This blog is intended to walk cybersecurity professionals through the logical steps in creating a practical and actionable cybersecurity strategy.
Be absolutely clear on what your organization is about from the top on down.
I stated in my last post that the cybersecurity function doesn’t operate in a vacuum or for its own purposes. It’s a critical part of an organization, intended to protect the confidentiality, integrity and availability of that organization’s data and information. It’s dealing with threats both external and internal, some of them very specific (more on that in a later post). So, a fundamental requirement for any cybersecurity strategy is thoroughly understanding the organization within which information security is playing such a critical role.
The Mission, Goals and Objectives of the Organization
It’s not enough to know what your organization does: making cars, running a local government, providing health care services, selling insurance, etc. It’s important to understand what distinguishes your organization from all others and from where it derives and creates value. That word – value – is something I referred to in my last post and you’ll be seeing it very frequently throughout this series.
The most direct path to identifying the organization’s unique and distinguishing nature is via such definitive and forward-looking documents as the following:
- The Mission Statement – including any values stated in the mission statement
- The Charter (for some public-facing organizations)
- Recently published Strategies for the near- and long-term, including:
- Objectives and Key Results,
- Priorities and
- Annual Reports
Also, it is crucial to note any recent directives stated by the Executive (e.g., the CEO, President, Governor, Premier, etc.) through interviews, conferences, memos and statements. These will provide more up-to-date context with regard to where the organization is heading.
For example, an organization in the manufacturing sector was forced to divest itself of a major division that was one of the original parts of the organization and part of its defining brand. This divestiture totally changed the direction of the company and necessitated a complete change in its long-term strategy.
However you do it, make sure you get a clear and thorough picture of what distinguishes the organization and what is important to its leadership.
The Goals and Objectives of Information Technology
Closer to home, of course, is determining the guiding vision for the IT function within your organization. Whether your organization has a CIO or an equivalent, it is as important to get a clear understanding of what the IT function is striving to achieve as it is to understand what the organization is trying to achieve. One will logically follow the other, of course, and you want to make sure you are on top of both.
Similar to the above, the CIO would have published their own strategy with a vision for the road ahead. The strategy will often outline the CIO’s priority areas (e.g., in the form of pillars, or foundations, etc.) with stated goals and objectives. Additionally, some strategies will outline a roadmap or programs/projects/initiatives to realize and operationalize the strategy. These are critical for your purposes.
One foundational area that almost every IT strategy addresses is security. But be sure to look beyond that to the entire strategy. While information security is a vital part of the CIO’s strategy, the cybersecurity strategy should be about making sure the entirety of the CIO’s strategy will be realized securely.
Also, be aware of any directives or communications that come from the CIO or their leadership team that indicate a strategic, operational or tactical shift in the IT function’s direction.
Thank you for your time. Be sure to stay tuned for the next posting in this series: Cybersecurity Strategy Step Two – Where Are You? (Understanding your Organization’s Current Cybersecurity State).