The song called "Any Road" by George Harrison is a good reminder of why a strategy is important. He sings "If you don’t know where you’re going, any road will take you there." The lyrics is a stark reminder, perhaps even a warning, that if you do not start with a defined strategy, purpose, and objective, you will run into challenges down the line.
Defining a cybersecurity strategy requires knowledge and skill. Defining a world-class cybersecurity strategy that is crystal clear, concise, and aligned to business objectives, requires cybersecurity expertise, accurate information, and a solid understanding of the threat landscape and business context. There are few courses and resources available that teach this the skills required to develop a robust cyber resilience strategy. This article will focus on where you should start, what you should do, and what you should avoid when developing your cyber security strategy.
Cybersecurity Strategy Development Framework
A cybersecurity strategy must be developed by considering various strategic inputs. In cybersecurity, it makes sense for those strategic inputs to the following five inputs:
Global Industry Reports:
This includes research reports, vendor white papers, and academic
research papers. Any reputable industry insights should be reviewed and analysed to gain
insights and an understanding of the global threat landscape. The focus must be on good
quality reputable reports and research.
Past Risk Assessments:
The current cybersecurity posture of your organisation must drive the
cybersecurity strategy. This insight can be gained by reviewing the past twelve to eighteen
months audit reports, penetration testing reports, security reviews, and vulnerability
management reports. Any past assessment that provides insight into the risk posture should
be leveraged.
Cyber Insurance and Assurance Requirements:
An understanding of your organisation’s
insurance requirement is important as this will gaps or areas of weakness, and as a result
influence the strategy and priorities.
Business Priorities:
This is arguably the most important, and also often overlooked input. You
must understand what your organisation’s priorities are. For example, if you find yourself
working for a municipality, and your business strategy is to start a Smart City initiative next
year, this will impact your OT cybersecurity strategy and must be considered. The primary
purpose of cybersecurity is to support business objectives, and therefore this input into the
strategy is vital.
Regulatory Requirements:
It is imperative to understand the regulatory obligations of your organisation and translate that into cybersecurity initiatives. For example, if GDPR or PCI-DSS apply to you, it will impact the cybersecurity initiatives and priorities. If your organisation maintains an ISO 27001 certification, that must be considered as it will influence the strategy.
Common Mistake to Avoid When Defining a Cybersecurity Strategy.
Do not allow technology vendors to develop your strategy. Technology vendor roadmaps and insights should inform your thinking, but caution should be exercised not to allow vendors to unduly influence your cybersecurity strategy.
Do not define the cybersecurity strategy in isolation with the cybersecurity team only. Present the strategy to other IT teams and business leaders for input. You are more likely to gain the support of stakeholders if they believe they were part of the process. Guidelines for developing a robust cybersecurity strategy.
Take your stakeholders on the journey with you. Adopt a consultative approach by starting with the cybersecurity team, then gradually including more stakeholders in the process such as other internal IT teams, business stakeholders, and industry experts. Note that these industry experts should not be your technology providers, but rather trusted advisors who have no conflict of interest.
Understand that people are at the centre of what we do. Security awareness, culture, and governance should be a core theme of your cybersecurity strategy.
Identify and prioritise the top cybersecurity risks as it pertains to your business. For example, if you have fifteen critical items to address, but only receive a budget for five items, you should have a clear methodology on how you would select those five priority items. Your approach should be based on risk, the Pareto Principle, and a cost-benefit analysis.
Consult experts. Developing a meaningful and robust cybersecurity strategy is a skill. If you do not have this skill, consult experts that do while you learn and upskill.
Adapting to Change is Imperative.
In 1996, a group set out to climb Mount Everest. They had all the right equipment, and they were well trained and fit, but on Everest there is a rule: If climbers do not reach the summit by a certain time of the day, they must abandon the attempt. This day, there was a traffic jam of sorts as four different expeditions all attempted to reach the summit, and these climbers did not reach the summit by the specified time. At this point, they should have turned around, but they did not. They reached the summit too late and had to climb down in the darkness and were caught unprepared by an unexpected storm. Sadly, they all died during the attempt.
This tragedy offers a valuable lesson for security teams. They commit to a three-year plan or an eighteen-month road map, and then, as time passes, the business context changes, the threat landscape evolves, and evidence starts to emerge that the current strategy is a bad idea. At that point, the team should stop, reevaluate, and readjust the strategy. But it is often difficult to admit that mistakes have been made, so security leaders may continue heading in the wrong direction. However, if it becomes apparent that a cybersecurity strategy is no longer effective or appropriate, cybersecurity leaders have a responsibility to rectify it. It is therefore imperative not to view the cybersecurity strategy as a once-off exercise. The threat landscape is continuously evolving and therefore the cybersecurity strategy must be reviewed regularly.
Conclusion
The cybersecurity strategy provides a forward-looking view into what you are planning as a cyber leader, and why you are doing it. Consider the audience, and tailor the content using visuals, stories, and analogies. For the stakeholders who appreciates the detail, there should always be a detailed strategy document supported by tactical plans. However, for the senior decision makers, you need to keep it succinct, visual, factual, and presentable in under ten minutes.