Easy-cheezy: Mission, Strategy, Vision

March 27, 2010

I recently found a good start-up post about defining vision statements. What made this post different was its simplicity. It resonated because I've always found mission, strategy, vision exercises to be very easy, mostly because I don't spend a lot of time worrying about the minutiae. The goal is to communicate a tone; no one remembers the actual content because it's not measurable at a practical level.


We covered these concepts in the Security Strategy post a while back. Now I'd like to challenge every middle manager and individual contributor to come up with your own mission, strategy, vision statements. If you're on your game it should take < 5 minutes. Any longer and there are probably other issues to address. One reason why I'm suspicious when someone wants these statements is the fear of a review black hole, where you waste time refining something way past the point of diminishing returns. So instead of calling it mission, strategy, vision, let's call it:

  • What do we do.

  • How do we do it.

  • What does success look like in 3-4 years.

It's great to have this at the program level to set external stakeholder expectations. I think it's equally important for individual teams and ICs. Give it a try. Let's visit my security services dart board to select something. Thhhwhip... looks like Incident Response:

  • The incident response service limits potential impacts from security incidents and identifies the root cause for continued improvement.

  • We define procedures to identify incidents and integrate with IT to identify, contain, respond, and correct deficiencies.

  • Success is an integrated process across IT and the business with measured results and defined targets to verify risk is managed to an acceptable level.

If you're a member of the IR team, try the above for your role. I think it's pretty cool that these three bureaucratic statements are nothing more than a definition, plan, and measurement description of a process. It doesn't matter if the process is updating a firewall policy, running security operations, or the larger IT security service.


To walk my talk, here's the top of mind for our business:

  • We empower security leaders by improving and standardizing how security teams and programs are managed.

  • We deliver purpose-built applications and resources for security process management.

  • Success is when IT security teams are focused on execution because operations and services are defined and measured with clear demonstrated value to the business.

Now I better run and see how that compares to the website...
