This blog is intended to walk cybersecurity professionals through the logical steps in creating a practical and actionable cybersecurity strategy. Before I get started, let’s first go over some of the basics of cybersecurity strategy and clear up what it’s all about. The best place to start is to reiterate a statement from my last blog entry:
Cybersecurity Strategy isn’t hard – when it’s a collaboration
Unless you’re Napoleon or some great strategic genius, you should never go it alone on developing a cybersecurity strategy. Even Eisenhower had a team to help him develop strategies during World War II and that worked out really well.
Developing an effective cybersecurity strategy is definitely a team effort. Gathering data and intel from contributors and stakeholders across multiple areas and perspectives is key not only to making sure the resulting strategy reflects what the organization actually needs, but also to getting it developed in a reasonable time frame. Just as importantly, making this a team effort will go a long way toward getting buy-in when it's needed.
Speaking of buy-in, another important aspect of making strategic development a team effort is that it promotes open communication and builds trust. When Information Security brings in other areas of the organization to help it develop a strategy, it moves Information Security out from behind the perceived curtain and shows that it is part of the organization, with a mission to support the organization's secure achievement of its goals and objectives. This will be enormously helpful down the road in gaining others' trust in what the strategy is trying to accomplish and how it will help the organization.
So, don’t think you need to go it alone! The adage that many hands make for light work truly applies here.
Cybersecurity Strategy is technology agnostic
Cybersecurity Strategy is not about any particular product or technology. It's about capabilities and value (more on that in the next section). The main point here is that the cybersecurity strategy defines a vision for information security and the capabilities the organization needs from it. For example, you don't say "We need this particular product or technology to classify our data." You take a step further back and discuss the need for automated data classification as part of the organization's effort to modernize its data governance program and methodology.
It’s important to remember that the strategy is looking at the big picture. Whatever technology will be applied is a tactical topic that would be more appropriately addressed after the strategy has been formulated and you’re now looking at ways to operationalize it (i.e., the roadmap).
Again, avoid thinking about how a particular technology or product is going to solve your problems. That's not what the cybersecurity strategy should be about.
Cybersecurity Strategy is about bringing value and looking forward
I've seen a number of strategies that CISOs and cybersecurity executives have developed that talked about what they were going to do but not really why, or what benefit it would have for their organization. Most of the time, they assumed it was obvious or implied. If the organization's executive management is going to shell out budget to make the cybersecurity strategy a reality, however, those executives have to get behind it and see that it's worth the investment.
The Information Security function doesn't exist for its own purposes or in a vacuum. It is part of an organization, and the cybersecurity strategy should reflect what the entire organization requires of the information security function. This speaks to the point made above: when working on the cybersecurity strategy, be sure to bring in stakeholders from across the organization who have a role to play in its goals and overall future direction. Their voices will be critical.
The cybersecurity strategy must reflect the organization's priorities and goals, that is, what it is seeking to accomplish. And it must do so in a way that demonstrably helps the organization progress in its intended direction. In short, the strategy must show how it will contribute business value to the organization.
The CEO and the Board of Directors don’t care how great the SIEM digests and analyzes telemetry. They do care about the value that greater situational awareness brings to the organization in reducing its risk profile, in enabling the organization to more rapidly respond to the threats facing it, and in modernizing its capabilities to prepare for future online growth.
When the cybersecurity strategy demonstrates an understanding of what the organization requires of the information security function, and of how that function can help the organization achieve its larger strategic goals (i.e., how it contributes business value), it will gain significant traction and champions in the necessary places.
Cybersecurity Strategy is helping the organization securely get to where it’s going
Related to the above section on the Information Security function being part of the organization, the cybersecurity strategy must outline not only how it can help the organization achieve its goals, but how it will do so in a way that is secure and reduces risk to as manageable a level as possible. After all, cybersecurity is not about an impenetrable defense or god-like detection. Ultimately, it is about managing risk.
It's incredibly important to understand the organization's risk tolerance, to make sure the cybersecurity strategy is not going further than the organization needs and therefore becoming prohibitively expensive. The strategy can lay out an understanding of the cybersecurity-related risks the organization will face in its strategic journey and in the accomplishment of its overall goals. It can then outline how it will address those risks and reduce them to acceptable levels, making for a more secure journey.
If your organization, as part of its overall strategy, is planning to expand its Internet footprint, for example by letting users register ahead of time for future product launches, the cybersecurity strategy has to be there, at the very least, to support business continuity planning, the application development process, access controls, the protection of user data (and of user privacy), and the design of the Internet ingress and egress approaches.
The basics outlined above hold true for just about any organization in any industry, in the public as well as the private sector. By understanding these four fundamentals, you’re already well-positioned to develop a practical and actionable strategy that focuses on the big picture and will benefit the organization.
One more thing: the cybersecurity strategy is a living thing. Never assume the document is static. Strategies are dynamic and need to change as the situation changes. A four- to five-year vision for the future isn't set in stone; it needs to be reviewed regularly and adapted to make sure it is still relevant.
Thank you for your time. Be sure to stay tuned for the next posting in this series: Cybersecurity Strategy Step One: Who Are You? (Understanding your Organization).