Most of the programs I ran used calendar years for project planning, budgets, etc. I always found November to be a good time to reflect on the progress made, plan for the next year, and give thanks for all the positive steps in the right direction. In general, I followed the SWOT(T) method for evaluating my program, team, and organization. I found it rather easy to follow, and I really liked when the team and other associated groups would provide feedback.
It’s not a perfect method; however, I do believe in reflection, and this method has greatly helped me over the years. I also added my own “T” to the end of the cycle, which stands for “Thanks”. Give thanks to those that helped you achieve any success you have had. Be intentional about it. Create specific awards (if they don’t already exist for things like risk mitigation and identification) as a way to publicly recognize people outside of your team who are helping you achieve success. I think this is often forgotten amongst the rush to close and start new projects.
What is SWOT(T)?
SWOT(T) Analysis is a technique for strategic planning that highlights the Strengths, Weaknesses, Opportunities, and Threats to a program or an organization. Teams can use SWOT(T) to optimize their regular activities, clarify areas for improvement, and set objectives to enhance their performance in a competitive market. Conceived by management consultant Albert Humphrey in the ’60s and ’70s, SWOT(T) has evolved into a question format meant to spark constructive strategy amongst collaborators.
A couple of tips when you perform a SWOT(T): Have your team do their own analysis and bring the results back as a group to discuss. Have an employee lead the session. It’s a great leadership growth opportunity and grants your team the ability to contribute directly to strategic planning.
I also think it’s invaluable to get contributions from other teams you work with. IT should have the ability to do one for your program, and the business should also have input. Who are the largest internal customer groups? Give them the opportunity to generate strategic feedback. It is easy to remain myopic as we focus on our issues. But when you hear back from, say, a development or accounting team, you can identify areas you may not even know you needed to work on.
Let’s do a quick breakdown on an InfoSec SWOT(T)
Strengths: Recognize the characteristics of the security program or culture that give it an advantage.
Some helpful questions to ask during this phase include:
- What advantages does your program/team have?
- What do you do better than anyone else?
- What unique or lowest-cost resources can you draw upon that others can’t?
- What do people in your organization see as your strengths?
- What factors mean that you “move the needle”?
- What makes your team and program the right one for the organization?
Weaknesses: Outline characteristics of the security program or culture that put the team at a disadvantage.
During this phase, some helpful questions to ask might include:
- What areas is the program weak in? Skills? Technology? Visibility?
  Maybe you are just weak in project execution as an organization. One true way to be a business enabler is to invest time into better execution as an organization, which benefits your program as a result.
- What could you improve?
- What should you avoid? (You can include a quick stop, start, continue method here)
- What areas are people in your company likely to see as weaknesses?
- What factors cause your team to lose credibility?
Opportunities: Highlight elements in the environment that the security program or culture could exploit to its advantage.
Helpful questions to ask during this phase:
- What good opportunities are there for your team and program?
- What interesting trends are you aware of?
Useful opportunities can come from a variety of sources, such as:
- Changes in technology and markets on both a broad and narrow scale.
- Changes in government policy related to your program.
- Changes in social patterns, population profiles, lifestyle changes, and so on.
- Local events and information sharing.
Threats: Identify elements in the environment that could cause trouble for the security program or culture.
It is easy to focus on adversarial threats or external threats during this phase. However, you should and must consider internal threats to your program as well. Who are the security detractors internal to your organization? Who might pose a threat to achieving your goals? Once identified, you should add them to the opportunity portion. This represents an opportunity to turn detractors into fans of infosec with time and effort.
Several helpful questions to ask during this phase can be:
- What obstacles does the program face?
- What are your peer programs doing?
- Are standards or regulations changing?
- Is a changing business or technology rollout threatening your program or progress?
- Have you noticed underinvestment from the business?
- Could any of your weaknesses seriously threaten your program?
Thanks: Last but not least, thank and recognize those that have helped move the needle for the security program or culture.
No team is successful alone. Take the time to appreciate all the others in the organization that help your team. This is invaluable for changing a culture.
Once you receive feedback from the team and other groups, don’t be defensive. Actually listen and internalize it. Find the commonalities amongst the feedback and cluster them together. This will give you a great idea of the areas to focus on over the course of the next year, some of which may surprise you. This feedback can inspire you to formulate new strategies to address areas for growth.
You can get as down and dirty or as fancy as you want when performing SWOT(T). Just going through the exercise initially is a massive step towards empowering your employees to provide and improve the overall InfoSec strategy.
Performing an annual SWOT(T) will make the program better. It doesn’t take much time to do and is an invaluable exercise for improvement.
Links to help you through a SWOT(T):