Today I found a very interesting study, which at first seems to have no relation to strategy. Its title is “The global State of Information Security 2006”, a worldwide study by CIO, CSO and PriceWaterhouseCoopers. But inside the survey results some very interesting issues concerning strategy can be found. The survey authors asked participants to prioritise their activities. The results were more than surprising (for me too). The top three priorities of an information security executive are:
- Data backup;
- Network firewalls;
- Application firewalls.
I would not say that these are less important items, but last year’s number one was “Disaster recovery / business continuity”. The authors of the survey results described it this way: “When an individual thinks he doesn’t have enough information on which to base decisions…and for the most part, he’s not part of the planning process, what does he do?”
Now the statement: “Typically, he falls back on what he knows best. For information security executives, that means focussing on technology – on tactics, not strategies”.
There is just one item left for me to add: What I often observe in badly managed organisations is that (to be fair: in some cases, but not that seldom) people do what they know best (sometimes this is a good solution compared to a trial-and-error approach) or do what they like most. Hence improving those organisations could be easy….