Introduction to Drafting a Winning Cybersecurity Strategy

What is the biggest challenge with cybersecurity strategies today that so many organizations either:

1. Don’t have one;
2. Draft one that doesn’t get budget; or
3. Draft one that totally misses the mark and just sits in a drawer?

The answer is simple and twofold:

1. You have to understand the basic intent of a cybersecurity strategy (hint: it isn’t just to make your organization more secure).
2. You have to know your audience when you draft the cybersecurity strategy (hint: they decide whether the strategy is going to happen or not).

This blog is intended to walk cybersecurity professionals through the logical steps in creating a practical and actionable cybersecurity strategy. It is based on my own experiences as a cybersecurity strategist in developing and drafting strategies for numerous clients – real organizations with real world issues – across a wide range of industries and in the public as well as private sector.

Why a Strategy?

When speaking with clients about cybersecurity, more than a few have asked:

“Why have a cybersecurity strategy at all? What’s it really going to accomplish when I already know what we have to do?”

A lot of people have this attitude and that’s a real problem. Individuals with this opinion really need to follow this series. They have to understand that a cybersecurity strategy is critically important to both the success of the information security function at their organization and the success of their organization as a whole. The purpose of this blog is to answer that very question and settle the issue while showing how to draft a winning strategy that will actually get done.

Side Note

Did you know that a number of organizations that have been hit by cybersecurity attacks were subsequently sued by customers and the existence of a cybersecurity strategy and roadmap prior to the attack could be a major contributor to those organizations’ legal defenses?

Smoke Jumping or Fire Management

Another crucial matter to consider in justifying a cybersecurity strategy is the cost of constantly being in a reactive mode when working in cybersecurity; moving from one emergency to the next. In essence, being a smoke jumper. All you can do is react to fires that spring up, put them out and hope you have the time and resources to properly deal with it before the next one pops up.

Compare that to the benefit of intentionally anticipating what you expect to experience and proactively establishing a robust cybersecurity framework that will allow you to counter the emergencies – when they’re perhaps minor problems – before they become full-on disasters. This is comparable to fire management: planning, preventing, and fighting fires to protect people, property and the forest resources. This involves predicting and knowing what to expect – protecting the entire forest ecosystem – and being ready for it.

This is foundational to the notion of the cybersecurity strategy. Fire management will always be preferable to smoke jumping. Unless you’re an adrenaline junky.

Boiling the Ocean

To be clear, I want to stress that developing a strategy isn’t hard, but it does take a lot of work and needs to be done collaboratively. I have seen more than a few CISOs and security executives delay or totally put off the development of their strategies because the task can be seen as quite daunting and it’s hard to know where to begin. Also, they may simply not have the time or the resources. Time is a precious commodity and, if you’re already busy dealing with an ongoing string of emergencies and daily crises, you need to make certain you are using your time effectively.

Instead of boiling the ocean, you need to break down the development of a winning cybersecurity strategy into manageable chunks that build on each other. Also, you want to know what parts to do and when so that you are doing it efficiently and using your time well. And you need to include the right people from across the organization – with stakes in the game – to bring in the right perspectives. This blog will help to provide a sensible and realistic process to follow to allow you to produce a cybersecurity strategy that is actionable and, very importantly, will get budget.

Looking Ahead

So, stay tuned for the next blogs in this series. They’re sequenced in a logical fashion to illustrate the order of activities to follow in the development of your cybersecurity strategy. There will be a few blogs at the end to discuss differences across industries as well as supply chain considerations and aligning with known cybersecurity frameworks. The entries will be as follows:

• Cybersecurity Strategy Step Zero: Cybersecurity Strategy Isn’t Something to Be Scared Of (Basics of Cybersecurity Strategy)
• Cybersecurity Strategy Step One: Who Are You? (Understanding your Organization)
• Cybersecurity Strategy Step Two: Where Are You? (Understanding your Organization’s Current Cybersecurity State)
• Cybersecurity Strategy Step Three: Who Goes There? (Understanding the Current and Projected Threat Landscape)
• Cybersecurity Strategy Step Four: What’s in It for Me? (Determining your Organization’s Priorities, Business Value Drivers and Principles)
• Cybersecurity Strategy Step Five: What’s the Worst that Could Happen? (Defining Organizational Risks)
• Cybersecurity Strategy Step Six: Dare to Dream (Envisioning the Future State and Articulating the Vision)
• Cybersecurity Strategy Step Seven: But What Will It Do? (Determining the Objectives and Key Results)
• Cybersecurity Strategy Step Eight: How Do We Know When It’s Working? (Defining Metrics)
• Cybersecurity Strategy Step Nine: How Do We Get There? (Defining the Operational Roadmap for the Strategy)
• Cybersecurity Strategy Step Ten: It’s All About the Journey (Keeping the Strategy Relevant)
• Cybersecurity Strategy Step Eleven: The Chain is Only as Strong … (Incorporating 3^rd Party Suppliers)
• Cybersecurity Strategy Step Twelve: Model Behaviour (The Importance of Aligning with a Cybersecurity Framework)