mentioned recently here on the blog that there can be strategic elements to policies, just as there are operational aspects to the supporting procedures and guidelines. With the new year fast approaching, I'd like to explore that further today.

Warning: your blinkers are coming off. Prepare for the glare.

Take for instance the corporate responses to COVID-19. Out of necessity, organisations in lockdown shifted rapidly from on-site office work and in-person meetings to home-working, using video conferencing, email and collaborative approaches. Although that may have been a purely reactive, un-pre-planned response to the global crisis that erupted (despite prior pandemics and warnings arising from increasing international travel), it was facilitated by longer-term planned, strategic changes and investments in a resilient workforce with flexible working practices and positive attitudes, strong relationships within and without the organisation, plus appropriate tools and technologies - in particular the cloud (since about 2000) and, of course, IT (since about 1970). 

Thinking about it, the very concept of 'office work', or indeed 'work', stretches back still further, along with 'business', 'commerce', 'profit' and 'money'. Gradual shifts in human society on an almost evolutionary scale have led to where we are right now ... and will continue going forward, presenting strategic challenges and opportunities to those who are awake to the possibilities ahead (both positive and negative), sufficiently resilient to cope with adversity yet resourceful, strong enough and well-positioned to surge forward when it makes sense.

In some organisations, policies and practices for home/virtual working were hastily developed and adopted during and in response to the COVID outbreak. In others, either the policies and practices were already in place, or there was no specific need for them since flexible, tech-enabled working was very much the norm already. A few laggards are still struggling to catch up even today, and failing to thrive in adversity may mean failing to survive in perpetuity. 

[Aside: how on Earth can today's politicians justify holding a climate change conference as a physical, in-person event, during COVID no less, rather than virtually, on-line? Are we even on the same planet? Shakes head in disbelief.]

The relation goes both ways: policies can prompt strategic changes, and vice versa. Thinking forward, virtual working presents opportunities for global collaboration on an unprecedented scale, with reduced costs, increased efficiencies, access to a global talent pool and of course global markets. 'Globalization' is not just about establishing a widespread physical presence and brands: it's also about harnessing a widely distributed and culturally diverse workforce, harnessing technology to link, leverage and exploit the very best of the best.
 
From the information risk and security perspective, virtual working is both a nightmare and, again, an opportunity ... so, how are things going with your security strategy development, dear CISO? What can be done to facilitate secure virtual working? How can virtual working benefit information risk and security? How will you satisfy the changing governance, compliance and assurance requirements in a virtual world? What about the technology risks, not least our ever-increasing dependence on the Internet? And are you looking to exploit information security knowledge and expertise in all corners of the world, or are you still chasing the evaporating pool of local talent? As well as infosec policies, what are your business policies for managing the information risk and security function?
 
Virtual working is just one of several strategic issues. What else is going on in the world of information risk and security? I have in mind the Internet of Things, of course, the proliferation of smart, autonomous devices raising all sorts of security concerns and, again, opportunities for smart execs (e.g. additional streams of security-related information from distributed, mobile networks of things, like for instance monitoring the locations and activities of the virtual workforce, and all its digital gizmos, for anomalies). So-called artificial intelligence and machine learning are gaining traction, with robotics no longer the realm of science fiction. Automation and technology, in general, have been driving societal changes on an evolutionary timescale, ever since our primitive ancestors started wielding rocks and sticks as tools and weapons, harnessing animals to carry loads and pull wheeled carts. What's to come, and how can we be a part of it, actively driving innovation and exploiting changes rather than purely being driven and exploited?
 
[Aside 2: I pity those of you with "cyber" on your business cards, particularly if you report to the CIO, CTO or some other manager swimming endlessly around the IT fishbowl. Technologies are just tools to craft things of beauty, utility and value. Sure, shiny tools help get the job done, but aside from the glint they are pale and insignificant compared to the products. Context matters.]

Having mentioned 'exploitation' in a positive sense a couple of times already, I can't help but think about the flip-side i.e. our being exploited by third parties, or indeed by malicious insiders. This is an area where information risk and security professionals have specialist knowledge and expertise ... but we are not the only ones. We have plenty to learn from our colleagues working in physical security, fraud prevention, law enforcement, audit and assurance, privacy and compliance, human resources and behavioural science, to name but a few - and, again, virtual working opens us to global collaboration ... just as virtual working among the criminal fraternity opens us to global exploitation, prompting yet another potential thread to our information risk and security strategy. What controls are appropriate to contain the risks in this domain? Which security policies would best help us dodge the hail of bullets coming from all directions? What about the residual risks, not just those we consciously accept but those we don't even appreciate exist?

And that's another thing. Do international standards and methods feature in your security strategy? Are you looking to ignore, adopt, comply with, be certified against, proactively exploit or even get engaged with the ongoing development of the ISO27k standards, for instance? There's a substantial range of possibilities with strategic, tactical and operational elements and, for sure, business implications. Are you going to be forced, kicking and screaming, into ISO/IEC 27001 certification by insistent business partners and legislation for fear of losing out on lucrative contracts and sales, or will you seize the initiative in 2022 to invest in a more systematic, structured approach to information risk and security management, on your own terms, under your own control?

As you consider the threads I've brought up and others in the context of your own organisation and personal situation, remember that we are not the only ones thinking strategically at this time of year, preparing our cunning plans, proposing initiatives and often requesting substantial financial investments to make real progress in information risk and security. 'Protecting information against information risks' is a necessary but insufficient strategic goal without something along the lines of 'and enabling the legitimate exploitation of information to add value to the business' ... which hooks firmly into the strategy development going on all around us at the same time. Are our colleagues in IT, finance, HR, operations, marketing and other functions even considering the information risk and security aspects to their cunning strategic plans? Wider still, what about our (global!) business partners, suppliers, customers, prospects and regulators? How can we help and support each other? What about those opportunities to exploit third parties' strategic weaknesses (being oblivious to the business value of ISO27k, for instance)?

Good luck weaving your way through the maze of possibilities!

I'll leave you to contemplate the challenge of building a policy pyramid on the moon. Seen from space, the Earth is a rather small, insignificant planet, 'mostly harmless' indeed. Even 'Think global, act local' seems somewhat parochial these days, so what is your vision for the future, your rallying cry as you lead the troops to new horizons and beyond? Are you thinking broadly enough? What excites you so much about the future that it can't help but engender enthusiasm and support from your executive colleagues and (we hope!) the budget to 'make it so'? Is 2022 your year to go on the offensive, shrugging off the defensive, reactive, backward-looking cloak of more traditional approaches to information and even cyber security?