Today I found a very interesting study, which seems to have no relation to strategy. Its title is “The global State of Information Security 2006”, a worldwide study by CIO, CSO and PriceWaterhouseCoopers. But inside the survey results some very interesting issue concerning strategy can be found. The survey authors asked participants to prioritise their activities. The results were more than surprising (for me too): The top three of an information security executive are:

1. = Data backup, 
2. = Network firewalls; 
3. = application firewalls.

I would not say that these are less important items, but last year’s number one was “Disaster recovery / business continuity”. The authors of the survey results described it that way: “When an individual thinks he doesn’t have enough information on which to base decisions…and for the most part, he’s not part of the planning process, what does he do?”

Now the statement: “Typically, he falls back on what knows best. For information security executives, that means focussing on technology – on tactics, not strategies”.

There is just one item left for me to add: What I often observe in bad managed organisations is that (to be fair: in some cases, but not that seldom) people do what they know best (sometimes is this a good solution compared to a try and error approach) or do what they like most. Hence improving those organisations could be easy….