

IT Strategic Planning: Meaningful Exercise or Check Mark on Compliance?


IT Strategic Planning. It’s been known to elicit cringes from those responsible for its development. Like many things ISP-related, most organizations document an IT Strategic Plan because they have to, not because they find it valuable. Creating a 3-5-year IT project list does not constitute an IT Strategic Plan. Many times a Director or senior executive has come back from a conference and said “let’s do this now!” instead of aligning that project with a true strategic plan.


IT Strategy + Information Security Program 

You may recognize SBS’ ISP flowchart below – but have you noticed that the IT Strategic Plan sits atop the ISP? Have you ever wondered why? How does an IT Strategic Plan help you to build and manage an ISP?


IT strategic planning also holds a prominent place right at the beginning of the FFIEC’s Management Handbook. Clearly, it’s an important component of an overall Information Security Program. So, what makes the difference between a plan whose creation and maintenance is a meaningful exercise and one that is just a check mark on compliance? At a minimum, transparency from Senior Management regarding the Bank’s Strategic Plan, as well as participation from Senior Management to ensure the Bank’s strategic initiatives are aligned with how the institution plans to deploy technology in the future, both internally and toward customers (that is, with an IT Strategic Plan).



To make our case, let’s look at what the regulation (the FFIEC IT Management Booklet) says.

I.A.2(a) Executive Management: 

Executive management develops the strategic plans and objectives for the institution and sets the budget for resources to achieve these objectives.

I.A.2(b) Chief Information Officer or Chief Technology Officer: 

The CIO or chief technology officer (CTO) is responsible and should be held accountable for the development and implementation of the IT strategy to support the institution's business strategy in line with its risk appetite. The CIO or CTO should play a key role in the strategic planning as well as supporting activities of peers in various lines of business.

I.A.2(c) Chief Information Security Officer: 

The chief information security officer (CISO) is responsible for overseeing and reporting on the management and mitigation of information security risks across the institution and should be held accountable for the results of this oversight and reporting.

I.B.6(a) Strategic IT Planning: 

Strategic IT planning should address long-term goals and the allocation of IT resources to achieve them. Strategic IT planning focuses on a three- to five-year horizon and helps ensure that the institution's technology plans are consistent and aligned with the institution's business plan. The IT Strategic Plan should address the budget, periodic board reporting, and the status of risk management controls.

Tactical plans support the larger IT Strategic Plan by defining specific steps necessary to fulfill it. Tactical plans outline specific steps, personnel, tools, and timetables to achieve the goals laid out in the IT Strategic Plan, typically using a one-year time frame. These tactical plans typically address hardware and software architecture, end-user computing resources, and processing done by third-party providers.

The operational IT plan is used to achieve the goals and objectives of both the tactical plans and the larger strategic plan. It provides the detailed information to perform the tasks needed to implement the tactical plans of an institution. The operational IT plan includes the milestones and tasks that must be undertaken, the individuals who have responsibility for each milestone and task, the timelines in which they must be completed, the conditions for success, and the financial resources necessary to complete each milestone and task.

Strategic IT planning should consider a number of factors:

  • Marketplace conditions
  • Customer demographics
  • Institution growth targets
  • Mergers and acquisitions
  • Technology standards
  • Regulatory requirements (e.g., privacy, security, consumer disclosures, and other reporting requirements)
  • Cost containment
  • Process improvement and efficiency gains
  • Customer service and technology performance quality
  • Third-party relationship opportunities versus in-house expertise
  • Optimal infrastructure, including systems and software replacement
  • Ability to adopt and integrate new technology



Regulation clearly states that an IT Strategic Plan is necessary and that it must be aligned with the Bank’s Strategic Plan and support its initiatives. Executive management must develop the Strategic Plan and set the budget. The CIO or CTO should then develop the IT strategy that supports the institution’s business strategy and ensure the strategy aligns with its risk appetite. The CISO is then responsible for ensuring those risk appetites are met and for reporting back to executive management. Together, each of these parties creates and maintains an IT Strategic Plan that is aligned with the Bank Strategic Plan. The IT Strategic Plan should tie itself to the risk assessment, be capable of supporting current and future IT operations and infrastructure, and be integrated into the budget process.

The weak link is often executive management’s reluctance to share the overall Bank Strategic Plan with the members of management charged with developing the IT Strategic Plan, much less with the consultants who may aid in its creation and maintenance. This lack of transparency is understandable. More aggressive organizations may have business strategies that could create agitation within the workforce. Some simply believe it’s their secret sauce and should be shared with no one. While understandable, the issue of linking the components of an effective IT Strategic Plan remains.

Minimally, executive management should ensure the individual strategic initiatives of the Bank’s Strategic Plan make an appearance in the IT Strategic Plan. Then senior management can assist in ensuring alignment with the IT Strategic Plan.


IT Strategic Plan Contents

Once we understand the Bank’s strategic initiatives, plan development becomes straightforward. In general, an IT Strategic Plan should contain a few major components:


Banks should identify their location on the innovation curve. The Law of Diffusion of Innovation is one of the seminal theories in social science; it explains how, over time, products or business processes gain acceptance across a population. The Law of Diffusion of Innovation also helps an institution answer the question “who do we want to be as an organization when it comes to deploying technology, both internally and for our customers?” Banks typically fall into one of four categories for technology diffusion strategies:

  • Innovators (or “Bleeding Edge”) – Two types of organizations exist within this section of the curve: Banks that implement the latest technology first and figure out the risks and how to mitigate them later, and institutions that are exceptional at risk management. A significant amount of risk exists for Innovators, but these Banks are first-to-market with new technology.
  • Early Adopters (or “Leading Edge”) – Banks that implement new technology before the majority of other competitors, but are not first-to-market in their area, fall into the Early Adopter category. Early Adopter Banks may know some of the risks, as well as how to mitigate them, but don’t necessarily know all the risks and must plan to implement additional risk-mitigating controls as they become available.
  • Majority (or “Normal”) – Banks that fall into the Majority are not first to market with new technology, and typically implement technology only after customers begin to request it and the risk of implementation becomes better known. The Majority has two parts: Early Majority (before adoption is entirely commonplace) and Late Majority (getting in on the downswing).
  • Laggards (or “Conservatives”) – Banks that implement new technology only well after other institutions in their area, and even then only after customers demand it, fall into the Laggard category. Laggard Banks are sometimes viewed as conservative and are only willing to accept a minimum amount of risk to implement new technology. There is also a strong correlation between Laggards and the quality of their risk assessment (not knowing what the risk truly looks like), often resulting in those institutions being afraid or fearful of new technology.


Law of Diffusion of Innovation


Risk Appetite

Once an institution has established their “identity,” Banks should next identify their Risk Appetite. A Risk Appetite is typically identified by the percentage of risk an institution wants to mitigate for a particular thing – in our case, an IT asset, vendor, or business process.

The most significant factor in determining the level of required risk reduction is the Protection Profile, also known as the “importance” of an asset. Protection Profile can be identified in the Bank’s IT Risk Assessment, which highlights the criticality of the information stored, processed, and transacted by the information technology asset. It quantifies the confidentiality, integrity, availability, and volume of the asset to a number between 4 and 12 (lowest to highest). For each Protection Profile rating, the risk reduction goal is the target risk reduction.

Referencing the Diffusion of Innovation Theory above, Innovators and Early Adopters are either willing to accept more risk or have more mature risk management processes.

Protection Profile


Business Objectives

Banks should identify their Business Objectives. HINT: These objectives are the strategic initiatives discussed before that are identified in the Bank’s Strategic Plan. This is where it all comes together!

Banks should identify individual projects to support each Business Objective and ensure alignment with the IT Budget and IT Risk Appetite.


Takeaway: Checkbox or North Star

Will the IT Strategic Plan be a meaningful exercise for your institution, or will it be a check mark on compliance? To ensure the IT Strategic Plan is valuable, executive management must take an active role in its development and maintenance. Minimally, senior management must be provided the Bank’s strategic initiatives identified in the Bank’s Strategic Plan. Without that tie-in (and buy-in), the IT Strategic Plan will be nothing more than a check mark on compliance.

Knowing who you are as an institution and what your level of acceptable risk is can certainly help when it comes to decisions regarding technology. Whether your IT Strategic Plan acts as your north star or is done simply to check the box is up to you.


Written by: Cody Delzer
VP Information Security Consulting/Regional Director
SBS CyberSecurity, LLC

SBS Resources: 

  • {Service} Consulting: In today's rapidly evolving business landscape full of cyber risks, both employees and business leaders are finding it harder and harder to handle all the demands of being a security expert. This is why SBS Consulting Services have been one of our most sought-after offerings for over ten years. Learn more.
  • {Solution} TRAC: TRAC™ is an integrated cybersecurity risk management solution that automates and centralizes the tedious risk assessment process, providing relevant and quantifiable results. Trust your results with a proven, time-tested risk assessment model that has led organizations through thousands of successful exams. Learn more.
  • {Hacker Hour} 3 Key Tips to Getting More Value From Your IT Strategic Plan: Join SBS as we discuss how the IT strategic plan can become the driving force for your information security program and IT strategic decisions. View Webinar


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

  • Certified Banking Security Manager
  • Certified Banking Security Executive

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Tuesday, January 28, 2020
Categories: Blog