Descriptions Are Not Strategies
The sun rises and the sun sets; panting, it returns to its place where it rises.
Gusting to the south, turning to the north, turning,
turning, goes the wind, and the wind returns in its cycles.
All the streams flow to the sea, yet the sea is never full.
The streams are flowing to the place, and they flow there again.
Distance brings perspective. Now that I am in my late 20s*, it is easier to read a book when it is held at arm’s length. I have spent 20 years delivering and leading security and risk for large companies; this has been my passion, pursuit, and career. But when I left that world to start this new journey, a brand new perspective began to grow. I was able to ask questions that closeness had prevented me from knowing I could ask. Why is success elusive in security? Why so much burnout and emotional frustration? You don’t ask many “why” questions when you’re in the fight.
I have been gifted with the friendship of many CISOs, security experts, hackers, fiddlers, bit-twiddlers, lock-pickers, auditors, and policy experts. Many describe themselves and their jobs with heart-felt frustration.
“All the streams flow to the sea, yet the sea is never full.”
If we win, it feels like we win skirmishes but lose battles and wars. Worse, the skirmishes we win are often refought over and again. Some may agonize like Prometheus, knowing tomorrow will look like today. Some try to escape: you saw the survey.
But others. Others seem to have an internal mission. They’re still reacting to circumstances but they are doing so from a direction or purpose that seems to antecedent to the circumstances. I know these people. They have one thing in common: a clear and tested vision. And their vision is strengthened, made supple, and implemented through strategy.
Where there is no vision, the people perish.
Is strategy really that important? Most military generals and staff officers are naturally terrible at strategy. Most CISOs are awful strategists. The first sentence shocks and perhaps offends you. The second gets a shrug and crickets, though, doesn’t it?
But both are true for the same reasons: nearly no one is trained to be a strategist. Those promoted in the military to senior rank have spent their career excelling in drilling and performance of tactics. As they advance they may become experts at small team tactics and then operations. In these scenarios, creativity is eschewed — it kills synchronization. And strategy? That’s what birthed the orders — and orders are what you obey!
This isn’t different in security. Most CISOs spend their career as a consultant at a Big 4 firm, a technically adept individual contributor, or a manager of teams which gradually increase in size and scope. They advance by demonstrating the efficient execution of tasks handed down from above. There’s a lot of talk about “aligning with business value” and “not being a cost center” but descriptions are not strategy and what’s often really meant is, “we want to be liked.” Which is not a bad outcome but is an awful goal.
In this light, it would be a accident for either group to create effective strategists. Compounding the failure, we permit and participate in the devaluing of the term and therefore the concept: ‘strategy’. Strategy is now that meeting with senior leadership, an off-site, any PowerPoint between five and eight slides with mostly pictures, my team’s rolled-up OKRs, your budget and hiring projections, or the thing managers do instead of real work**.
But you will soon see evidence that those meetings, plans, budgets, and hiring projections can and ought to be in service to your strategy. Operations certainly exist without strategy and they may achieve their stated goals. People remain busy without being productive and still accomplish goals. “If you don’t know where you’re going, any path will take you there” certainly resonates truthfully, but is a goal the same as a strategy?
It is not. That je ne sais quoi (indefinable, elusive quality) that you know in your gut that your leadership lacks? That is the absence of strategy. You can feel its absence when you scramble to do something precise, small, definable and the gnawing sense begins that says, “you’re missing it”. You tell yourself, “I’m being productive!” to quell the unease. But as a leader your job is rarely to be productive. It is more often to enable others to be efficiently productive in unified purpose.
This is where strategy acts its age and comes into bloom. We now know what it is not (e.g.,”My_Strategy.pptx”). We know when and how intuition tells us it’s missing (“Am I hangry or am I missing strategy?”).
So what is it? Strategy is the science and art of employing your resources to place yourself in a position to make a greater number of beneficial decisions.
Sometimes your resources are few
Complicated, compound sentence; let’s break it down:
It’s art and science: it’s got a feel and it’s got measurable, predictable dynamics.
Employing your resources: chess pieces, small opportunities, team members, time
To place yourself in a position: strategy involves movement, either you or your counter-parties. It compels someone’s action.
To make a greater number of beneficial decisions: freedom to make many more decisions of which many more may place me in a better decision (it’s turtles now, all the way down).
Let’s start with the abstract: take a burdened security professional. Give her the ability and inspiration to make decisions and employ resources that will place her in a position to make even more beneficial decisions. Now she’s choosing skirmishes that are meaningful. They lead to consolidated success. Give her peer the same; and bestow both with a vision for the end-state. Now they are hopeful and energized. They seek to align and work together. They now have shared mission, vision, and purpose.
Are they in a position where they can be a larger number of beneficial decisions?
Don’t you wish you had more of that?
You cannot delegate this. You cannot have it handed to you. If you are a leader, this is your raison d’etre. If you don’t do this, you’re not a leader. You’re just in front.
Theory laid, let’s get some reps in with the new muscle. Since distance brings perspective, let’s practice on other people’s problems:
Kate O’Flaherty writes “Stuxnet 2? Iran Hints Nuclear Site Explosion Could Be A Cyberattack“
- How was Iran’s strategic position affected by their statements?
How was Israel’s position affected by their own non-response? (Regardless their involvement or lack thereof.)
Who else may reasonably be making a strategic decision by remaining silent?
For all these questions, consider: what decisions could each entity make that results in a greater number of beneficial decisions?
You can’t miss the parallel can you?
When you have an incident, to whom do you report it internally?
When do you report it to customers, privately? Suppliers?
Is there an escalation of communications that result in a public notice or blog post?
What are the criteria which determine whether this incident warrants inclusion in SEC reporting?
Now, reexamine your answers considering your strategic goals: what decision(s) lead you to a position where you can make a greater number of decisions that help you?
Davey Winder writes about police taking advantage of weak encryption and controls in an encrypted message platform.
How were the organized criminal group’s strategic position improved or harmed by their decision to use a unique, sole-sourced encryption platform?
Security and procurement, this is familiar territory, isn’t it? When you decide upon a technology solution to your business problem, just as the CTO for Crime, Ltd. apparently did, have you weighed the right strategic considerations?
Are you placing your organization in a position where they can make fewer decisions that are beneficial?
Will this decision cause you to surrender the better position to competitors***, leaving them in a position to make more, better decisions?
Zoom out a level: does your process place the org in the more decisions/more benefit position?
Yes, still strategy. Bad opening though.
What does morale have to do with strategy? What does vision have to do with hope? If you’re burned out, frustrated, or — perhaps more importantly — if your team are, ask yourself and them, “what’s our strategy?” If the answer sounds like a task, a characteristic, or a to-do list then ask, “what’s our vision?” Historically and in my experience, if your vision is a feeling and your strategy is a to-do list then your reward is burnout.
But now you can see it. You have tried it on for size. Like any skill and muscle, it will take time. Strategy is not an epiphany but wisdom.
Next time, we’ll continue by looking at a famous strategist and pulling practical, pragmatic lessons from their life and experience. Since there is a predictable cycle to things, as always, to go forward, we are going to look back. You are not going to like this either, but strategy and politics are inextricably tied.
*Age? BMI? Credit score? Not telling.
**Hey, I’m just writing down the words you’re thinking.
***Obligatory Carl von Clausewitz quote, “In the whole range of human activities, war most closely resembles a game of cards.” If Clausewitz can abstract war into a card game, we can certainly abstract hackers, APT actors, insider threats, fraudsters, and commercial opponents into “competitors”. The same forces are at work: card games are not predictable, formulaic, nor is strategy deterministic. Chance and skill both play a role. Strategy is not a magic trick; strategy is an odds adjuster.