Project 4: Enterprise Cybersecurity Program Step 10: Evaluate for Policy Improvements
The previous steps dealt with the element of practice in an enterprise cybersecurity program. In this step, turn your attention to policy. Using notes taken in earlier steps as well as the Defense Framework Enhancement Proposal and the Cybersecurity Framework Report, compile a list of the policies that will best support the cybersecurity framework.
As the CISO, you will be expected to consider both strategic foresight leadership and strategic alignment to core business functions when reviewing cybersecurity policies. Include potential policy improvements or solutions to missing elements for your financial services organization. Note positives and negatives of aspects of each policy. The next step will build upon this work.
Strategic foresight leadership is what holds together every successful organization. The concept is used in the Department of Defense, Defense Industrial Base, and successful companies nationally and internationally, but is not commonly used or executed well across other federal agencies or many private sector communities.
Organizations gain an advantage when they rely on robust, sound, and mature strategic foresight management processes to understand upcoming external changes in relation to internal capabilities and drivers, recognize long-term threats and opportunities, and position the organization’s capital assets to address them (Nordmeyer, n.d.).
Strategic foresight leadership “maintains the alignment of an organization’s activities and resources with its vision, mission and strategy to improve financial and operating performance,” and strategic advantage (Nordmeyer, n.d.). It provides a means to convert a strategic-foresight plan into a sound, mature framework that supplies feedback and tracking of foreseeable changes and behaviors, and allows the strategic [foresight] plan to evolve as an organization’s operating environment, objectives, and operating requirements change (Cleland, 1996).
Strategic foresight flourishes if it motivates the organization to learn more effectively and to be more inventive in developing strategies and initiatives, and if it helps to pursue the organizational vision with more compelling results (Rainey, 2010).
Strategic Foresight Leadership
Mastery of Strategic Foresight Leadership
In mastering strategic foresight, all leaders will achieve superior professional performance in top-notch, actionable, forward-looking thought leadership relevant to strategic intelligence, vision alignment, foresight-strategy and policy design, risk assessment, collaborative strategy and innovation, adaptive leadership development, and stakeholder engagement. This mastery is imperative in all fields of business, more specifically the field of cybersecurity.
Strategic foresight looks ahead and develops contingency and operational plans for an organization in “volatile, complex and uncertain environments” (Amniattalab & Ansari, 2016, p. 1650040-2).
The federal government uses the National Science and Technology Council’s (NSTC) Federal Cybersecurity Research and Development Strategic Plan to guide foresight planning, strategic policy making, and implementation of cybersecurity plans (NSTC, 2016). This plan can also serve as a model for development of strategic plans and policies for cybersecurity within other levels of government and private sector organizations. Whether used in the public or private sector setting, the objectives of strategic foresight are to (Amniattalab & Ansari, 2016):
foster innovation and provide input for policy formation
indulge in strategic thinking
discover investment opportunities
generate visions for the future
anticipate significant challenges
trigger actions
promote discussion and debate about alternatives
Emerging technology, system vulnerabilities, and both internal and external threats increase the necessity of strategic foresight with respect to cybersecurity in order to ensure operational efficiency, effectiveness, and security. Ultimately, the strategic foresight planning process seeks to get leaders to “stop thinking incrementally and start thinking exponentially” (Kamensky, 2013, p. 36).
Why Does Strategic Foresight Matter?
Effective strategic foresight planning requires organizations to project further into the future than is characteristically done in strategic planning (five to 10 years). Strategic foresight regards the organization’s vision within the framework of its environment. Scenarios allow an organization to do both: look into the future (usually 10 to 50 years) and consider expected and visionary potentials. Bezold (2010) argues that scenarios should consider a variety of predictable (most likely), challenging (what could go wrong), and visionary (unpredictably successful) possibilities.
Author Maree Conway, in a presentation on strategic foresight, notes that the key to any strategy is building the future of the organization, not the present. “All of our knowledge is about the past, but all of our decisions are about the future”; however “future strategy is developed in the present. How do we integrate intelligence about the past, present and future to create prudent strategic-foresight management and strategies today?” (Conway, 2007).
Conducting a global strategic examination of the organization’s posture, emotional intelligence, competitor intelligence, competitive intelligence, business intelligence, and social intelligence will provide a clearer focus for strategic foresight planning and development. Another key factor is to establish discussion between stakeholders about future threats and opportunities, clarify risks and potential impacts, evaluate action options in possible future scenarios, and develop plans to address contingencies that may occur (Alizadeh et al., 2016).
Although current approaches are largely qualitative, trend analysis, emerging issues analysis, quantitative benchmarks, and cross-impact analysis are needed in strategic foresight management (Conway, 2007). Sound, robust, and mature strategic foresight frameworks integrate steps into the process. This allows decision makers time at the start of the process to judge potential future events and possible ramifications of strategy “rather than reacting to future events which might undermine that strategy by the time those events become apparent” (Conway, 2007).
What Is Strategic Foresight?
Definitions according to Ruben Nelson (2015), executive director of Foresight Canada:
What is strategic foresight?
A way of thinking about the future, beyond the conventional, that helps organizations develop futures-ready strategy.
Futures-ready strategy is agile strategy, flexible enough to deal with whatever challenges and opportunities the future brings. It supports resilience and adaptive capacity development for people in organizations.
At its base, strategic foresight is about understanding and responding to changes in the external environment of your organization proactively.
How does strategic foresight relate to the work of management and operations?
Strategic foresight provides “a coherent context within which both management and operations can take place.”
What then is the obligation of leaders to engage in strategic foresight?
Leaders must engage in strategic foresight in order to assess the implications of a changing context, which in turn implies that leaders must develop the new competencies involved in understanding, valuing, and contributing to strategic foresight. Nelson also notes that any commitments that “flow from serious strategic foresight work” must be made and “owned” by the organization.
What are the benefits of foresight? (Bezold, 2010)
dealing with problems when they are easier to solve
improving perception of opportunities and options
clarifying vision- or mission-focused objectives
generating audacious goals that motivate and align effort
monitoring the future to check plans
What are the challenges to effective foresight? (Bezold, 2010)
We’re too busy to think about that.
That (thinking about the future or dealing with solutions beyond the current approach) is not my responsibility.
It is impossible to do effective forecasts for many subjects.
Politically sensitive issues would prohibit considering necessary alternatives.
The organization is locked into world views and has assumptions that we do not even recognize.
The Benefits of Research in Strategic Foresight Leadership
Increasing instability, uncertainty, and improbability make sound strategic decision making even more challenging. Further research and development in the area of strategic foresight leadership and planning will help organizations gain better insight into the future business and strategic threats landscape (Conway, 2007).
Programs that combine methodologies of futures work with those of strategic management and provide skills and tools for preparing better strategic-foresight plans are the latest efforts. Among the various forecasting tools is the Delphi Method, in which experts and stakeholders are surveyed and the results are compiled and evaluated to find consensus upon which to formulate plans (Proskuryakova, 2016).
Having clearer road maps to guide organizations to success and gaining new tools and practices will dramatically modernize strategic steering (Conway, 2007).
References
Alizadeh, R., Lund, P. D., Beynaghi, A., Abolghasemi, M., & Maknoon, R. (2016, March). An integrated scenario-based robust planning approach for foresight and strategic management with application to energy industry. Technological Forecasting and Social Change, 104, 162-171. http://dx.doi.org.content.umgc.edu/10.1016/j.techfore.2015.11.030
Amniattalab, A., & Ansari, R. (2016, April). The effect of strategic foresight on competitive advantage with the mediating role of organisational ambidexterity. International Journal of Innovation Management, 20(3), 1650040-1650058. doi: 10.1142/S1363919616500407
Bezold, C. (2010). Lessons from using scenarios for strategic foresight. Technological Forecasting & Social Change, 77 (Strategic Foresight), 1513-1518. doi:10.1016/j.techfore.2010.06.012
Cleland, D. I. (1996). Strategic management of teams. John Wiley & Sons.
Clinton, L. (2015, Winter). Best practices for operating government-industry partnerships in cyber security. Journal of Strategic Security, 4(8), 53-68. http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1456&context=jss
Conway, M. (2007, November). Strategic foresight: Linking foresight & strategy. Thinking Futures presentation. https://www.slideshare.net/mkconway/building-a-strategic-foresight-capacity-presentation
DeHaas, D., & Powers, E. (2016, January/February). Sharpening the board’s role in cyber-risk oversight. NACD Directorship, 42(1), 67. Accession number: 112856275
Government Accounting Office (GAO). (2010, July). OMB’s dashboard has increased transparency and oversight, but improvements needed. http://www.gao.gov/new.items/d10701.pdf
Kamensky, J. (2013, May/June). Taking the long view. Government Executive, 45(3), 35-37. Accession number: 87956404
Metcalfe, L., & Lapenta, A. (2014, February). Partnerships as strategic choices in public management. Journal of Management & Governance, 18(1), 51-76. doi: 10.1007/s10997-012-9233-6
National Science and Technology Council (NSTC). (2016). Federal Cybersecurity Research and Development Strategic Plan. https://permanent.access.gpo.gov/gpo65956/2016_Federal_Cybersecurity_Research_and_Development_Stratgeic_Plan.pdf
Nelson, R. (2015, May-June). Strategic foresight: A new obligation for boards of directors. Board Leadership, 139. doi: 10.1002/bl.20035
Nordmeyer, B. (n.d.). The importance of strategic management vs. strategic planning. http://yourbusiness.azcentral.com/importance-strategic-management-vs-strategic-planning-17329.html?
Palmer, A. (2016, February). A model framework for successful cybersecurity capacity building. Journal of Internet Law, 19(8), 15-19. Accession number: 113004690
Proskuryakova, L. (2016, June 2). Energy technology foresight in emerging economies. Technological Forecasting and Social Change. doi:10.1016/j.techfore.2016.05.024
Rainey, D. L. (2010). Sustainable business development: inventing the future through strategy, innovation, and leadership. Cambridge University Press.
Sarpong, D., & Maclean, M. (2016, August). Cultivating strategic foresight in practice: A relational perspective. Journal of Business Research, 69(8), 2812-2820. http://dx.doi.org.content.umgc.edu/10.1016/j.jbusres.2015.12.050
Shimamoto, D. (2012, March). A strategic approach to IT budgeting. Journal of Accountancy, 213(3), 38-44. Accession number: 72928084
Taylor, A. (2009). How strategic budgeting can control cost while improving performance. Journal of Corporate Accounting & Finance, 20(3), 53-58. Accession number: 36783189
Core business functions are those activities that are essential for an organization to exist.
Within the private sector, core business functions are the “production of final goods or services intended for the market/for third parties, carried out by the enterprise, and yielding income” (Nielsen, 2012).
Within the public sector, core business functions are the primary activities of the organization, as defined by the executive or legislative branches. Support functions, such as marketing, distribution and logistics, research and development, administration and management, and information technology and cybersecurity, support the core business functions (Nielsen, 2012).
The next transcript is from a video…
Cybersecurity Framework Shared comprises public domain material from the National Institute of Standards and Technology, U.S. Department of Commerce. UMGC has modified this work.
Cybersecurity Framework Shared
>> The cyber security framework in our mind has been so successful, because it has very large broad appeal to many organizations. Small, medium businesses, large organizations.
>> It helps us communicate risk in ways that everyone understands, from the server room to the board room.
>> It provides companies with a common language. So, whether you’re a CEO or you just walked into a company the first time as a new employee. It’s something that you could feasibly grasp.
>> One of the things that is so exciting is that this is moved out of being just a public policy conversation, and it is moving into being a business strategy conversation. So I find that really cool.
>> It talks a lot about how an entity should assess their risks and it gives them a lot of flexibility, so it’s not a one size fits all model.
>> The fact that you know, you have this flexibility inside the framework. It’s something that is really new in the context of standards and the similar things.
>> It cuts across all different segments, whether it’s manufacturing, agriculture. It’s a framework that can be used across many areas, many businesses, etcetera. So therefore, it’s a very inclusive type of framework.
>> My belief is, it’s really the most comprehensive view of the full set of things you need to do.
https://www.nist.gov/video/cybersecurity-framework-shared
Project 4: Enterprise Cybersecurity Program Step 11: Compose the Cybersecurity Policy Report
Using the evaluation of policy improvements in the previous step, as well as the Defense Framework Enhancement Proposal and the Cybersecurity Framework Report, create a brief, one- to two-page description of how these policy solutions should be incorporated into the given framework. The description should thoroughly analyze the positives and negatives of all policy aspects of the foundational framework.
Submit the Cybersecurity Policy Report for feedback before moving on to the next step. Integrate feedback into this report to be used in the development of the final Enterprise Cybersecurity Program Report.
Submission for Project 4: Cybersecurity Policy Report