What everyone in cybersecurity ought to know about planning 

February 11, 2019

By Jane Frankland

My face was blank but secretly I was screaming inside my head. I felt sick. Full of shame. How could I have been so stupid? And, as I stood there, being scolded for not delivering an effective plan and hitting my KPIs, the words my manager bellowed out at me became ingrained on my memory forever. He said,

“If you fail to plan, you are planning to fail.”

These were the exact words Catherine used to describe a situation she’d found herself in at the start of her cybersecurity leadership career. When we met, she was still scarred from the ordeal and low in confidence.

It was a tough lesson for her to learn and she vowed never to repeat it. And, whilst I agree with her manager for directing her to Benjamin Franklin’s famous quote, I know that if you want to hit a goal, KPI or target, planning isn't enough. Planning alone doesn’t prevent mistakes from happening or reduce all possible risks — not in an environment where technology, team capabilities, stakeholder expectations, and competition are perpetually changing.

What actually does is your agile resilience — your ability to recover and adapt, fast, when things go wrong. And this is why failure is such an important lesson to build into your planning, and if you’re leading, your management style.

It's something I regularly go through with my clients when I'm delivering business strategy and leadership training, and one of three little-known strategies I use when I'm planning. Now, these aren't in my Clarity + Planning Workbook that many of you have downloaded, so unless you join my IN Security Tribe, where you'll get them early, you'll just have to wait for the other two as I deliver them during February.

#1: The 'if-then' approach

It seems ironic to suggest that you plan to fail, but really, it’s a smart move. Science backs it. You see, your thinking patterns form the bedrock of your actions and subsequent behaviours. Science tells us that the more you repeat a behaviour when a trigger or consistent environmental cue occurs, the more automatic your behaviour becomes.

Using an 'if-then' approach (or Plan B), where you use the phrase,

“If ______________________ happens, then I’ll do ____________________”

reduces the number of choices you have to make in the moment. It encourages you to stop and think about the obstacles you could face in reaching your goals, KPIs and targets. And, if you use it with visualisation and mental contrasting, it improves the technique further. It’s incredibly empowering, instils confidence and makes your behaviour more automatic. And, with practice and repetition, the mental effort it takes you to change your response or behaviour becomes easier and second nature.

Peter Gollwitzer, a German professor of psychology in the Psychology Department at New York University, spent years researching how goals and plans affect cognition, emotion, and behaviour. Credited with being the first person to come up with the 'if-then' concept in the mid-1990s, he reviewed almost one hundred studies that used the technique. And, what he discovered was notably higher success rates for goals ranging from using public transportation more frequently to avoiding stereotypical and prejudicial thoughts.

In one of his experiments, he asked students to mail an assignment two days before it was due. He gave Group A the assignment without instructions, while Group B was told to build in 'if-then' planning. This group had to consider when, where and how they'd mail it.

The results were dramatic. Group A had a 32% success rate, while Group B more than doubled this percentage, with a 72% success rate.

The reason why 'if-then' planning works so well is because it speaks the language of your brain — the language of contingencies. As a human being, you're wired to encode information in this manner and use it as a process to guide your behaviours. It’s instinctive and has helped the human race evolve for hundreds of thousands of years.

By using an 'if-then' approach you get a clear plan for overcoming unexpected challenges. It prepares you for distractions and switches you from a reactive mode, where you're distracted by the urgencies or dramas of everyday life, to a more proactive mode. In short, it enables you to be more in control.

Let me give you a scenario.

Let’s say you’re a CISO and you’ve just started at an organisation that has a poor track record of security breaches. You want to make an impact and reduce this. You formulate your plan but before you implement it, you summon your team together for a strategy meeting so you can think through further scenarios. For instance, who your adversaries are, the approach they may take, where you are vulnerable, the likelihood of a breach, what the total cost to fix your vulnerabilities is, and what the total cost to your organisation will be if the vulnerabilities are not fixed and are exploited.

You prepare for the Board, too, and the tough questions they could ask, for example,

“Why did you not ask for more budget?”
“Why did you buy all of these products and services when we’ve still been breached?”

You also prepare for another question,

“When have we been breached?”

You know you must be able to detect, understand and contain the breach, and that your breakout window — the critical period in which to stop a breach — is now only 1 hour and 58 minutes. According to CrowdStrike, this is, on average, the time it takes for an intruder to jump from the machine that’s initially compromised and move laterally through a network. But it’s not the only crucial metric you need to know about. When an attack is in progress, you have on average 1 minute to detect it, 10 minutes to understand it, and 60 minutes to contain it.

You think through exactly how you’ll communicate where the breach was and the extent of the damage, plus how you'll respond to it internally and externally, in other words to the media. You know that this not only helps you better prepare for the ‘when’ scenario but that it also moves your organisation, culturally, from a mindset of strength to one of resilience. It opens up a dialogue by removing the association of being breached with a failure of security.

Now obviously this is just one scenario, and with a rich ecosystem incorporating many different roles in cybersecurity, there are many more. So, with this in mind, here's what I want you to do now. Grab a pen and paper, or whatever you use to make notes, and define the following:

  • The priority goal you’re working towards
  • The date you’ll achieve it
  • Why it matters to you
  • What you’ll have to do, change, or give up in your life to achieve this
  • Whose support (influencer/s) you’ll most likely require
  • What your ‘if-then’ plan will be

Now I want to hear from you…

  • Tell me what insights you've gained on planning and how you're going to modify your planning.
  • If you’re already using the 'if-then' approach, tell me what benefits you’re reaping.
  • Finally, tag yourself in the comment box below if you'd like an 'if-then' planning template.


Jane Frankland

Jane Frankland is a cybersecurity market influencer, award-winning entrepreneur, consultant and speaker. She is the Founder of KnewStart and the IN Security Movement. Having held executive positions within her own companies and several large PLCs, she now provides agile, forward-thinking organisations with strategic business solutions. Jane works with leaders of all levels and supports women in male-dominated industries like cybersecurity and tech. Her book, 'IN Security: Why a failure to attract and retain women in cybersecurity is making us all less safe', is a best-seller.
