

Security Strategy
From Requirements to Reality


Bill Stackpole and Eric Oksendahl



CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2010 by Taylor & Francis Group, LLC


CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Version Date: 20140905
International Standard Book Number-13: 978-1-4398-2734-5 (eBook - PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at

and the CRC Press Web site at



To my father who always pushed us to be the best we could be.
William “Bill” Stackpole

To my wife Elaine who has always stood beside me and encouraged
and supported my efforts. I am truly a blessed man.
Eric Oksendahl




Contents
Acknowledgments ............................................................................................................... xv
Introduction ......................................................................................................................xvii
Preface ................................................................................................................................xxi
Authors ............................................................................................................................ xxiii

SECTION I STRATEGY

1 Strategy: An Introduction ............................................................................................3
Strategic Planning Essentials.............................................................................................. 3
Strategic Planning Process Evaluation................................................................................ 5
Security Leadership Challenges.......................................................................................... 6
Getting Started .................................................................................................................. 7
Value Proposition...................................................................................................... 8
Other Challenges for Security and Strategic Planning ....................................................... 8
When Strategic Planning Should Be Conducted...............................................................10
Metaphor Analysis and Strategic Planning........................................................................10
Strategic Planning as a Process.................................................................................13

Requirements for Successful Strategic Plans.............................................................14
Creating a Security Culture...............................................................................................15
Security Continuum (Moving toward a Security Culture)................................................15
Conclusion........................................................................................................................16

2 Getting to the Big Picture ..........................................................................................17
Background (Why Should Security Bother with Strategic Planning?)...............................17
Menu of Strategic Planning Methods and Models ............................................................18
Which Strategic Planning Tools?...................................................................................... 20
What Are Security Plan Essentials? (Analysis, Planning, and Implementation) ................ 20
Learn the Big Picture of the Extended Enterprise.....................................................21
Include a High-Level Risk Assessment as Input .......................................................21
Link Your Strategic Plan to the Organization Strategic Plan................................... 22
Develop Flexibility and Fluidity in Your Department............................................. 22
When Should Strategic Planning Be Done?...................................................................... 23
Six Keys to Successful Strategic Planning......................................................................... 24
Simplicity................................................................................................................ 24

Passion (Emotional Energy) and Speed of Planning and Adapting..........................25
Connection to Core Values ..................................................................................... 26

Core Competencies................................................................................................. 27
Communication...................................................................................................... 28
Implementation....................................................................................................... 29
Myths about Strategic Planning ....................................................................................... 30
Barriers to Strategic Planning............................................................................................31
Pushing through to the Next Level of Strategic Breakthrough (Inside/Outside Organizational Input/Output)..........31
Going Slow to Go Faster, or Don’t Just Do Something, Sit There (Honing Organizational Strategic Planning Skills)......... 32
Think Ahead, Act Now........................................................................................... 32
Strategic Business Principles and Workplace Politics............................................... 32
Looking for Niches, Voids, Under-Your-Nose Advantages........................................33
Overcoming Negative Perceptions of Security...................................................................33
Averse to Outsourcing............................................................................................. 34
Reluctant to Change Quickly................................................................................. 34
Stovepiped Organization Out of Touch with Business Realities .............................. 34
Always Looking for the Next Magic Technology Bullet...........................................35
Promises, Promises You Can’t Keep.........................................................................35
Developing Strategic Thinking Skills ................................................................................35
Create Time for Thinking....................................................................................... 36
Scan ........................................................................................................................ 36
Inquire .................................................................................................................... 37
Focus Long Distance/Practice Short Distance......................................................... 37
Anticipate ............................................................................................................... 38
Communicate ......................................................................................................... 38
Evaluate .................................................................................................................. 38
Practice Flexibility................................................................................................... 39
Conclusion....................................................................................................................... 40

3 Testing the Consumer .................................................................................................41

Introduction......................................................................................................................41
Defining the Consumer Buckets ...................................................................................... 42
What Historic Issues Are We Trying to Resolve or Avoid?....................................... 42
What Are the Challenges?....................................................................................... 43
Customer Relationship Management (CRM).......................................................... 43
Customer Value Management (CVM) .................................................................... 44
When Should You Collect Consumer Data?.............................................................45
Quick Customer Assessment............................................................................................ 46
Managing Key Internal Relationships..................................................................... 46
Conducting Face-to-Face Interviews........................................................................47
Guidelines for How to Solicit Feedback ...................................................................47
Designing Customer Feedback Surveys............................................................................ 48
Online Survey Guidelines....................................................................................... 49
Focus Group Guidelines ......................................................................................... 49
Deploying a Survey .......................................................................................................... 50


Measuring Customer Satisfaction Results ........................................................................ 50
Integration of Consumer Data ......................................................................................... 50
Conclusion........................................................................................................................52


4 Strategic Framework (Inputs to Strategic Planning)..................................................53
Introduction......................................................................................................................53
Environmental Scan......................................................................................................... 54
Regulations and Legal Environment .................................................................................55
Industry Standards........................................................................................................... 56
Marketplace–Customer Base ............................................................................................59
Organizational Culture.................................................................................................... 60
National and International Requirements (Political and Economic)..................................61
Competitive Intelligence .................................................................................................. 62
Business Intelligence ........................................................................................................ 63
Technical Environment and Culture................................................................................ 63
Business Drivers ................................................................................................................65
Business Drivers for the Enterprise.......................................................................... 66
Additional Environmental Scan Resources........................................................................67
Scenario Planning ............................................................................................................ 68
Futurist Consultant Services ............................................................................................ 69
Blue Ocean Strategy versus Red Ocean Strategy .............................................................. 70
Future (the Need to Be Forward Looking)....................................................................... 71
Conclusion....................................................................................................................... 72

5 Developing a Strategic Planning Process ...................................................................73
Roles and Responsibilities .................................................................................................74
Process and Procedures .................................................................................................... 75
Get Ready to Plan for a Plan .............................................................................................76
Planning, Preparation, and Facilitation............................................................................ 77
Building a Foundation for Strategy (High, Wide, and Deep) ........................................... 79
In the Beginning .............................................................................................................. 79
Vision, Mission, and Strategic Initiatives................................................................. 80
Vision Statement ............................................................................................ 80

Mission Statement ..........................................................................................81
Strategic Initiatives..........................................................................................81
Analysis................................................................................................................... 82
Strategy Formation (Goals, Measurable Objectives)................................................ 83
Implementation (a Bias toward Action and Learning) ...................................................... 84
Keys to Success for the Implementation Stage of Strategic Planning ........................ 84
Feedback, Tracking, and Control......................................................................................85
Completion ...................................................................................................................... 87
Best Strategies (Strategies That Work) .............................................................................. 87
Conclusion....................................................................................................................... 88

6 Gates, Geeks, and Guards (Security Convergence).....................................................91
Introduction......................................................................................................................91
Terms and Definitions ............................................................................................ 93
Benefits of Security Convergence ..................................................................................... 93


Cost Savings ........................................................................................................... 93
Improved Security and Risk Management.............................................................. 94
More Effective Event/Incident Management........................................................... 95

User Experience ...................................................................................................... 96
Regulatory Compliance .......................................................................................... 96
Improved Business Continuity Planning................................................................. 96
Other Improvements............................................................................................... 97
Convergence Challenges .................................................................................................. 97
Success Factors................................................................................................................. 98
Conclusion....................................................................................................................... 99

SECTION II TACTICS

7 Tactics: An Introduction...........................................................................................103
Tactical Framework.........................................................................................................103
Facilities—Physical Attack Scenarios.....................................................................104
IT Systems—Logical Attack Scenarios ..................................................................106
Objectives Identification .................................................................................................107
First Principles ................................................................................................................108
Observation Principle.............................................................................................108
Response Principle .................................................................................................109
Timeliness Principle...............................................................................................109
Preparedness Principle............................................................................................110
Economy Principle ................................................................................................. 111
Maintenance of Reserves (Coverage) Principle .......................................................112
Redundancy Principle ............................................................................................113
Least Privilege Principle.........................................................................................114
Commonality Principle.......................................................................................... 115
Conclusion......................................................................................................................116

8 Layer upon Layer (Defense in Depth) ...................................................................... 119
Introduction.................................................................................................................... 119
Defense-in-Depth Objectives Identification ....................................................................121
Information Environments............................................................................................. 122

Threats ........................................................................................................................... 122
Environmental Objectives.............................................................................................. 123
In-House Objectives ............................................................................................. 123
Limited and Controlled Boundary Access Points......................................... 123
Effective Logging, Detection, and Alerting Capabilities ...............................125
Operational Excellence for Security Controls.............................................. 126
Superior Personnel Supervision, Training, and Skills Management.............. 127
High Assurance Identity Management......................................................... 127
Timely Incident Response and Resolution................................................... 128
Shared-Risk Environments.....................................................................................129
Hosted Objectives..................................................................................................129
Consumer Scenario.......................................................................................129
Provider Scenario..........................................................................................132


Hybrid Objectives................................................................................................. 136
Consumer Objectives................................................................................... 136
Provider Objectives.......................................................................................139
Conclusion......................................................................................................................141


9 Did You See That! (Observation)..............................................................................143
Introduction....................................................................................................................143
Observation Objectives ...................................................................................................144
Observation Elements.....................................................................................................145
Reconnaissance ......................................................................................................145
Sentry ....................................................................................................................146
Physical Security...........................................................................................146
IT Security....................................................................................................149
Alarming................................................................................................................152
Command..............................................................................................................154
Summary ............................................................................................................... 155
Drivers and Benefits for Excellence in Observation.........................................................156
Observation Challenges ..................................................................................................157
Success Factors and Lessons Learned ..............................................................................158
Reconnaissance......................................................................................................158
Surveillance............................................................................................................158
CCTV Surveillance Lessons Learned............................................................159
Physical Detectors Lessons Learned ..............................................................159
IT System Security.................................................................................................159
IT System Security Lessons Learned.............................................................159
Excellence in Observation Control Objectives................................................................160
Reconnaissance ......................................................................................................160
Surveillance............................................................................................................160
Event Detectors......................................................................................................161
Pattern and Anomaly Detectors .............................................................................163
Conclusion......................................................................................................................165

10 Trust but Verify (Accountability)..............................................................................169
Introduction....................................................................................................................169
Unmatched Value of Accountability................................................................................169

Comprehensive Accountability Challenges .....................................................................172
Identity Challenges ................................................................................................172
Audit Challenges....................................................................................................173
Best Uses for the Accountability Tactic...........................................................................174
Comprehensive Accountability Identity Objectives.........................................................175
Identity Control Requirements for Accountability.................................................176
Domain and Local Account Management....................................................176
Name Collision.............................................................................................176
Identity Retention..................................................................................................178
Identity Verification ...............................................................................................179
Local System Accounts...........................................................................................180


Shared Accounts ....................................................................................................181
Comprehensive Accountability Audit Objectives............................................................182
Current State .........................................................................................................182
Audit Requirements for Accountability..................................................................183
Domain and Local Audit Management........................................................183
Complete ......................................................................................................184
Temporal ......................................................................................................185

Consistent.....................................................................................................185
Relevant........................................................................................................185
Understandable.............................................................................................186
Simple...........................................................................................................186
Sequential .....................................................................................................186
Correlated.....................................................................................................187
Tamperproof.................................................................................................187
Traceable.......................................................................................................187
Retained .......................................................................................................188
Conclusion......................................................................................................................188

11 SDL and Incident Response......................................................................................189
Introduction....................................................................................................................189
Terms Used in This Chapter ..................................................................................190
Security Development Lifecycle (SDL) Overview...................................................190
Security Incident Response Overview ....................................................................191
Tactical Objectives.................................................................................................193
Elements of Application Development and Response .............................................195
Application .....................................................................................................................195
Phase 1—Requirements .........................................................................................196
Phase 2—Design ...................................................................................................197
Threat Modeling ...........................................................................................197
Phase 3—Development .........................................................................................197
Phase 4—Verification ............................................................................................197
Phase 5—Release ...................................................................................................198
Phase 6—Support/Service .....................................................................................198
(SDL)²—Software as a Service Extensions (SaaS)............................................................198
Security Development Lifecycle Drivers and Benefits ............................................199
Security Development Lifecycle Challenges.......................................................... 200
SDL Success Factors and Lessons Learned ............................................................ 202

Application Control Objectives............................................................................. 203
Observation/Recognition ............................................................................. 203
Passive Detection Control Objectives........................................................... 204
Active Detection Control Objectives............................................................ 204
Transition Objectives ..................................................................................................... 209
Common Collection and Dispatch....................................................................... 209
Transition Drivers and Benefits.............................................................................210
Transition Challenges ............................................................................................211
Transition Success Factors and Lessons Learned ....................................................212
Lessons Learned............................................................................................212
Transition Control Objectives................................................................................212
Rapid Response...............................................................................................................214
Incident Response Procedures ................................................................................215
Automated Responses............................................................................................217
Nonincident-Related Response Procedures (Reporting).........................................218
Reporting as a Response.........................................................................................218
Rapid Response Drivers and Benefits .....................................................................219
Response Challenges..............................................................................................221
Response Success Factors and Lessons Learned......................................................221
Response Control Objectives................................................................................ 223
Conclusion..................................................................................................................... 223

12 Keep Your Enemies Closer........................................................................................225
Introduction................................................................................................................... 225
Hire a Hacker Objectives ............................................................................................... 227
Offensive Objectives ............................................................................................. 227
How to Use This Tactic for Offense...................................................................... 228
Defensive Objectives ............................................................................................. 229
How to Use This Tactic for Defense...................................................................... 230
Summary ...............................................................................................................231
The Hire a Hacker Controversy......................................................................................231
Success Factors and Lessons Learned ..............................................................................233
Control Objectives ..........................................................................................................233
Countering Insider Threats (Malicious Insider)..................................................... 234
Competent Supervision .........................................................................................235
Supervisor Attributes ................................................................................... 236
Supervisory Attributes ................................................................................. 238
Employee Screening......................................................................................241
Target Retaliation ..................................................................................................245
Target Deception ...................................................................................................247
Malicious Code Implantation ...................................................................... 248
Conclusion......................................................................................................................251

13 Hire a Hessian (Outsourcing)...................................................................................253
Introduction....................................................................................................................253
Security in the Outsourcing of IT Services..................................................................... 254
Outsourcing Pros—Benefits...................................................................................255
Outsource Cons—Challenges................................................................................255
Success Factors and Lessons Learned......................................................................256
Outsourcing Control Objectives ............................................................................257
Security in the Outsourcing of Security Services .............................................................261
Commonly Outsourced Services............................................................................261
Security Auditing..........................................................................................261
Penetration Testing, Vulnerability Assessment............................................. 262
Systems Monitoring ..................................................................................... 262
Incident Support.......................................................................................... 263
System Management/Administration........................................................... 263
Security Officer Services.............................................................................. 263
Outsourcing of Security Services Objectives......................................................... 264
Challenges to Outsourcing Security Services.........................................................265
Success Factors and Lessons Learned .................................................................... 266
Outsourcing Security Services Control Objectives.................................................267
Maintain the Confidentiality of Results........................................................267
Prevent the Disclosure of Events.................................................................. 268
Preserving Evidence ..................................................................................... 269
Avoiding Retention/Discovery Liabilities..................................................... 269
Elevated Privilege and Intellectual Property Loss ..........................................270
Conclusion..................................................................................................................... 272

14 Security Awareness Training ....................................................................................275
Introduction....................................................................................................................275
Staff Development Training........................................................................................... 277
General Staff Security Training............................................................................. 277
Security Staff Training.......................................................................................... 278
Security Staff Training Requirements ................................................................... 279
Security Awareness Training .......................................................................................... 280
Awareness Training Objectives ............................................................................. 280
Awareness Training Elements................................................................................ 282
Awareness Training Drivers and Benefits ....................................................................... 283
Industry Training Trends and Best-Practices Examples.................................................. 284
Training Resources......................................................................................................... 286
Awareness Training Challenges...................................................................................... 289
Success Factors and Lessons Learned...............................................................................291
How Do You Know if Your Training Is Successful? ....................................................... 292
Conclusion......................................................................................................................293
References..........................................................................................................................295
Appendix ...........................................................................................................................303
Physical Security Checklists ........................................................................................... 303
Index..................................................................................................................................313

Acknowledgments
The authors wish to thank the following people for their hours of reviews, suggestions, and encouragement throughout the process of putting this book together.
Greg Gwash
Elaine Oksendahl
Dave Komendat
Carl Davis
Tim McQuiggan
Lt. Col. Thomas Stackpole, U.S. Army
Dave Cook
Butch Moody
Verdonn Simmons
Peter Oksendahl
Patrick Hanrion
A special thank you to Jennifer Reed who taught Bill’s science class for six weeks so he could
finish the book, and to Tim Lorenz who graciously gave him the time off.

Introduction
I need you to find a way to keep compliance from putting us out of business!
Ron Markezich
Corporate Vice President, Microsoft Online
Security as a business—what a concept! And to many security professionals it’s a concept that few
have had time to consider or have needed to consider. Compliance changed all that; it pushed
information security into the executive suite, where a compliance failure means not only a possible
jail sentence but a huge drag on the bottom line. Combine that with a major economic downturn
and one has a lot of incentive to
make security a value proposition. Both of us have watched this requirement develop in corporations and have witnessed security professionals struggle to get a handle on what it means to be a
valued business partner.
We see two recurring themes: first is the lack of good business processes on the security side
and second, a diminished understanding of the value of security on the executive side. It is these
two issues that have inspired us to write Security Strategy: From Requirements to Reality. Our primary goal in writing this book is to teach security leadership and security practitioners how to
select, develop, and deploy a security strategy appropriate to their organization. Our secondary
goal is to support the implementation of strategic planning initiatives, goals, and objectives with
a solid set of security tactics. It is also our hope that executive managers, marketing, and other
business units will use this book to better understand the value security brings to the organization
in the compliance-centric 21st century.
Businesses cannot survive in today’s marketplace without information technology (IT), and
IT cannot survive in today’s computing environments without security. Today’s leading companies are those that have solved the security conundrum and learned to leverage security to promote innovation, grab market share, and enhance brand. When Microsoft was being flogged by
the industry for poor security, Bill Gates created a trustworthy computing initiative that united
the company behind a single strategic goal: “to focus our [Microsoft’s] efforts on building trust
into every one of our products and services.” In less than 10 years Microsoft propelled itself from
whipping boy to market leader through innovation, commitment, and solid strategic planning.
One of Microsoft’s key initiatives was to consolidate security services into a single-customer-facing
entity (the Microsoft Security Response Center). This is a strategy that we see as critical to the
future success of security management. There should be one person to contact, one number to call,
one website to visit, and one operations group to receive and respond to security events. It should
never be the customer’s responsibility to figure out who to call while dealing with a difficult or
emergency situation.
We also believe in building a culture of security. Employees are your first line of defense; none
of them leave their houses in the morning without locking the door, and none of them should leave
their worksites at night without locking their computer and sensitive documents away. If you really
want your employees to be your first line of defense, you need to teach them how, and you must be
readily available, helpful, and responsive when they call. When the quality of Ford products began
to diminish, the company moved Quality Assurance from a business unit to a business culture.
Quality became “job one” for everyone working at the company from Bill Ford’s Quality Council
to the autoworker at the St. Paul assembly plant. This is our view of security; it is job one for every
employee, and it needs to be promoted as such.
The challenges are substantial but not insurmountable. It will require a lot of effort on the part
of the security group to build the strategic planning skills required, and it will take a fair amount
of forbearance on the executive management side as things stumble forward. But the end results
in cost reductions, brand enhancement, and operational efficiency are well worth the effort. Let’s
get started!

Approach
This book presents business strategy for security groups and tactics for implementing that strategy.
It is unique in its approach because it focuses entirely on security strategy planning and execution.
The book is about finding the strategy that works in your organization, building it, and implementing it to see real results. You won’t find any point solutions here, no silver bullets, no magic
formulas. What you will find is a comprehensive look at the structures and tools required to build
a security program that really does enable and enhance business processes in your organization.
The book is based on our experiences in working with large security groups to build and implement strategic plans and tactical solutions, but the book is equally applicable to smaller organizations looking for long-term security solutions.

We have divided the book into two parts. The first part is about business strategy. Although
it is security-centric, executive managers reading this portion of the book will totally understand
it. The second portion of the book is about tactics—the means needed to implement strategy.
Security professionals will completely understand this portion of the book. The real value for
both groups of readers will be reading the portions of the book that are not familiar to them. It is
our hope that in so doing a viable synergy will develop between the two groups—one that allows
security to take its place as a valued partner and contributor to the success of the enterprise.
Much of the security conundrum organizations find themselves in didn’t develop overnight; it
has been a long time in the making. While corporate (facilities) security is a long-standing discipline, information security, especially in the network arena, is a relatively new discipline, one that
has been in an almost nonstop fight against an onslaught of attacks and a continuously changing
landscape. It has taken time to develop the tools, processes, and skills needed to build effective
security solutions. Although much remains to be done, the security industry has finally found
itself in a place where it can begin to be proactive. A major part of that proactive effort is learning
how to become a full-fledged partner in the business.
Security must become part of an organization’s standard business processes and a partner in
the promotion and profitability of the business. For years security professionals have been talking
about how security enables the business; well, now it’s time to step up and prove it. So roll up your
sleeves, bolt on your armor, and get ready for some giant-killing ideas. Welcome to the business
of security.

SIDEBAR: HOW TO READ A BUSINESS BOOK

1. Decide, before you start, that you’re going to change three things about what you do all day at work. Then,
as you’re reading, find the three things and do them. The goal of the reading, then, isn’t to persuade you to
change, it’s to help you choose what to change.
2. If you’re going to invest a valuable asset (like time), go ahead and make it productive. Use a Post-it or two,
or some index cards or a highlighter. Not to write down stuff so you can forget it later, but to create
marching orders. It’s simple: if three weeks go by and you haven’t taken action on what you’ve written down,
you wasted your time.
3. It’s not about you, it’s about the next person. The single best use of a business book is to help someone
else. Sharing what you read, handing the book to a person who needs it…pushing those around you
to get in sync and to take action—that’s the main reason it’s a book, not a video or a seminar. A book
is a souvenir and a container and a motivator and an easily leveraged tool. Hoarding books makes
them worth less, not more.
Seth Godin

Terms Used in This Book
Business unit—To eliminate confusion between the organization as a whole and the business
suborganizations such as departments and divisions, the term business unit has been chosen
to refer to these suborganizations.
Consumer/Customer—The terms consumer and customer are used in a general sense. These
terms include those external entities that purchase products or use services from the organization as a whole, as well as those external or internal entities that use the services of a
business unit within the organization—for example, business units that use security services
and/or products and are subject to security governance.
Core Competencies—Core competencies are the specific strengths of an organization that
provide value in a market space.
Core Values—Core values are the operating principles that guide an organization’s conduct
and relationships.
Corporate security—The terms corporate, physical, and facilities security refer to the group
that manages the security of physical assets such as facilities, equipment, and inventory.
Corporate security is typically responsible for surveillance, building access controls, security
officers, loss prevention, and associated events.
IT security—IT security refers to the group that manages the security of information assets
stored, processed, and transferred on computer-based technologies. IT security is typically
responsible for the confidentiality, integrity, and availability of digital information, compliance with statutory, regulatory, and industry requirements, and business continuity/disaster
recovery planning for IT services.
Organization—This term, used in a generic sense, refers to for-profit and nonprofit businesses
(companies, corporations, and enterprises) and government entities/agencies.
Security—This book takes a holistic approach to security, so the terms security and security
group encompass both corporate and IT security functions.
Security group—To eliminate confusion between the organization as a whole and the security
suborganization, the terms security group or security function have been chosen to refer to the
security suborganization.
Stakeholder—A stakeholder is a party who is or may be affected by an action or actions taken
by an organization, for example, employees, managers, board members, shareholders, customers, contractors, vendors, and partners.

Preface
The CEO looked up from his desk and said, “I’m sure you are all aware of our plans to form a
joint venture with Coral Reef; this is a great opportunity for us but to be honest I have some real
concerns about it. If you will pardon the pun, these guys are some real sharks. If we give them
access to our network, they could steal us blind. I need you guys to tell me what the risks are.”
The CIO looked over his shoulder, “Matt?” With a slight grin, Matt, the CSO, replied, “There’s
no additional risk sir; we’ll set up a SharePoint site for the project and that’s the only thing they’ll
have access to.” The CEO was about to express his delight when the CFO interrupted, “Well that
might be true for remote access, but what about when they’re here on campus?” “It’s not any different,” Matt replied, “Their laptops aren’t part of our domain so they can’t connect to any of our
systems except e-mail, Instant Messenger, Web conferencing, and the project SharePoint.” “But
won’t they look like one of our employees if they have e-mail and IM accounts?” asked the CFO.
Matt replied, “Nope, all external parties have identities that start with F dash and their badges
have a different color so our employees know they are ‘foreigners.’” The CFO continued, “But
they will have access to our offices and workspaces; isn’t that a risk?” “There’s always a risk that
someone might go snooping around, but our identity and building access control systems are tied
together. They will only have access to the buildings they will be working in, and we can track all
other access attempts. We run a weekly report of all F dash building and computer accesses just to
make sure they are behaving. If we suspect they aren’t, we can always review the video surveillance
to see what they were up to,” Matt replied. “But they could still steal stuff!” the CFO exclaimed.
Matt replied, “Yes they could, but not for long! They’d be violating the security policy they agreed
to uphold and that’s reason enough to send them packing.” “Thank you gentlemen, I believe we’re
good to go,” said the CEO as he dismissed the meeting with a smile and a hint of disbelief. Was
his security really that good?
The answer is yes. In three short years, Matt had managed to build a security program that not
only protected the company’s assets but also anticipated the company’s future business requirements and security needs. And he did it with a modest capital investment and no increases in
operational costs. Impossible, you say! Not at all. Matt was able to save a substantial amount of
money by converging the facilities and information security groups into a single team and converting older expensive video and building access controls technologies to IP network-based devices.
He used these savings and the reductions in operating costs to train and cross-train his staff to
improve effectiveness and coverage. He also got capital monies to make improvements to the identity management system and to implement some new control technologies.
Successes like this are rare in the security community, so how did all this come about? Security
strategy. Matt took the time to analyze the company’s vision, goals, and business strategies, and
then he sat down with the key stakeholders to identify existing issues, understand their goals, and
learn what their expectations were for security. Next, Matt (with the help of his team and these
stakeholders) created a three-year Security Strategic Plan aligned with and supporting the overall
business strategy. Finally, he went out and sold that plan, implemented it, and demonstrated security’s value to the business.
Security strategy is the missing gem in many security programs. It’s not a common skill set
among security practitioners and there isn’t a lot of guidance on how to do strategic planning for
security management. It was the authors’ goal to remedy that situation by providing you with a
practical set of tools and guidance to get you started down the planning path (Section I) and to
help you build the processes and controls for implementing that plan (Section II).
There are a large number of strategic planning methodologies; trying to cover them all would
be unrealistic. Fortunately, they all follow a similar pattern so we have addressed those components and compiled an exhaustive set of references you can use to further study the method you
settled on for your company.
It is our sincere hope that this book will contribute to your success and make the practice
of security strategic planning a common discipline in the industry. Welcome to security as a
business!
Bill Stackpole
Eric Oksendahl

Authors
William “Bill” Stackpole, CISSP/ISSAP, CISM, former Principal Security Architect for Microsoft
Online Services, has more than 25 years of IT experience in security and project management.
In his past position, Bill provided thought leadership and guidance for Microsoft’s Secure Online
Services Delivery architecture. Before coming to Microsoft, Bill was a principal consultant for
Predictive System, an international network consultancy where he was the architect and promoted
the application security business. Bill holds a B.S. degree in Management Information Systems and
a CISSP with an Architecture Professional endorsement. He is coauthor of Software Deployment,
Updating, and Patching (Auerbach, 2007) and a contributing editor to Auerbach’s Handbook on
Information Security Management (Krause and Tipton). Bill is a former chair for the CISSP Test
Development Committee and a current member of the (ISC)2 Common Body of Knowledge committees for the CISSP and ISSAP certifications.
Eric Oksendahl, former Security Strategist for Boeing, has more than 25 years of experience as
a business management consultant, senior facilitator, teacher, and program manager. At Boeing,
Eric facilitated strategy development and implementation for the Security and Fire Protection
division, including physical and information security. He designed and coordinated the use of
strategy development and initiative deployment to integrate security practices into key business
processes (e.g., international sales campaigns). Prior to that, Eric was a program manager at the
Boeing Leadership Center where he conducted leadership development courses around the world
that included Boeing management, supplier management, and customer management. Eric holds
a B.A. from Montana State University and an M.A. in Communications from the University of
Washington.
