This blog walks cybersecurity professionals through the logical steps to create a practical and actionable cybersecurity strategy.
Always make sure to keep your cybersecurity strategy up to date and adjust it when required.
You may recall during my concluding paragraph in Step Zero, where I discussed the Basics of Cybersecurity Strategy, I emphasized that a Cybersecurity Strategy is a living thing.
The strategy should never be assumed to be set in stone – fixed and unchanging. A good strategy is dynamic and open to evolution as circumstances change or new opportunities present themselves. But it never loses its purpose or its ability to guide and motivate the organization to move forward in a meaningful way.
Set a cadence to regularly review the strategy as it is being operationalized. Twice a year is a reasonable timeframe. Be aware however that there may arise circumstances – good and bad – that will require you to re-think some aspects of your strategy and incorporate this new information into your plans.
When working to review your strategy, here are a couple of things to consider.
Look for the Good as well as the Bad
There is an adage that applies to any significant events that will impact your strategy: “Never let a good crisis go to waste”.
Be aware of changes in the environment – locally, regionally, globally – that may indicate a need to revisit and revise the strategy to fit the new reality. It’s not all bad though – a new technology may have been released that will drastically improve your cybersecurity operational capabilities. Or a nation state’s cybersecurity attacks may have been radically curtailed due to a regime change.
In any event, be on the lookout for changes that will have a measurable impact on how you do cybersecurity. A few examples include, but are not limited to, the following areas:
- New attack vectors that affect your organization
- Evidence of new threat actors targeting your industry with specific intent
- A global event that changes how the organization operates (e.g., the COVID pandemic)
- A change in the organization’s fundamental goals or direction
- A new product, offering or service the organization has developed that will certainly be a target for competitors and/or nation states and eCrime organizations
Some events may be so significant, so impactful, or so fast-moving that you would be well advised to revise your strategy immediately instead of waiting for the next review cycle.
Some people might say, “If this new change or event is so significant, I won’t have time to plan ahead; I’ll be purely in reaction mode dealing with the situation.” There is no denying the importance of dealing with a crisis – either good or bad – as quickly as possible. But that doesn’t mean your strategy should be set aside. You may recall in my Introduction, I compared the difference between reactive and proactive cybersecurity administration with Smoke Jumping and Fire Management. Both have a very important part to play. And while the professionals are putting out the fires, leadership also needs to be planning how to manage that forest for the future, so that what caused this fire is analyzed, understood and incorporated into any plans moving forward. Your strategy must be revised to accommodate the new event and make sure you are prepared to be proactive about it in the future.
The Road is Never Always Straight
Over the course of operationalizing your cybersecurity strategy via the Roadmap (discussed in Step 9), you will likely find that things don’t always go as planned. That shouldn’t be a big surprise. Some projects may run longer than planned, the budget may be cut, or a particular strategic objective may not be as relevant as it was the year before. Whatever the reason, it will be important to shift and adapt the strategy as circumstances warrant over the course of its realization. This doesn’t lessen the work put into developing the strategy or mean the strategy is somehow a failure. Far from it. This is merely the normal – and expected – evolution of the strategy to account for the real world. Remember this:
A good cybersecurity strategy will grow and evolve without losing its power to be your North Star.
That wraps up my 10 steps of pragmatic guidance on developing and operationalizing a Cybersecurity Strategy for your organization. Moving forward, I will be addressing other aspects of cybersecurity strategic planning, including thoughts on the supply chain and the importance of aligning with cybersecurity frameworks.
I hope you have found this blog useful so far. I look forward to publishing further blogs in the future and hope to hear from you as you work on your own cybersecurity strategy.
Thank you for your time. Be sure to stay tuned for the next posting in this series: Cybersecurity Strategy – The Chain is Only as Strong (Incorporating 3rd Party Suppliers).