I really didn’t know what to expect from a class titled “Strategy Formation and Organizational Design”.
There wasn’t even a textbook. Instead, we had a course pack of articles from the Harvard Business Review. I ended up liking this setup, not least because it was a solid $100 cheaper than a textbook.
My biggest lesson learned from this class? An MBA is grad school, y’all. I, a security engineer with an MS already under my belt, arrogantly thought business school would be easy.
I was wrong.
It may not be math and formulas, but it’s the same detailed analysis, critical thinking, and creative problem solving.
Michael E. Porter wrote a fair number of the assigned articles. If that name sounds familiar, it might be because of this ISC2 Insights article: https://www.isc2.org/Insights/2024/09/Elevating-Cybersecurity-Strategies-to-the-C-Suite-and-Board
The referenced Porter article, “What Is Strategy”, was the first assigned article. Second biggest lesson? Business school is an excellent investment. Business is coming for security, whether or not hackers like it.
Strategy, then, “is the creation of a unique and valuable position, involving a different set of activities.” Market position depends on what the organization is trying to achieve: Do one thing really well (Jiffy Lube — changes passenger car oil), target a very specific audience (Jimmy Choo — a luxury fashion house), or offer cheap goods/services to a specific audience (Rural King — a farm & feed chain).
So what is a security strategy? Considering “What Is Strategy” clocks in at 21 pages, I’m not going to fully answer that here. We have a unique and valuable position: secure the business. We have a set of activities: Choose a favorite framework. We do one thing really well: secure stuff. As always, the trick is to marry the security strategy to the overall strategy of the organization.
Week one also covered defining the organizational vision and core values. Specifically, these are values and a vision that will remain constant no matter what the market does or how consumer needs change. Walt Disney isn’t about any of its intellectual properties; it’s about making people happy. Unless the organization is in the business of providing security, it probably won’t show up in these vision or mission statements. That’s fine.
Week two focused on the external environment with a framework (I know, I know) called PESTEL: Political, Economic, Sociocultural, Technological, Environmental, and Legal. This is the part where we look outside ourselves and try to understand the context in which we operate. Stuff like Section 230, that security costs money instead of making it, that regular users circumvent security, that best practices change almost overnight, that the blockchain kills the environment, and how red teaming is a felony without consent. Now layer in the environment for any industry vertical. Take critical infrastructure: there are many regulations, the economy basically craters without us, the only time people think of us is when something breaks, SCADA was never secure by design, we pull resources directly from the environment, and various laws protect critical infrastructure.
Context matters.
Porter also defines the five forces: existing rivalry (Amazon / Walmart), threat of new entrants (startups), bargaining power of suppliers (rare earth minerals), bargaining power of buyers (price wars), and threat of substitute products or services (e-mail or snail mail). This is still externally focused, but more existential than PESTEL. It’s about how the industry market is doing and gives the talking heads lots to say.
Security has become an industry. There’s an eye-chart floating around the internet of security companies and their specialized technologies. We don’t buy a Splunk license and expect it to be a firewall; we’re going to buy a Palo Alto license, too. How the five forces affect security, and vice versa, will depend on the industry.
As external forces push on an organization, the organization pushes back. Another framework, the resource-based view, looks at the resources and capabilities of the organization. That’s what it sounds like: What do we have, and how do we use it?
This raises the obvious question: How do we know what resource matters when we’re identifying internal advantages? Answer: A set of yes/no questions. More to the point: How does security prove itself as a resource to an organization?
Is it Valuable? Not monetarily. If The Thing helps lower costs, or makes customers think more highly of the organization, it’s valuable. Yes, capitalism likes to create value for shareholders, but occasionally, someone else gets value, too.
Customers like knowing their information is private and secure. That’s valuable.
Is it Rare? Money isn’t rare. Patents are rare. Brand names are rare.
Security isn’t — or shouldn’t be — rare. Good and efficient security can be rare, judging by the amount of effort Amazon put into making S3 buckets secure by default.
Is it Costly to Imitate? Reverse engineering is a tedious process. Setting up a vertically integrated supply chain is complicated. If we want to compete with Google, we need a treasure chest to match.
Every organization’s security, by definition, depends on what the organization needs. What works for one organization may not work for a different one. So yes, security is costly to imitate.
Finally, can the organization actually take *advantage* of this gift of a resource? The Thing means nothing if it sits on a shelf, collecting dust.
This is where security often falls flat. We’re still not integrated into “the business”, not really. We get put into the corner, relegated to compliance checkboxes, a necessary evil in the cost of doing business. Security COULD become a competitive advantage for an organization. It’s not our fault as professionals that we’re not, but it is up to us to change the business’s perception of us.
Again, context matters. History matters. Decisions made over time often put organizations in a unique market position. Federal contracts matter: Would Coke be what we know it as today if the US Army didn’t give the boys on the World War 2 front a taste of home? Unlikely. When the war was over, Coke was perfectly positioned for broad international distribution.
Generic strategies exist. We can either be different enough that people want to pay a higher price (Apple), or we can be really cheap and get by on volume. The trick is sustaining that. If we want to take proper advantage of our Valuable-Rare-Costly resource, we should create a business culture that leans into being different.
It’s like diversity matters.
Everyone fights to be “first to market”, but that’s only half the battle. The other half is staying on top. Trade secrets, patents and copyrights only protect so much. Apple may have introduced the world to smartphones, but they’re not the only player in the game anymore. Same with electric cars, fitness trackers, home goods, and the rest of the products and services that fill our lives. This swings back to knowing our vision and core values. Apple isn’t about smartphones; it’s about making “the best products on earth and to leave the world better than we found it”. It’s not any individual product; it’s about the cult of Apple.
Of course, it sucks when some startup comes into the market and offers the same thing at half the cost. What’s an organization to do? If it won’t cannibalize sales, offer a cheaper version, maybe with fewer features. Offer supporting services, not more stuff, like extended warranties or installation. Fight head on, or just live with it. An example industry here is airlines. Delta and other full-service carriers have a hard time competing with budget airlines like Southwest, and it’s not for lack of trying. Delta Express didn’t last a decade, because trying to provide both full-service and no-frills to different customers is difficult. There are no simple answers here. It all depends on the unique situation. In theory, the guiding light of core values and organizational vision sees us through.
One strategy to be different is to go fishing in a different pond, called the “blue ocean” strategy. Basically, quit trying to compete over scraps and go create something new. It’s less about being first to market and more about re-defining the market. This framework is vaguely similar to the KonMari question of “Does this spark joy?” First, what just makes little sense? Eliminate it. What kind of makes sense, but in a lesser way? Reduce it. What is the market already doing, but not enough of? Raise it. Finally, what is simply absent? Create it.
An example is Cirque du Soleil. Gone are the animal shows of circuses past. Safety features for performers have improved, reducing danger while keeping the audience thrills. Tents gave way to magical venues, making a better environment for customers. Three rings shrunk to one, allowing them to create a spectacle of a story in every performance.
Look at the security processes, procedures, or policies in an organization. What started out making sense, but has become rubber stamp approvals? Eliminate them. Stop doing paperwork for the sake of it. What processes can be automated? Reduce the amount of human time work takes. What tools are already in place, but aren’t fully used? Take full advantage of those expensive license fees. Once the foundation is in place, identify what’s missing, and make it.
Note that I never said it would be easy.
So how do we create value? What do people look for in this mysterious value? The infamous shareholders look at cash flows. If we only make 8% returns, but have to pay 8% interest on all the business loans needed to create that growth … then we’re treading water, not actually growing. The cash flows ARE like pie — the more investors or creditors, the less cash each individual can receive. Expectations matter, too. If we expect growth, and it doesn’t appear, we’re disappointed. It’s the same way we roll our eyes when we hear “Please hold, call volumes are higher than expected.” If all other financial indicators are equal, expectations make a difference.
Finally, common sense matters to value, aka the “best owner” principle. It makes little sense for a Procter & Gamble brand to acquire or merge with a General Motors brand. The two are just too different. It will not save on costs for either side, or make either side more appealing to consumers. Mileage may vary in what makes up common sense.
It also matters how the shareholders and corporate boards interact. If the board sets strategy, and strategy takes time to execute before it shows value, then it’s not helpful for the board to change direction mid-stride. Board members with conflicts of interest pull companies in different directions. Shockingly, it’s difficult to meet quarterly Wall Street demands AND create value for someone other than the shareholders.
It’s also hard to get a group of people, like a board, to agree long enough to let a long-term strategy play out.
The last topic is globalization. Information may be global, but imports and exports are still a minority compared to domestic operations. It’s one thing to conquer a domestic market, but consumers on different continents want different things. Even our old-fashioned American fast-food chains offer different menus in different markets. The takeaway here is going global is possible, but not something to go after on a whim.
Surprised at the depth of the analysis involved in the business of doing business? Yeah, I was too. Like I said at the top, it turns out an MBA really is grad school.