Planning a security strategy: Three core questions to ask

Security teams are overwhelmed by the increasing need to safeguard their information assets. Simultaneously, CEOs are thinking of how to cost-effectively ensure security across their organizations that often span geographic borders. They all want a simple answer to a complex question: Where do I begin? That's what this article is about.


Jack Danahy, Security Executive, Office of the CTO, IBM Rational, IBM Corporation

Jack Danahy is a security executive in the Office of the CTO for IBM Rational software. He is the former chief technology officer and founder of Ounce Labs, which was acquired by IBM in July 2009. He is one of the industry's most prominent advocates for data privacy and application security. Danahy holds five patents in a variety of security technologies and is a contributor to industry and national security working groups on data privacy, security, cyber-security, and cyber-threats. He writes a blog called Smart Grid Security.

29 October 2009

Also available in Chinese

With ever-increasing cyber-security threats and pervasive access to information, CISOs are overwhelmed by an urgent and recurring need to overhaul their organization's security infrastructure as they safeguard their information assets. Simultaneously, CEOs are thinking of how to find cost-effective ways to deploy resources and dollars to help ensure security across their organization, which often spans geographic borders. The search for a simple answer to a complex problem is common to both CISOs and CEOs.

"What product should I start with?" is a common first question, but it can also be the wrong question to ask. Unless you have experienced an overt or obvious symptom, such as a security breach, this question is premature. A practical security strategy is much more likely to emerge from a more deliberate, diagnostic process than from a product choice.

Before prescribing a remedy, each organization needs to look at itself and its motivations, performing a diagnostic self-evaluation. There are, at a minimum, three core questions that every organization, C-level executive, security consultant, or other stakeholder must be able to answer honestly before receiving a proper security diagnosis.

Although there are hundreds of additional questions that will follow, these three core questions should be asked when considering where to start:

  1. Why are you doing this?
  2. What are you trying to secure?
  3. What will happen if you don't do this right?

Question 1: Why are you doing this?

No one comes to the decision that they need better security because they have had an epiphany and now believe that security trumps all other organizational priorities. It is always because something has happened. A class, webcast, or seminar that offers insight into security threats can be the catalyst. Perhaps the organization's security was breached, or someone heard that a company in their space had been breached. Often, staff are simply asked to address security issues or to improve their security posture by a manager, an auditor, or an executive.

Depending on what your motivation is, your first step can be different. If your security has been breached, clearly you need to complete whatever triage and clean-up you are performing. In addition, you need to establish a means of protecting against re-infection or the re-emergence of remnants from the same exploitation. The short answer to the principal question of why you are doing this is that your organization is interested in security. Thus, starting by understanding the reasons why your organization is not secure enough is a good launching point. This provides a much more focused goal and also provides a common language and context within which to talk about your internal security.

Question 2: What are you trying to secure?

This is a question that is particularly enlightening for individuals who are newer to the space, but it can be very insightful for seasoned staff members who think through the implications of this review process. For many, the gut reaction to what you are trying to secure is "my networks," but when pressed or when given more time to think, you might answer "my data," "my business," "my reputation," or "my time."

Depending on your goal, your answer to this question can lead to a litany of other questions about the specifics of whatever body of resources you need to protect. Security is among the murkiest of disciplines, and it requires thorough examination to yield a solid base of what you actually need. In the absence of a real strategy, it can be argued that anything will make it better, but few organizations want to just "get better." Most organizations want to be at least "good enough," and "good enough" is tightly related to what is supposed to be secured — and how secure it has to be.

Question 3: What will happen if you don't do this right?

Human nature, or at least the noble components of it, inclines us to want to do the right thing. I think people ask advice about security because they truly want to be better informed and do a better job, which is all to the good. Unfortunately, in many cases, the yearning for reliable security tends to cool abruptly when confronted with the chilly realities of funding, inconvenience, and change. Security is not free, and good security is neither cheap nor convenient.

At the start of any new security process, or at the start of an extension to an existing security program, it is very important to ask the question "what will happen if we don't do this right?", because knowing whether the effort is imperative or merely interesting will make all the difference when it comes to making the necessary choices.

If failure will mean the loss of jobs, revenue, and reputation, there will be robust support for the person who wagers a career on creating an effective means of addressing security issues, even if those means are not easy. If, on the other hand, failure will mean that an individual's status report is yellow (a caution signal), that managers need to sign a waiver, or that a vendor gets a strongly worded letter, the security champion should keep that in mind when he or she finds it necessary to either push hard and escalate or to compromise and close on the issue.

Security is not a word with a strictly defined meaning, so it must always be approached with a situational perspective. The three questions discussed here and the questions that they will, in turn, engender will help to create an environment where there is a balance between the intention for security and the likely willingness of the organization to help to make it a reality.

To learn more about the current state of security perspectives between CISOs and CEOs, read the "Building the Business Case for Data Protection" report (see Resources). Research was conducted by The Ponemon Institute and sponsored by Ounce Labs, an IBM® Company.
