Security Strategy: From Requirements to Reality, 1st Edition (Paperback) book cover

Security Strategy

From Requirements to Reality, 1st Edition

By Bill Stackpole, Eric Oksendahl

Auerbach Publications

346 pages | 23 B/W Illus.

Purchasing Options:$ = USD
Paperback: 9781439827338
pub: 2010-10-13
SAVE ~$18.19
Hardback: 9781138440463
pub: 2017-07-27
SAVE ~$41.00
eBook (VitalSource) : 9780429152160
pub: 2010-10-13
from $43.98

FREE Standard Shipping!


Addressing the diminished understanding of the value of security on the executive side and a lack of good business processes on the security side, Security Strategy: From Requirements to Reality explains how to select, develop, and deploy the security strategy best suited to your organization. It clarifies the purpose and place of strategy in an information security program and arms security managers and practitioners with a set of security tactics to support the implementation of strategic planning initiatives, goals, and objectives.

The book focuses on security strategy planning and execution to provide a clear and comprehensive look at the structures and tools needed to build a security program that enables and enhances business processes. Divided into two parts, the first part considers business strategy and the second part details specific tactics. The information in both sections will help security practitioners and mangers develop a viable synergy that will allow security to take its place as a valued partner and contributor to the success and profitability of the enterprise.

Confusing strategies and tactics all too often keep organizations from properly implementing an effective information protection strategy. This versatile reference presents information in a way that makes it accessible and applicable to organizations of all sizes. Complete with checklists of the physical security requirements that organizations should consider when evaluating or designing facilities, it provides the tools and understanding to enable your company to achieve the operational efficiencies, cost reductions, and brand enhancements that are possible when an effective security strategy is put into action.


This book focuses on the process, objectives, and controls of security strategy. It consists of two sections: Strategy (6 chapters) and Tactics (8 chapters). The sections include strategy how-to’s and security tactics, which support the realization of security. The strategy portion is aimed at executives, whereas the tactics portion is geared toward security professionals. … The authors—both security veterans—share many personal anecdotes. They use relevant quotes and concisely illustrate their points. The book addresses security quality attributes promoted by the Architecture Tradeoff Analysis Method (ATAM) and used in the Sherwood Applied Business Security Architecture (SABSA) framework … .

—A. Marlen,

Table of Contents


Strategy: An Introduction

Strategic Planning Essentials

Strategic Planning Process Evaluation

Security Leadership Challenges

Getting Started

Other Challenges for Security and Strategic Planning

When Strategic Planning Should Be Conducted

Metaphor Analysis and Strategic Planning

Creating a Security Culture

Security Continuum (Moving toward a Security Culture)

Getting to the Big Picture

Background (Why Should Security Bother with Strategic Planning?)

Menu of Strategic Planning Methods and Models

Which Strategic Planning Tools?

What Are Security Plan Essentials? (Analysis, Planning, and Implementation)

When Should Strategic Planning Be Done?

Six Keys to Successful Strategic Planning

Myths about Strategic Planning

Barriers to Strategic Planning

Overcoming Negative Perceptions of Security

Developing Strategic Thinking Skills

Testing the Consumer

Defining the Consumer Buckets

Quick Customer Assessment

Designing Customer Feedback Surveys

Deploying a Survey

Measuring Customer Satisfaction Results

Integration of Consumer Data

Strategic Framework (Inputs to Strategic Planning)

Environmental Scan

Regulations and Legal Environment

Industry Standards

Marketplace–Customer Base

Organizational Culture

National and International Requirements (Political and Economic)

Competitive Intelligence

Business Intelligence

Technical Environment and Culture

Business Drivers

Additional Environmental Scan Resources

Scenario Planning

Futurist Consultant Services

Blue Ocean Strategy versus Red Ocean Strategy

Future (the Need to Be Forward Looking)

Developing a Strategic Planning Process

Process and Procedures

Get Ready to Plan for a Plan

Planning, Preparation, and Facilitation

Building a Foundation for Strategy (High, Wide, and Deep)

In the Beginning

Implementation (a Bias toward Action and Learning)

Feedback, Tracking, and Control


Best Strategies (Strategies That Work)

Gates, Geeks, and Guards (Security Convergence)

Benefits of Security Convergence

Convergence Challenges

Success Factors


Tactics: An Introduction

Tactical Framework

Objectives Identification

First Principles

Layer upon Layer (Defense in Depth)

Defense-in-Depth Objectives Identification

Information Environments


Environmental Objectives

Did You See That! (Observation)

Observation Objectives

Drivers and Benefits for Excellence in Observation

Observation Challenges

Success Factors and Lessons Learned

Excellence in Observation Control Objectives

Trust but Verify (Accountability)

Unmatched Value of Accountability

Comprehensive Accountability Challenges

Best Uses for the Accountability Tactic

Comprehensive Accountability Identity Objectives

Comprehensive Accountability Audit Objectives

SDL and Incident Response


(SDL)2—Software as a Service Extensions (SaaS)

Transition Objectives

Rapid Response

Keep Your Enemies Closer

Hire a Hacker Objectives

The Hire a Hacker Controversy

Success Factors and Lessons Learned

Control Objectives

Hire a Hessian (Outsourcing)

Security in the Outsourcing of IT Services

Security in the Outsourcing of Security Services

Outsourcing of Security Services Objectives

Challenges to Outsourcing Security Services Success Factors and Lessons Learned

Outsourcing Security Services Control Objectives

Security Awareness Training

Staff Development Training

Security Awareness Training

Awareness Training Drivers and Benefits

Industry Training Trends and Best-Practices Examples

Training Resources

Awareness Training Challenges

Success Factors and Lessons Learned

How Do You Know if Your Training Is Successful?

Appendix: Physical Security Checklists

About the Authors

William “Bill” Stackpole, CISSP/ISSAP, CISM, former Principal Security Architect for Microsoft Online Services, has more than 25 years of IT experience in security and project management. In his past position, Bill provided thought leadership and guidance for Microsoft’s Secure Online Services Delivery Architecture. Before joining Microsoft, Bill was a principal consultant for Predictive System, an international network consultancy where he was the architect and promoted the application security business. Bill holds a B.S. degree in Management Information Systems, a CISSP with an Architecture Professional endorsement. He is co-author of Software Deployment,Updating, and Patching (Auerbach, 2007) and a contributing editor to Auerbach’s Handbook on Information Security Management (Krause and Tipton). Bill is a former chair for the CISSP Test Development Committee and a current member of the (ISC)2 Common Body of Knowledge committees for the CISSP and ISSAP certifications.

Eric Oksendahl, former Security Strategist for Boeing, has more than 25 years of experience as a business management consultant, senior facilitator, teacher, and program manager. At Boeing, Eric facilitated strategy development and implementation for the Security and Fire Protection division, including physical and information security. He designed and coordinated the use of strategy development and initiative deployment to integrate security practices into key business processes (e.g., international sales campaigns). Prior to that, Eric was a program manager at the Boeing Leadership Center where he conducted leadership development courses around the world that included Boeing management, supplier management, and customer management. Eric holds a B.A. from Montana State University and an M.A. in Communications from the University of Washington.

Subject Categories

BISAC Subject Codes/Headings:
COMPUTERS / Information Technology
COMPUTERS / Security / General