About Us | Contact Us
View Cart

Twenty Questions About 2013 IT Strategy

By Dan Hadaway | Monday, November 12, 2012 - Leave a Comment

It’s hard to believe:  the year is coming to an end quicker than we think.  Thanksgiving is less than two weeks away.  And though, as busy as we all are, none of us are yet looking back at a year of endless politics, mobile deployments, and supplement compliance, we’re still looking forward to 2013, wondering what to include in next year’s Information Strategy.

When it comes to developing a 2013 IT Strategy, I have three types of Clients:  those with white paper phobia, those who need to “dust off” the 2012 IT Strategy, and those who have been reviewing that strategy monthly, with the appropriate steering committee.

Not to rub it in, but those in the last category are probably much happier than those in the other two categories.  They invested the time necessary to make their own lives easier.  Though the first two types thought they were saving time by skipping the formal process, the third type can skip to question 13!

Metalanguage:

  1. Authorization:  Does the document express the policy which requires the creation of the strategy and tactical plans?
  2. Multidisciplinary:  Does the document leave a paper trail demonstrating that a multidisciplinary approach was taken in creating the document?
  3. Strategy then Tactics:  Does the documented strategy separate strategy (objectives, benchmarks, approaches) from tactics (plans, lists of expected achievements)?   Does it have a high-level strategy that aligns with the bank’s business strategy that is then further articulated via a set of tactical plans?
  4. Flexibility:  Are the strategic objectives written so that tactics can be flexible?  Does language hedge so that an auditor won’t be able to hammer you for not achieving deadlines on time?  Does language make clear that the further “out” in the plan we go, the less confident we are in the objectives we define?  See “deadlines and benchmarks” below.
  5. Prioritization:  Does the document identify high priority versus moderate or low priority?  Do the deadlines expressed consider priority?  Do we differentiate between urgent and important?  Are prerequisites addressed?
  6. Board Approval:  Has an executive summary of the strategy document been presented to the board.  Who presented it?  Was it formally approved?
  7. Ownership:  Does the document identify ownership not only of the overall strategy but also of each tactical plan that is born from the strategy?
  8. Deadlines and Benchmarks:  Does the document express specific deadlines?  This practice does not have to clash with “keeping tactics flexible.”  Deadlines can be expressed as “first quarter, second quarter, this year, second year, third year” and surrounding language could include “assuming all prerequisites are met.”  Just be careful how you word your deadlines.  Meanwhile, do tactics span three years?    Identify what you MUST achieve this year, and everything else should be for the second and third year of the plan.
  9. Budget:  Does the tactical plan articulate budgets, or at least speak to the financial resources required for implementation.  This could be in the form of “further investigation is necessary but for now we are budgeting an allowance of $xx,xxx for this tactic.  Is there a grand total for the year?  For all three years?

 Strategy Sources: 

  1. Business Strategy:  Does the IT Strategy align with the bank’s business strategy?  To be clear, does the strategy document reflect the business strategy of the bank?  One way to answer this is, does it even refer to the business strategy of the bank?  If you can tell what the bank’s business strategy is by reading the IT strategy, then alignment has probably occurred.
  2. IT Governance:  Do tactics address:  Awareness, Access Management, Asset Management, Branchless Banking, Business Continuity, Incident Response, Risk Management, and Vendor Management? 
  3. Risk Management:  Do the tactical plans reflect and incorporate risk remediation strategies?  Does it express major concerns from audit, examination, and risk assessment findings?  Does it incorporate the results of drill-down risk assessments?
  4. Confirmation of 2012 Strategy/Tactics:  Does the document express the work left from previous plans, either to finish projects or to confirm that previous tactics have worked?
  5. Compliance:  Do the tactical plans incorporate upcoming compliance concerns (if any)? (Benchmark:  Most community banks are currently okay with multifactor authorization, but are either finishing or starting the detect/response component of the Supplement, and are probably still in the planning stages of customer education.)
  6. Infrastructure Improvements:  Do tactical plans include all planned infrastructure improvements?  Are we upgrading or replacing workstations, applications, servers, or network devices?
  7. New Technologies:  Does the strategy speak to the adoption of new technologies (both proprietary and generic?)  Do tactics list the new technologies that will be investigated?  (Consider Mobile Banking, Endpoint Security, Mobile Device Management, MPLS, Virtualization, Secure Messaging, Cloud Portals, etc.)
  8. New Products, Services:  Does the strategy speak to the support of new products and/or services?  We auditors can tell by looking at your strategy whether or not your policy (assuming you have one) requiring management to involve IT in new products and services is being enforced.  (Consider Customer Education Programs, Statement Reward Programs,
  9. New Process, Projects:  Does the strategy speak to the support of new processes or upcoming projects?  (Consider BYOD, integrating Cloud Computing with Vendor Management, Project Management, Analytics.)

2013 Checkpoints:

  1. Trends:  Are you ready to search for and find the plethora of year-end articles related to new trends in banking technology, predictions for 2013, and spending breakdowns?  (Let me recommend watching http://www.banktech.com, www.bankinfosecurity.com, http://trentfleming.com/newsletter/, http://www.americanbanker.com, and of course https://my.infotex.com.
  2. New Technologies Beyond 2013:  Does the document address the bank’s posture regarding the technologies not-yet-ready for community banks?  Big Data?  Hybrid IT?  Enterprise App Stores?  IoT (Internet of Things)?

——————————————-——————————————————————–————————-

Dan Hadaway CRISC, CISA, CISM
Founder and President, Infotex

——————————————-——————————————————————–————————-

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

Latest News
    As the investigation of the SolarWinds Hack was ongoing, another hack stole some of the limelight… This is the final update on the SolarWinds hack unless a major development comes to light. You can see the previous article here: “Autopsy of the SolarWinds Hack Update“. One of the largest cyber-espionage campaigns in the history of […]
    Employees working from home may find it more difficult to follow security policies… An article review. The surge in employees working from home during the pandemic created many headaches for IT departments around the world, many of whom had no telecommuting policies or procedures before the start… but what about the employees who had to […]
    A Webinar-Movie infotex presents the 2021 update of a previously released webinar presented by our Lead Non-Technical Auditor, Adam Reynolds. This movie-short is intended for those who are planning to participate in an infotex Incident Response Test. Not sure about the importance of an Incident Response Test? Check out onetest.infotex.com for more information! Please let […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS INFOTEX PROMOTES BRYAN BONNELL TO DIGITAL MEDIA MANAGER infotex, the Managed Security Service Provider, announced Bryan Bonnell’s promotion from Senior Data Security Analyst to Digital Media Manager.  “He will continue his normal DSA duties on a limited basis, because we want everybody to stay in touch with […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS RYAN HENSLER OF INFOTEX, EARNS CISSP CERTIFICATE Ryan Hensler, Senior NOC Associate of infotex, Inc., recently received the CISSP certification. “Ryan has proven himself to be a seasoned security professional both in his work for infotex and now through achieving this certification.” said Sean Waugh, Information Security Officer. […]
    Dubious app store subscriptions bring in hundreds of millions of dollars in revenue… An article review. When it comes to malicious applications you’re probably familiar with things like malware and ransomware, and you have ways to avoid them.  Modern desktop and smartphone operating systems have built-in malware detection tools, and some web browsers even automatically […]
    Another Manifesto A supply-chain manifesto by the author of Never Say Never: A Password Manifesto! Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . [Sssshh.  Turn out the lights.  Let’s lower our inner voices, as I have something to propose that might be a bit […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office.  
    While malware and security exploits continue to make headlines, the majority of reported security incidents involve phishing… An article review. With all the attention given recently to security incidents involving software exploits and high-profile malware attacks, it would be easy to believe that they represented the most likely incidents you may encounter in the wild.  […]
    Implementing Protective DNS could help your organization avoid attack… An article review. Noting the risks still associated with the Domain Name System (DNS), the National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) have recently released new guidance on the selection and use of a Protective DNS service (PDNS). The guidance, released in […]