
Definition and prioritization of strategic initiatives

In the document Information Security (Pages 142-145)

The information-security strategy

5.8 Definition and prioritization of strategic initiatives

A simple approach to defining the initiatives that make up the strategy would be to define one initiative per strategic requirement and to prioritize them according to some predefined criteria. This, however, is unlikely to be the most efficient strategy, as such a method takes no account of other activities that will be ongoing during the same period. A better approach is to gather information on future projects and to define and prioritize initiatives in such a way as to obtain as much benefit as possible from possible synergies.

At The Secure Bank, not only are we not allowed to see the strategy document, but there is also no centralized control over project activity (although this was introduced later in the form of a program management team).

Hence, it is necessary to piece together a project roadmap for the future based on information we can glean from stakeholders. The result is far from ideal but will allow us to order some initiatives so as to take advantage of likely synergies. The project roadmap we derived is displayed in Figure 5.2.

A few comments are in order at this point:

The “Introduction of New Tariffs” and “Implement New Accounting Rules” projects have no impact on information security and can therefore be ignored.

Apart from the cost-cutting exercise and the initiative to offer personalized information to private-banking customers over the Web, dates are only a best guess based on discussions with stakeholders.

There is a high degree of uncertainty associated with the planning of the last project, to the extent that no sensible date could even be guessed at this point.

Although the possibilities are rather limited, some synergies can be realized here. To start with, we decide to begin work on designing the architecture immediately, even though we do not yet have a budget, in order to be ready to contribute to the Internet home banking initiative when it starts in the second quarter of 1999. This is realizable, as the design stage can be achieved with a small team and costs can be absorbed as part of daily business. As designing an IT security architecture typically takes from 3 to 6 months, this will allow us to develop the essential ideas before the home banking project begins.

Table 5.6 Last Strategic Requirement

Id: R15
Strategic Requirement: The organization shall reduce expenditure related to information security in line with management directives.
Underlying Issue: Issue I30: Management’s decision to reduce expenditure globally by 25% over the next 18 months.

The resolution of requirement R15, reduction of expenditure, must start immediately, as the planning for this has been fixed by executive management. This is an example of a strategic initiative for which there is absolutely no flexibility in terms of planning. The same is not true, however, for requirements R9, R11, and R12, all of which are concerned with confidentiality and privacy issues. The resolution of these issues is planned to start in the first quarter of 1999 to take advantage of the work that has been carried out with the marketing department regarding the privacy issue.

Requirement R10 is effectively preparation for the plans to close down operations in Asia and the Middle East and to restructure the branch office network. It therefore makes sense to plan to do this work in the second quarter of 1999. This date is chosen to coincide with other preparation activities that will be ongoing at this date. For the remaining requirements, there is little to be gained from planning around this vision of future projects, so these initiatives will be prioritized based on their degree of difficulty, likely cost, and likely impact on risk.

We note in passing that this prioritization results in the production of the information-security policy almost a year after we start our mission. The reason that this doesn’t really result in any problems is that we introduced risk analysis as an essential tool early on in the consolidation period. This approach also has the benefit of encouraging managers to think in terms of risk first and policy afterwards, which leads to more conscious decision making.

Figure 5.2 Derived project roadmap for The Secure Bank. (Timeline from 1998 to 2001 showing: Cost cutting; Personalized info. on Web (private banking); Introduction of new tariffs; Internet home banking (private banking); Stop activities in Asia and Middle East; Implement new accounting rules; Restructuring of branch offices; Extended Internet services, with no date yet assigned.)

With this last exercise completed, we finally have enough information to define and prioritize the initiatives that collectively comprise the strategy. In order to further simplify tracking, it is a good idea to group initiatives into themes or tracks. The successful completion of a track should represent the termination of a logically connected series of projects. At The Secure Bank, we define the following tracks and initiatives. The strategic requirements satisfied by each initiative are listed in parentheses following the name of the initiative. Note that some requirements are satisfied using a stepwise approach. For instance, requirements R9, R11, and R12 are resolved by first defining suitable policy statements (initiative 2.1) and later describing how these policy statements are to be satisfied in particular situations (initiative 2.2).

Track 1: Consolidation
1.1 Consolidation
1.2 Architectural design (R5)

Track 2: Framework initiatives
2.1 Policy (R1, R2, R9, R11, R12)
2.2 Standards (R6, R9, R11, R12)
2.3 Risk-management methodology (R3)
2.4 Information-security training (R8)
2.5 Administration procedures (R4)
2.6 Technology watch (R13)

Track 3: Technical initiatives
3.1 Secure mail solution (R7)
3.2 Information-security Web site (R14)
3.3 IT security architecture (R5)
3.4 Analysis of technical developments (R13)

Track 4: Operational initiatives
4.1 Support for restructuring/closure of operations (R10)
4.2 Cost control (R15)

A high-level plan, showing how the four tracks are spread over time, is shown in Figure 5.3. Although the consolidation period is not strictly a part of the strategy, it has been included for completeness. When the final document is produced, a short description of the initiatives carried out during the consolidation phase will help readers understand the background to the remaining activities. We show the planning details here to illustrate the method, but this level of detail will not be included in the strategy document itself. Of course, this high-level planning provides the basis for the strategic plan as explained in Section 4.5.3.


When finalizing the strategy, it is important to remember that resource constraints have not been taken into account. The high-level plan that underpins the strategy is therefore an ideal. This fact will emerge when this high-level blueprint is turned into a strategic plan and, for some initiatives, it will be necessary to either reschedule the activity or request additional resources at the proposal stage.
