Step Zero – Cybersecurity Strategy Isn’t Something to Be Scared Of (Basics of Cybersecurity Strategy)
This blog is intended to walk cybersecurity professionals through the logical steps in creating a practical and actionable cybersecurity strategy. Before I get started, let’s first go over some of the basics of cybersecurity strategy and clear up what it’s all about. The best place to start is to reiterate a statement from my last blog entry:
Cybersecurity Strategy isn’t hard – when it’s a collaboration
Unless you’re Napoleon or some great strategic genius, you should never go it alone on developing a cybersecurity strategy. Even Eisenhower had a team to help him develop strategies during World War II and that worked out really well.
Developing an effective cybersecurity strategy is definitely a team effort. Gathering data and intel from contributors and stakeholders from multiple areas and perspectives is key: it not only makes the resulting strategy more reflective of what the organization needs, but also allows the strategy to be developed in a more reasonable time frame. Also, very importantly, making this a team effort will go a long way to getting buy-in when it’s needed.
Speaking of buy-in, another important aspect of strategic development being a team effort is its promotion of open communications and building trust. When Information Security brings in other areas of the organization to help them develop a strategy, it’s helping to move Information Security out from behind the perceived curtains and show that it is a part of the organization, with a mission to support the organization’s secure achievement of its goals and objectives. This will all be enormously helpful down the road in gaining others’ trust in what the strategy is trying to accomplish and how it will effectively help the organization.
So, don’t think you need to go it alone! The adage that many hands make for light work truly applies here.
Cybersecurity Strategy is technology agnostic
Cybersecurity Strategy is not about any particular product or technology. It’s about capabilities and value (more on that in the next section). The main point here is that the cybersecurity strategy is intent on defining a vision for information security and the capabilities the organization needs from it. For example, you don’t say “We need this particular product or technology to classify our data.” You take a step further back and discuss the need for automated data classification as part of the organization’s effort to modernize its data governance program and methodology.
It’s important to remember that the strategy is looking at the big picture. Whatever technology will be applied is a tactical topic that would be more appropriately addressed after the strategy has been formulated and you’re now looking at ways to operationalize it (i.e., the roadmap).
Again, avoid thinking about how a technology or product is going to solve your problems. That’s not what the cybersecurity strategy should be about.
Cybersecurity Strategy is about bringing value and looking forward
I’ve seen a number of strategies that CISOs and cybersecurity executives have developed that talked about what they were going to do but not really why or what benefit it would have for their organization. Most of the time, they assumed it was obvious or implied. If the organization’s executive management is going to shell out budget to make the cybersecurity strategy a reality, however, those executives have to get behind it and see it’s worth the investment.
The Information Security function for an organization doesn’t exist for its own purposes or in a vacuum. It is part of an organization, and the cybersecurity strategy should reflect what is required of the information security function by the entire organization. This speaks to the need outlined above: when working on the cybersecurity strategy, be sure to bring in stakeholders from across the organization who have a role to play in the organization’s goals and overall future direction. Their voices will be critical.
The cybersecurity strategy must reflect the organization’s priorities and goals; what it is seeking to accomplish. And it must do so in a way that demonstrably helps the organization progress and move forward in its intended direction. In short, the strategy must show how it will contribute business value to the organization.
The CEO and the Board of Directors don’t care how great the SIEM digests and analyzes telemetry. They do care about the value that greater situational awareness brings to the organization in reducing its risk profile, in enabling the organization to more rapidly respond to the threats facing it, and in modernizing its capabilities to prepare for future online growth.
When the cybersecurity strategy demonstrates an understanding of what the organization requires of the information security function and how it can help the organization achieve its larger strategic goals (i.e., contributes business value), it will gain significant traction and champions in the necessary places.
Cybersecurity Strategy is helping the organization securely get to where it’s going
Related to the above section regarding the Information Security function being a part of the organization, the cybersecurity strategy must outline not only how it can help the organization achieve its goals, but how it will do so in a way that is secure and reduces risk to as manageable a level as possible. After all, cybersecurity is not about an impenetrable defense, or god-like detection. Ultimately, it is about managing risk.
It’s incredibly important to understand the organization’s risk tolerance to make sure the cybersecurity strategy is not going too far and therefore becoming prohibitively expensive. The strategy can outline an understanding of the cybersecurity-related risks the organization will face in its strategic journey and in the accomplishment of its overall goals. The strategy can then outline how it will address those risks and reduce them to acceptable levels, making for a more secure journey.
If your organization, as part of its overall strategy, is planning to expand its Internet footprint and provide for the capability, for example, for users to register ahead of time for future product launches, the cybersecurity strategy has to be there – at the very least – to support business continuity planning, the app development process, access controls, the protection of user data (as well as of their privacy), and the design of the Internet ingress and egress approaches.
The basics outlined above hold true for just about any organization in any industry, in the public as well as the private sector. By understanding these four fundamentals, you’re already well-positioned to develop a practical and actionable strategy that focuses on the big picture and will benefit the organization.
One more thing: The Cybersecurity Strategy is a living thing. Never assume the document is static. Strategies are dynamic entities that need to change as the situation changes. A four- to five-year vision for the future isn’t set in stone. It needs to be able to adapt and be reviewed regularly to make sure it is still relevant.
Thank you for your time. Be sure to stay tuned for the next posting in this series: Cybersecurity Strategy Step One: Who Are You? (Understanding your Organization).
What is the biggest challenge with cybersecurity strategies today, such that so many organizations either:
- Don’t have one;
- Draft one that doesn’t get budget; or
- Draft one that totally misses the mark and just sits in a drawer?
The answer is simple and twofold:
- You have to understand the basic intent of a cybersecurity strategy (hint: it isn’t just to make your organization more secure).
- You have to know your audience when you draft the cybersecurity strategy (hint: they decide whether the strategy is going to happen or not).
This blog is intended to walk cybersecurity professionals through the logical steps in creating a practical and actionable cybersecurity strategy. It is based on my own experiences as a cybersecurity strategist in developing and drafting strategies for numerous clients – real organizations with real world issues – across a wide range of industries and in the public as well as private sector.
Why a Strategy?
When speaking with clients about cybersecurity, more than a few have asked:
“Why have a cybersecurity strategy at all? What’s it really going to accomplish when I already know what we have to do?”
A lot of people have this attitude and that’s a real problem. Individuals with this opinion really need to follow this series. They have to understand that a cybersecurity strategy is critically important to both the success of the information security function at their organization and the success of their organization as a whole. The purpose of this blog is to answer that very question and settle the issue while showing how to draft a winning strategy that will actually get done.
Did you know that a number of organizations that have been hit by cybersecurity attacks were subsequently sued by customers, and that the existence of a cybersecurity strategy and roadmap prior to the attack could be a major contributor to those organizations’ legal defenses?
Smoke Jumping or Fire Management
Another crucial matter to consider in justifying a cybersecurity strategy is the cost of constantly being in a reactive mode when working in cybersecurity, moving from one emergency to the next. In essence, being a smoke jumper. All you can do is react to fires that spring up, put them out and hope you have the time and resources to properly deal with each one before the next one pops up.
Compare that to the benefit of intentionally anticipating what you expect to experience and proactively establishing a robust cybersecurity framework that will allow you to counter the emergencies – when they’re perhaps minor problems – before they become full-on disasters. This is comparable to fire management: planning, preventing, and fighting fires to protect people, property and the forest resources. This involves predicting and knowing what to expect – protecting the entire forest ecosystem – and being ready for it.
This is foundational to the notion of the cybersecurity strategy. Fire management will always be preferable to smoke jumping. Unless you’re an adrenaline junkie.
Boiling the Ocean
To be clear, I want to stress that developing a strategy isn’t hard, but it does take a lot of work and needs to be done collaboratively. I have seen more than a few CISOs and security executives delay or totally put off the development of their strategies because the task can be seen as quite daunting and it’s hard to know where to begin. Also, they may simply not have the time or the resources. Time is a precious commodity and, if you’re already busy dealing with an ongoing string of emergencies and daily crises, you need to make certain you are using your time effectively.
Instead of boiling the ocean, you need to break down the development of a winning cybersecurity strategy into manageable chunks that build on each other. Also, you want to know what parts to do and when so that you are doing it efficiently and using your time well. And you need to include the right people from across the organization – with stakes in the game – to bring in the right perspectives. This blog will help to provide a sensible and realistic process to follow to allow you to produce a cybersecurity strategy that is actionable and, very importantly, will get budget.
So, stay tuned for the next blogs in this series. They’re sequenced in a logical fashion to illustrate the order of activities to follow in the development of your cybersecurity strategy. There will be a few blogs at the end to discuss differences across industries as well as supply chain considerations and aligning with known cybersecurity frameworks. The entries will be as follows:
- Cybersecurity Strategy Step Zero: Cybersecurity Strategy Isn’t Something to Be Scared Of (Basics of Cybersecurity Strategy)
- Cybersecurity Strategy Step One: Who Are You? (Understanding your Organization)
- Cybersecurity Strategy Step Two: Where Are You? (Understanding your Organization’s Current Cybersecurity State)
- Cybersecurity Strategy Step Three: Who Goes There? (Understanding the Current and Projected Threat Landscape)
- Cybersecurity Strategy Step Four: What’s in It for Me? (Determining your Organization’s Priorities, Business Value Drivers and Principles)
- Cybersecurity Strategy Step Five: What’s the Worst that Could Happen? (Defining Organizational Risks)
- Cybersecurity Strategy Step Six: Dare to Dream (Envisioning the Future State and Articulating the Vision)
- Cybersecurity Strategy Step Seven: But What Will It Do? (Determining the Objectives and Key Results)
- Cybersecurity Strategy Step Eight: How Do We Know When It’s Working? (Defining Metrics)
- Cybersecurity Strategy Step Nine: How Do We Get There? (Defining the Operational Roadmap for the Strategy)
- Cybersecurity Strategy Step Ten: It’s All About the Journey (Keeping the Strategy Relevant)
- Cybersecurity Strategy Step Eleven: The Chain is Only as Strong … (Incorporating 3rd Party Suppliers)
- Cybersecurity Strategy Step Twelve: Model Behaviour (The Importance of Aligning with a Cybersecurity Framework)