This blog walks cybersecurity professionals through the logical steps to create a practical and actionable cybersecurity strategy.
Clearly communicate your ideal future state to show your aspirational vision for cybersecurity.
At this point, you can build on everything you have gathered and built to define your target state. Having done the leg work to understand what the organization is about, where it’s going, the current state of your cybersecurity function and the risks your organization faces, you are now in a position to figure out where you want to take the cybersecurity function – to define the target/future state. While it must be practical, it must also inspire and demonstrate your aspirations.
The key word here is “aspire”. It is vitally important to be able to imagine and communicate what you envision as your ideal future state in order to generate enthusiasm and anticipation to move forward. This is a key element to getting key decision makers and stakeholders to buy into your vision. It demonstrates having a footing in reality while also keeping an eye open for the art of the possible.
Imagine, for example, the following:
- Bad actors are detected in seconds…
- The workforce can securely share information any time, anywhere…
- A new user can get exactly the privileges they need for their role in minutes…
- Identities cannot be stolen…
- Passwords do not exist…
- Data is automatically classified and protected…
- Users can click fearlessly.
Aspirational statements can motivate and generate positive dialogue regarding your Vision. The first step is to develop a list of your aspirations for the future state – what you want to be able to accomplish in the long term (i.e., the next 3-5 years). This may be considered your ideal future state, so don’t hesitate to go all out. What would you like to achieve in a perfect world? Go there! You’re developing a Vision after all. You can worry about coming back down to earth in the later stages.
Once you have worked out a solid depiction of your aspirational future state, you are ready to boil it down into your Vision Statement.
Defining the future state for your audience must start with your Vision Statement. The Vision will be stated in one sentence to provide a clear north star for the strategy to move toward. Everything else afterward will be developed with the sole intention of achieving the Vision. Therefore, the Vision must encapsulate what the future state will accomplish for the organization (i.e., your aspirations) in a way that is:
- Forward looking;
- Inspirational; and
With that in mind, here are a couple of things to consider.
Make the Vision Relatable
While it is important that the Vision be forward-looking, do not lose sight of the fact that it must depict a future state that maps to your organization’s goals and objectives. That’s the whole point after all.
When drafting the Vision Statement, be aware of everything you have learned up to this point and what the organization needs from the cybersecurity function to be able to accomplish its own vision. There must be synergy!
One organization was in the midst of a massive transformation to a more service-oriented as opposed to a product-oriented enterprise. The cybersecurity function had to show itself to be cognizant of this move. The statement had to ensure that the vision articulated a way forward, outlining a journey that allowed the organization to securely realize that transformation in a manner that managed risk and prepared them for this new model. This had to be a foundational element.
While a Vision Statement may need to be grounded in the organization’s goals, it must still be inspirational.
It bears repeating that the Vision Statement must be encouraging, motivating, and exciting! It needs to drive the members of the cybersecurity function in realizing the vision. And of equal importance is the need to ensure the stakeholders and the key decision makers can get behind the vision and approve the budget to see it become a reality. No pressure.
Using the above example, the need was to combine what the organization planned to accomplish (i.e., transforming to a service-based enterprise) with a message that allows people to get behind the Vision. After a great deal of thought, the Vision Statement was published as:
Evolve into a world class cybersecurity organization, with governance and processes that reduce risk to acceptable levels, enabling Contoso to move to the next level and securely deliver services for its customers and partners
You may read the Vision Statement and think to yourself that it sounds somewhat generic. Don’t worry; that’s the nature of them. They have to be forward looking while also allowing for a great deal of flexibility and adaptiveness. A Vision Statement is not about specifics; it’s about the far horizon, which is broad.
In the end, the Vision Statement, and the Future State it depicts, has to be simple and act as a North Star. Don’t go into excessive detail. That’s not what the Vision Statement is about. Keep it short and sweet.
Finally, it needs to be said that the envisioned future state is an outline of the things you seek to accomplish at a high level. It will not entail technical detail or a security architecture. It is not intended to. Detail and architecture are just a couple of parts of the realization of the strategy and should not be part of the strategy at this point. There are a few more things to do before going there.
Thank you for your time. Be sure to stay tuned for the next posting in this series: Cybersecurity Strategy Step Seven – But What Will It Do? (Determining the Objectives and Key Results).
Special thanks to Karel Beukes for their contributions to this post.