This blog walks cybersecurity professionals through the logical steps to create a practical and actionable cybersecurity strategy.
Your cybersecurity strategy must reflect a clear understanding of the organization’s priorities, goals, and drivers.
You may recall during the introduction to this blog series I stated that one of the secrets to drafting a winning strategy was to know your audience. Not to put too fine a point on it, but:
Your audience will be those parties who will determine whether your strategy is worth the organization’s time and money to implement.
So, when drafting your cybersecurity strategy, you must make sure it resonates with the key decision makers (and those people to whom the decision makers either answer to or whose opinion matters). Their concerns are not typically around cybersecurity. Their concerns will be broader and/or unique to their own role. You must find a way to connect with what’s important to them and ensure the cybersecurity strategy reflects that connection.
I mentioned two important tenets in a previous post: “Step Zero – Cybersecurity Strategy Isn’t Something to Be Scared Of”:
- Cybersecurity Strategy is about bringing value and looking forward
- Cybersecurity Strategy is helping the organization securely get to where it’s going
In a nutshell, this is what the key decision makers need to see from your cybersecurity strategy. The strategy needs to be seen as an enabler for the organization that will bring tangible value and allow the organization to achieve its goals in a way that keeps risk to a manageable level. To do that, the strategy must first articulate the priorities, goals and drivers that are of the highest importance to the key decision makers.
But how do you find out, specifically, what’s important to the key decision makers? We’ll assume you’ve already followed the recommendations from “Step One – Who Are You?” and have a good idea of what the organization’s about and from where it creates and derives value. The next step is straightforward: Talk to the Key Decision Makers.
Getting it Straight from the Top
The best way to understand what the leadership team deems important is to get it directly from them. Typically, the best way to do that is to do the following:
- Identify the Key Decision Makers: Target those key decision makers that are primarily responsible for the direction of the organization and the development of its goals and priorities. Note: Be sure to keep in mind that the cybersecurity strategy will affect certain decision makers more than others (e.g., the COO, CIO, Chief Risk Officer, etc.). If there is a long list of stakeholders, focus your efforts on those decision makers that are 1) chiefly responsible for approving your strategy and providing budget, and 2) more likely to be affected by the information technology ecosystem and the cybersecurity function. Very often, they will be one and the same.
- Prepare the Questions: While any conversation with the decision makers is best framed as free flow and conversational in nature, prepare a set script of questions that you need answered. You may also have questions stemming from your research on the organization as a whole (i.e., from Step 1 – Who Are You?). For example, what is the key decision maker’s role in operationalizing the organization’s overall strategic plan. Make sure that whatever questions you ask eventually get around to what you need to know for your cybersecurity strategy. The questions should never be yes or no style. They should allow for thought and consideration. Include something along the lines of the following:
- What are your key responsibilities?
- What are your priorities in the mid- to long-term (e.g., 1-3 years)?
- What are your primary goals and objectives in the mid- to long-term (e.g., 1-3 years)?
- What are the primary risks you see in achieving your goals and objectives?
- What are your top pain points and challenges; the things that keep you up at night?
Side Note:
If you find the decision maker being interviewed thinks the questions are too broad, you can narrow down the scope of their questions to focus more on the information technology ecosystem and cybersecurity. However, you want to make sure they are able to express to you what is important to them.
- Schedule one-on-one interviews/meetings: One-on-one meetings face-to-face are always best, if possible, but take what you can get. It is important to make sure the meeting allows you to make a connection (if one doesn’t already exist) and establishes a relaxed environment. Also, it is likely you will be limited in terms of the decision maker’s available time so try to keep the meeting to 45 or 60 minutes. That should be enough to give you what you need.
Side Note:
Keep the conversation moving and try to get as many of the questions answered as possible – without making the decision maker feel they’re being rushed (or interrogated).
- Take Notes and Get Validation: It may go without saying, but be sure to document everything you discuss. Structure the notes so that you can send them back to the decision maker for their review and feedback. This will ensure:
- There was no misunderstanding or miscommunication.
- The decision maker knows they were heard.
- The decision maker is afforded the chance to make any necessary clarifications or additions.
- Analyze Your Findings: Compile the information gathered to find the Key Takeaways from each interview. Look at the data singly and in aggregate to gather what you determine are the Primary Considerations from the decision makers. This, coupled with what you understand about the organization, will allow you to articulate – in the decision makers’ own words – the organization’s Priorities, its Business Value Drivers, and its Key Objectives.
Following this framework will produce several benefits. Not only will it allow you to get the information you need, but you will have done it in a way that brought the key decision makers into the process. This collaborative approach will aid in building their trust that the strategy is going to focus on those areas that are of greatest relevance to them and the organization. Also, reflecting their priorities in your strategy will help to increase their sense of ownership and partnership in the resulting document.
The interview-based approach outlined above highlights two very important concepts that need to be embraced when developing a winning cybersecurity strategy:
From Blocker to Enabler
How often has the Information Security function been seen by the rest of the organization as the “Department of No”? As the Blocker? Now, this is not entirely the fault of the Information Security management and staff. There’s plenty of blame to go around (especially when a department wants to place a new workstream into production with zero input from Information Security).
Often, this negative perception is fundamentally due to the lack of information sharing, effective communications and collaboration across departments and divisions within the organization.
If we want that to change, we must be the catalyst.
By demonstrating a desire to include people from outside Information Security to help craft the strategy, you are exemplifying the open communications mindset and leading by example. You are showing yourself to be an enabler for the organization, rather than a blocker.
Executed properly, this should provide the impetus for other parts of the organization to embrace security as a partner. It may not be immediate, but the example presented by Information Security – the Department of No – would set an excellent precedent.
Open Communications – Reaching Across the Silos
In many organizations the information ecosystem is segmented into any number of pillars with their own hierarchies and priorities. Communications is rarely directly across but rather goes to the top, moves across and then down. In some other scenarios, the Information Security function may be responsible for securing the digital ecosystem, but a lot of the operational pillars of cybersecurity may be outside of their direct control. For example, one organization had a mandate to mature its cybersecurity capabilities across the board, but such functions as Identity and Access Management, Business Continuity and Patch Management were outside of their managerial control.
In these situations, it is impossible to develop a realistic and actionable cybersecurity strategy without opening the doors and involving these key decision makers and stakeholders to be a part of the cybersecurity strategy development process. Developing a cybersecurity strategy by including key decision makers and organizational stakeholders is a fantastic way to reflect a genuine belief in open communications and collaboration. If they are asked to participate and contribute to crafting the Priorities, Business Value Drivers, and Key Objectives on which the strategy will be determined, then your chances of getting them to support the execution of the strategy will get exponentially better.
The Principled Approach
While some may think this optional, I think the subject an organization’s principles worthy of mentioning here.
Principles are fundamentally guides to behaviour. Most organizations have formally published a list of principles to help define their culture and how their employees are expected to conduct themselves as representatives of the organization. Principles are carefully thought out and reflect what the organization is about and what it stands for. As such, it is important to be cognizant of your organization’s formal principles – if it has them – and make sure they are not only called out, but that you articulate how the strategy will ensure it aligns with and adhere to those principles. This one act can go a long way toward attaining buy-in from a broad representation of the organization as it reflects your effort to make the cybersecurity strategy a part of the organization at a foundational level.
Thank you for your time. Be sure to stay tuned for the next posting in this series: Cybersecurity Strategy Step Five – What’s the Worst that Could Happen? (Defining Organizational Risks).
Special thanks to Michael Howard and Karel Beukes for their contributions to this post.
Eric's Cyber Blog 