I recently found a good start-up post about defining vision statements. What made this post different was its simplicity. It resonated because I've always found mission, strategy, vision exercises to be very easy, mostly because I don't spend a lot of time worrying about the minutiae. The goal is to communicate a tone; no one remembers the actual content because it's not measurable at a practical level.
We covered these concepts in the Security Strategy post a while back. Now I'd like to challenge every middle manager and individual contributor to come up with your own mission, strategy, vision statements. If you're on your game it should take < 5 minutes. Any longer and there are probably other issues to address. One reason I'm suspicious when someone wants these statements is the fear of a review black hole, where you waste time refining something way past the point of diminishing returns. So instead of calling it mission, strategy, vision, let's call it:
It's great to have this at the program level to set external stakeholder expectations. I think it's equally important for individual teams and ICs. Give it a try. Let's visit my security services dart board to select something. Thhhwhip... looks like Incident Response:
We define procedures to identify incidents, integrate with IT to identify, contain, respond, and correct deficiencies.
If you're a member of the IR team, try the above for your role. I think it's pretty cool that these three bureaucratic statements are nothing more than a definition, plan, and measurement description of a process. It doesn't matter if the process is updating a firewall policy, running security operations, or the larger IT security service.
To walk my talk, here's what's top of mind for our business:
Now I better run and see how that compares to the website...