One of the documents that remains elusive to many organisations is a cyber security strategy. A cyber security strategy, in the simplest terms, should outline an organisation's current threat landscape and the plans to reduce the risk posed by those threats.
[Disclaimer: not all people and organisations will agree with the methods described below, and that is OK. What I am describing is the process I undertake when completing a cyber security strategy. Different people will go about this activity using different techniques and methodologies. What is important is that any cyber risk strategy addresses current threats, how the organisation will address those threats and, most importantly, how the strategy will support the overall organisational business strategy.]
Understanding Your Current Security Posture
When developing a cyber security strategy, there are two primary components. The first is to have in-depth knowledge of the organisation’s current security posture. Ideally, undertaking a gap assessment against a relevant framework such as ISO/IEC 27001 or an organisation-wide cyber security risk assessment will assist in arming you with the knowledge of the organisation’s strengths and weaknesses concerning information security.
Engaging With Leadership
Once you understand the organisation’s current security posture, the next step is to run workshops with key stakeholders, such as members of the board and the executive team. The workshop should clearly articulate the findings of the initial assessments, the current threat landscape, and the primary cyber security gaps. These workshops will also ensure alignment with the overarching organisational business strategy, as all cyber security strategies should underpin and support the business strategy, helping to enable its success.
The workshop should be focused on developing the key themes, the vision, and the purpose of the strategy. The stakeholders do not need to know which activities are required to achieve a better security posture; rather, they give feedback on the main priorities for the organisation, which then allows those activities to be identified and developed. For example, the working group may identify the theme of Continual Improvement, ensuring strategies already developed are enhanced and provide a greater return on investment to the organisation.
Developing the Cyber Security Strategy
Once the workshops have been completed, the next stage is to prioritise the findings of the initial gap assessment or cyber risk assessment so that they align with the key themes identified by the strategy group. Going back to the example of Continual Improvement, one of the initial assessment findings could be poor third-party risk management practices, or no security awareness training offered during the onboarding of new staff members.
The completed cyber security strategy should be a high-level, one-page document that defines:
- the organisation's purpose and vision with regard to cyber security;
- the goals of the organisation, which may vary between business units (for example, if the organisation is a university, parts of the university may want to undertake military research and require DISP membership);
- the themes discussed above; and
- the foundational capabilities of the organisation.
Developing the Supporting Roadmap
Supporting this document should be a roadmap with greater detail on how the strategy will come together and the implementation strategies required. Going back to the Continual Improvement workstream, the goal may be to uplift and maintain the critical areas associated with DISP requirements as well as improve the overall security posture of the organisation. This may be performed through governance, risk and compliance activities, such as uplifting the third-party supplier process, and security awareness activities, such as improved security awareness training during onboarding.
Lastly, the detailed roadmap must state when specific actions will start and finish. A well-managed strategy, once complete, would be reported to the Audit and Risk Committee or the Board to provide organisational visibility. Once commenced, the Audit and Risk Committee or Board should be provided with regular updates on the progress of the roadmap.
Cyber Security Strategy Roadblocks
Strong project management skills are essential when engaging with executives and board members. The first step should be a kick-off meeting or kick-off presentation stating clearly what the agenda will be, what the purpose of the meeting is and what the key takeaways from the meeting need to be. Allowing individuals to contest critical points during the workshops can be helpful, as it promotes robust discussion by members and gains greater buy-in and investment from those stakeholders. Still, it can also impede the outcome, so if people are clashing and there is no sign of negotiation, it is best to take the discussion offline. Where feasible, trying to address all concerns in the strategy generally works best.
With cyber security, one of the most common concerns and challenges is the perception that security controls inhibit organisational processes, innovation and progress. Dealing with this perception requires educating stakeholders to understand that security is there to enable the business rather than impede it. By identifying and addressing cyber security risk, an organisation is better placed to embrace positive risk, i.e. opportunity, which allows innovation and faster uptake of new technologies. For example, it is essential to understand that security is not an all-or-nothing prospect: not every control is required by every business unit 100% of the time. Therefore, robust exception management processes are necessary so that, where exceptions are needed to support the business, any risk posed by those exceptions is documented and compensating controls are put in place to reduce the risk to acceptable levels. In my experience, a greater understanding of these concepts by key stakeholders has reduced most of the challenges that have arisen during risk strategy development, along with other critical security processes.
Review and Continual Improvement of Your Strategy
Cyber security strategies are living documents and should be reviewed regularly to ensure they remain relevant. The threat landscape is continuously changing, and the strategy needs to be aligned with the current threat landscape. Organisational objectives and priorities also change, and the strategy needs to align with any significant changes in direction. Organisations that fail to review their cyber security strategies regularly may find that their strategy does not address current threats or new risks that have arisen within the business.
Additional Resources
Some of the better cyber security strategies I have seen out in the wild include:
- Victorian Government Cybersecurity Strategy
- Defence Cybersecurity Strategy
- Brent Cybersecurity Strategy
Happy cyber security strategising!