Weaving strategies with policies
I mentioned recently here on the blog that there can be strategic elements to policies, just as there are operational aspects to the supporting procedures and guidelines. With the new year fast approaching, I'd like to explore that further today.
Warning: your blinkers are coming off. Prepare for the glare.
Take for instance the corporate responses to COVID-19. Out of necessity, organisations in lockdown shifted rapidly from on-site office work and in-person meetings to home-working, using video conferencing, email and collaborative approaches. Although that may have been a purely reactive, unplanned response to the global crisis that erupted (despite prior pandemics and warnings arising from increasing international travel), it was facilitated by longer-term planned, strategic changes and investments in a resilient workforce with flexible working practices and positive attitudes, strong relationships within and without the organisation, plus appropriate tools and technologies - in particular the cloud (since about 2000) and, of course, IT (since about 1970).
Thinking about it, the very concept of 'office work', or indeed 'work', stretches back still further, along with 'business', 'commerce', 'profit' and 'money'. Gradual shifts in human society on an almost evolutionary scale have led to where we are right now ... and will continue going forward, presenting strategic challenges and opportunities to those who are awake to the possibilities ahead (both positive and negative), sufficiently resilient to cope with adversity yet resourceful, strong enough and well-positioned to surge forward when it makes sense.
In some organisations, policies and practices for home/virtual working were hastily developed and adopted during and in response to the COVID outbreak. In others, either the policies and practices were already in place, or there was no specific need for them since flexible, tech-enabled working was very much the norm already. A few laggards are still struggling to catch up even today, and failing to thrive in adversity may mean failing to survive in perpetuity.
[Aside: how on Earth can today's politicians justify holding a climate change conference as a physical, in-person event, during COVID no less, rather than virtually, on-line? Are we even on the same planet? Shakes head in disbelief.]
And that's another thing. Do international standards and methods feature in your security strategy? Are you looking to ignore, adopt, comply with, be certified against, proactively exploit or even get engaged with the ongoing development of the ISO27k standards, for instance? There's a substantial range of possibilities with strategic, tactical and operational elements and, for sure, business implications. Are you going to be forced, kicking and screaming, into ISO/IEC 27001 certification by insistent business partners and legislation for fear of losing out on lucrative contracts and sales, or will you seize the initiative in 2022 to invest in a more systematic, structured approach to information risk and security management, on your own terms, under your own control?
As you consider the threads I've brought up and others in the context of your own organisation and personal situation, remember that we are not the only ones thinking strategically at this time of year, preparing our cunning plans, proposing initiatives and often requesting substantial financial investments to make real progress in information risk and security. 'Protecting information against information risks' is a necessary but insufficient strategic goal without something along the lines of 'and enabling the legitimate exploitation of information to add value to the business' ... which hooks firmly into the strategy development going on all at the same time around us. Are our colleagues in IT, finance, HR, operations, marketing and other functions even considering the information risk and security aspects to their cunning strategic plans? Wider still, what about our (global!) business partners, suppliers, customers, prospects and regulators? How can we help and support each other? What about those opportunities to exploit third parties' strategic weaknesses (being oblivious to the business value of ISO27k, for instance)?
Good luck weaving your way through the maze of possibilities!
I'll leave you to contemplate the challenge of building a policy pyramid on the moon. Seen from space, the Earth is a rather small, insignificant planet, 'mostly harmless' indeed. Even 'Think global, act local' seems somewhat parochial these days, so what is your vision for the future, your rallying cry as you lead the troops to new horizons and beyond? Are you thinking broadly enough? What excites you so much about the future that it can't help but engender enthusiasm and support from your executive colleagues and (we hope!) the budget to 'make it so'? Is 2022 your year to go on the offensive, shrugging off the defensive, reactive, backward-looking cloak of more traditional approaches to information and even cyber security?