A large portion of the academic and practitioner literature focuses on implementing and validating existing security frameworks or guidelines. Little academic research addresses how to strategize risk and security. Formulating a security strategy depends on several perspectives and usually differs from company to company. It depends on regulations, technologies, business processes and the interaction among the numerous partners in the digital value chain, and these dynamics vary in force and frequency. The importance of a well thought-out strategy has been examined and elaborated in numerous studies by strategists across all types of industries.
Learning from more than one hundred years of research in the domain of strategy can potentially bring us a lot of knowledge that can be used in the domain of risk and security. What can we learn from, for example, a well-known strategist like Michael Porter? Can Porter’s 5 forces model for creating a competitive advantage bring new perspectives to our security field? And, if so, what can we learn from this model to help predict and anticipate future threats that can harm a company’s continuity? Which forces or perspectives can we incorporate into our own strategy to strengthen our company’s reputation and trustworthiness?
My recent ISACA Journal article is about applying Porter’s model in an extensive research study of numerous experienced security managers from a wide variety of industries. The results were remarkable. First, the model brought new insights to most of the participants: they simply had not reckoned with a number of these forces while formulating their security strategy. Second, they had a blind spot for their own ability to influence these forces. Organizations can either strengthen their reputation or lose it by neglecting essential tasks while dealing with these forces. My Journal article helps apply the 5 forces model to formulating a security strategy.
My ISACA Journal article is part of a larger research project performed throughout the Netherlands over the past 4 years. This article is included in my latest research book How Safe Is My ‘Share’? (Hoe veilig is mijn ‘aandeel’?). The entire research project aimed to answer how security and risk management, at a certain maturity level, can contribute to the company’s stock value, and what role a security manager (e.g., chief information security officer [CISO]) plays in contributing to a company that is publicly perceived as a safe company. Is their share great because they are contributing to a well thought-out strategy that is aligned with the overall business strategy? Or is their share limited because they are only focusing on minor things such as pleasing the auditor? The 23 practical cases in this book show that good risk and security governance and management can actually bring value and create a competitive advantage.
Read Yuri Bobbert’s recent online-exclusive Journal article:
“Porter’s Elements for a Business Information Security Strategy,” ISACA Journal, volume 1, 2015.