When we begin to plan how best to protect our systems and organizations from intruders, it helps to think of those who maliciously attack the security of our organizations as entrepreneurs in their own right--though entrepreneurs of havoc and, in extreme cases, evil. As such, they are always looking for opportunities to be more effective and efficient. That means they frequently change their tactics as they seek to perfect their skills. As security planners, we must do the same to effectively deal with these attackers; that is, we must work with greater conviction and stay as fast on our feet as they are. In this article, I'd like to highlight what I consider to be the most important best practices when it comes to security planning. By using security planning best practices, and by understanding their complex interrelationships, you can see further into the future and better anticipate our advesaries’ next moves:

• Sell security, don’t force-feed it.

Demonstrate to your organization that security adds value, as opposed to presenting security as a necessary burden. Detail the value of security in terms businesspeople can understand.

• Remember that security planning is neither an absolute science nor an ad hoc process.

Security planning is a process that must be constantly managed and optimized, hence it can never be regarded as “finished.” Help people in your organization understand that security planning is an ongoing activity, not something you do until you reach some ultimate solution.

• Achieve balance when planning.

Avoid the extreme practices of ultra-planning and nonplanning. A lack of focus is the enemy of security.


• Prioritize and focus your information and infrastructure security planning and budgets.

Regularly perform security risk and impact analyses.

• Create a cross-organizational security planning team with an executive mandate.

Manage the effectiveness of your security plan through a structured quality management process.

• Plan security within the context of business, life cycle management, and technology.

Security planners must understand the plethora of technology they are protecting, not simply the tools designed to protect it.

• Treat security policies, procedures, and training as the backbone of your security plan.

Take into account the specific needs of your organization, regularly look for opportunities to introduce needed training materials, policies, and procedures or to improve existing ones.