A security plan needs a clear objective: what it is expected to achieve and what it will be used for. The action parties identified as accountable should follow up on operationalising the plan. However, most of the time, people rush into writing it. The plan ends up with incoherent objectives and becomes fragmented, raising more queries than it resolves. That is an example of a poorly written plan.
A good plan should adopt a "SMARTER" approach to keep it concise and relevant to its audience. Being explicit and actionable, identifying the right custodian, and assigning clear responsibilities are the traits of a good plan.
So start off by visualising the big picture of what the security plan will cover. Draw it out. The example below depicts the overall high-level coverage of a comprehensive security plan. A good appreciation of the scope and of each area needs domain expertise. Augmenting the plan with subject matter expert insight makes it more realistic, not just a high-level pitch document.
Do not be over-ambitious and try to cover everything in one go. In the context of the organisation, prioritise and rank the key domains to deliver first. Divide and conquer. Identify the leads in charge of each domain and run through their delivery expectations with them. You have to lead the way in reconciling the final plan. My suggestion is to give constant reminders and to sync up on SMARTER strategies throughout their development journey. One incident plan template here.
Be Specific - Identify the problem statement in the assigned domain and outline the intent of the plan.
Be Measurable - Set key performance indicators (KPIs) for what counts as a successful execution of the plan. These can be benchmarks that help management appreciate the usefulness of the plan and how well it is being implemented.
Be Actionable - Lay out the actions to be taken and, where possible, list out the discrete steps. An action party is a necessity. There is no point having a plan that cannot be understood or that gives no instruction on what has to be executed. Clear steps and actions are critical.
Be Realistic - The plan has to fit its context and be well balanced on the complexity and implications involved in executing it. Resource availability and organisational policy enforcement are typical bugbear constraints.
Be Time-bound - This is the toughest part, as no one likes to be chased by a deadline, but it is a necessity when taken in a positive light. A limited time actually "forces" us to prioritise what can be done within the agreed timeline. Cover the important, address the urgent, and shelve the "good to have" for a subsequent revision of the plan.
Be Engaged - Put yourself in the reader's shoes and address the audience's expectations, or at least hear out what they see as needed in the plan. Run workshops and conduct interviews to get a good sense of the list of requirements and expectations. Adopt an agile approach: run iterative cycles of engagement with the stakeholders.
Be Reviewed - There is no point having a plan that only you can understand. Avoid confirmation bias. Reflection is key to staying open to the optimal changes that would enhance the plan. Conduct peer reviews. Compile the reviews and changes into the overall plan and submit it for approval. Allow a sufficient buffer for all of these activities.
As a whole, show empathy when engaging with the stakeholders and action parties. They need time to digest the plan and provide feedback. Stay positive: the journey to complete the whole plan needs resilience to manage the various team dynamics. And always look forward to a SMARTER plan!