Strategy is easy. Execution is where the wheels come off. My advice, as someone who used to focus a lot on strategy: focus less on the fancy PowerPoint and more on why the same things keep appearing in the PowerPoint, year after year. Attackers aren’t burning businesses down because of the work we’re doing today to prepare for the risks of tomorrow. They’re burning businesses down because yesterday’s risks have still not been addressed. Risks that the strategy from 3 years ago was supposed to fix.
I’m sometimes asked what the security world will look like in 5-10 years, presumably so that organisations can orient themselves in that direction. They’re fun conversations, and there is some value in having them. But some of these organisations have been (not) dealing with the same basic security issues for the last 15 years (“identity modernisation”). Does it really matter what’s on the roadmap if the red team can get control of your AD or Entra ID tenant in 37 seconds?
“Legacy tech debt” is not the problem, by the way. Figure out why the organisation ended up with so much legacy technical debt to begin with and you will have discovered the real problem. In other words, discover the underlying systemic issues that unwind (and will continue to unwind) every strategy you create, when you attempt to execute on them. Organisations that struggle to make decisions and execute on strategy have a legacy problem, but it’s not technical, as a general rule. It’s legacy thinking, structure, leadership, and culture.
Smart organisations with smart people know what to do. The question is, will they be able to do it? Doing the right thing wrong isn’t ideal, but it’s an error that can be corrected, and turned into a learning opportunity. Doing the wrong thing right just perpetuates wrongness, because no one recognizes it as an error until it’s too late. As W. Edwards Deming demonstrated in his funnel test, the more we attempt to correct the wrongness, the worse it gets.
I used to beat around the bush about this stuff, because it’s terribly inconvenient to hear, even though we all know it’s true. Strategy is easy. Execution is where the wheels come off. It is far better to execute imperfectly on an adequate strategy.
