Cyber Security Strategy – Guide to Managers and Leaders

Every seasoned cyber security leader has built strategies for their organization several times over the years, through planning sessions, budgets, annual goal/OKR setting and 3/5-year strategy set-ups. Is there a blueprint that security leaders can follow so that you cover your bases, keep the strategy practical and simple, and at the end of the day actually reduce cyber security risk in a quantifiable way while establishing metrics to monitor success?
Well, there is a way to set this up, which can be explained in 4 steps. Beyond the theory of each step, let's discuss examples and industry-based scenarios so that each step is better understood.

Pre-requisite: You need a good understanding of the organization's business strategy and IT/Digital strategy so that the cyber security strategy can be aligned to them.

1. Understand and evaluate the threat landscape

This is the step where you evaluate what could go wrong in the next year, comparing your organization against the industry's leading threats. Not all of the threats will be applicable or relevant to you, and your top threats will differ based on your current infrastructure, IT/Digital strategy and technical debt.

Sample list of top threats

If you are a large enterprise with a very large group of internal users who are currently affected by inflation-driven market conditions, it may be good to look at insider threats as a priority.

Are you holding critical and sensitive customer data (health data, PII, financial system access credentials) that hacker groups would be interested in obtaining for the value of the data?

Are you operating in highly regulated markets, where regulators are strict about breaches so hacker groups are prone to ransom you, or in loosely regulated markets where the general cyber security posture, hygiene factors and user awareness are low? (US, EU, ANZ, SG versus Africa, South Asia, LatAm)

Are you an enterprise with mostly closed systems and a core ERP, as in manufacturing? Are you in BFSI with a very large digital footprint across digital channels? Are you in engineering industries like telco or aviation, where your networks are not only IT but also IoT, telecommunication, radar, etc.? This is where your digital strategy helps in prioritizing the different areas of impact.

2. Assess your current maturity and risk profile

It's important to understand the organization's current maturity by benchmarking against a standard set of practice areas. The NIST Cybersecurity Framework is a good tool for understanding and evaluating your current maturity: it helps you rate and rank your cyber security posture across the Identify, Protect, Detect, Respond and Recover capabilities.

Sample current state assessment in line with NIST Cybersecurity Framework practice areas

Example of maturity rating

Make sure the respective owners of these areas are on board and aligned with your assessment, and that it reflects the current status of the organization. Some organizations that have invested heavily in security technology but lack governance will find there are gaps. Remember, the goal is to lift the overall cyber security posture, not just a part of it. Your maturity will be low, even if the technology investments have already been made, if you haven't built the practices to operate them, accountabilities are not defined, and the rules are not configured and customized.

Assessing the risk profile is equally important, as the framework maturity outcome should correlate with the ongoing risk assessments and treatments. Misalignments would indicate either that there are already identified gaps which are not reflected in the maturity rating, or that the risk management program has gaps in identifying risks at sufficient granularity across the full cycle from identification to recovery.

3. Determine programs/goals to improve cyber maturity

Once you have buy-in for the current maturity rating, clearly articulate the future maturity you would like to reach. It is always sensible to bring all areas to the defined state (processes exist and are followed with less than 10% deviation) through a 3-year plan for an organization whose current state is at an overall maturity of about 1-2 (initial-repeatable).

As a leader, your goal should be to improve overall maturity, from identification of exposure, assets and threats to building protection, detection, response and recovery capabilities, NOT to have only great detection abilities like EDR, SIEM or ASM, or only recovery through backups or cloud replication.

Setting up goals/programs to reach the desired maturity lets you demarcate the different areas of cyber security, so that it is not only the cyber security team that drives the desired maturity.

Illustrative sample for programs

You can simply bucket your programs into the NIST phases from Identify to Recover. This works for some organizations, while for others it gives more clarity and brings buy-in from other teams if you specify areas that indicate accountability and responsibility from the outset. You would then need to identify all the projects required to increase maturity to the expected target in each program area. Lists of projects vary with the size, complexity and nature of the business. The point is to list all projects within security. A non-exhaustive sample list for two of the programs mentioned above would look like the below.

Non-exhaustive sample program list for governance and operations

4. Prioritize the projects rationally

This is one of the key steps in the process: prioritizing these projects. There are many methods for this: risk programs, priority matrices with weighted scoring, investment analysis, impact analysis, etc. Some are highly quantitative, some qualitative and some a mix. It's good to phase this out, meaning have a qualitative, rationale-based high-level prioritization discussed and agreed first, and then drill down to an investment/impact analysis. The matrix below allows the CISO to place the projects on a drawing board in terms of 2 main metrics.

Impact – This reflects how much risk the project reduces, the benefit to the business and the amount of maturity it provides in relation to the target state.

Complexity – This accounts for the investment and effort (engineer time, architecture revamp, integration).

You will note these 2 parameters change drastically with the organization. E.g., a startup with an agile cloud tech stack can have less complexity in a product revamp than an enterprise. Similarly, if current maturity is very low, an asset inventory would have higher impact on maturity and be less complex than a complex Network Access Control project.

Sample project priority matrix

Note that your focus is on low-hanging fruit and important projects. Depending on the organization's risk appetite, industry and current maturity, even the same project could land in a different quadrant.
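As an added example, not from the original article, the impact and complexity scoring above written out in Python: impact blends risk reduction, business benefit and the maturity lift toward the target state of the project's NIST function, complexity blends investment and effort, and each project lands in one of the four quadrants. The 1-5 scales, the threshold of 3 and the sample projects are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed assumption: current and target maturity per NIST CSF function on a
# 0-5 scale (the article's "1-2 initial/repeatable" today, "3 defined" as target).
CURRENT = {"Identify": 1, "Protect": 2, "Detect": 2, "Respond": 1, "Recover": 1}
TARGET = {f: 3 for f in CURRENT}

@dataclass
class Project:
    name: str
    function: str           # NIST CSF function the project mainly lifts
    risk_reduction: int     # 1-5, how much risk it removes
    business_benefit: int   # 1-5, benefit to the business
    maturity_gain: int      # maturity levels it adds to that function
    investment: int         # 1-5, money
    effort: int             # 1-5, engineer time, architecture revamp, integration

def impact(p, current=CURRENT, target=TARGET):
    # Mean of risk reduction, business benefit and maturity lift toward target;
    # lift beyond the remaining gap earns no credit, and the lift is rescaled to 0-5.
    gap = max(target[p.function] - current[p.function], 0)
    useful_gain = min(p.maturity_gain, gap)
    maturity_term = 5 * useful_gain / gap if gap else 0.0
    return round((p.risk_reduction + p.business_benefit + maturity_term) / 3, 2)

def complexity(p):
    return round((p.investment + p.effort) / 2, 2)   # mean of investment and effort

def quadrant(p, threshold=3.0):
    # Four quadrants of the priority matrix; focus goes to the first two.
    high_impact, high_complexity = impact(p) >= threshold, complexity(p) >= threshold
    if high_impact and not high_complexity:
        return "low-hanging fruit"
    if high_impact:
        return "important"
    return "fill-in" if not high_complexity else "deprioritise"

QUADRANT_ORDER = {"low-hanging fruit": 0, "important": 1, "fill-in": 2, "deprioritise": 3}

def prioritise(projects):
    # Order by quadrant, then highest impact, then lowest complexity.
    return sorted(projects, key=lambda p: (QUADRANT_ORDER[quadrant(p)], -impact(p), complexity(p)))

# Constructed sample projects; the scores are illustrative assumptions.
PROJECTS = [
    Project("Asset inventory", "Identify", 4, 3, 2, 1, 2),
    Project("Network Access Control", "Protect", 3, 2, 1, 4, 5),
    Project("Cloud backup replication", "Recover", 2, 2, 1, 3, 3),
    Project("Phishing awareness refresh", "Protect", 2, 2, 0, 1, 1),
]
```

With these scores the asset inventory lands as low-hanging fruit and NAC as important, which matches the article's point that the same project would move quadrants under different maturity or cost assumptions.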

5. Identify key enablers and plan them out

The final stage is identifying the key enablers and getting consent and buy-in from the rest of the organization to invest in them. All these projects primarily require 3 key enablers to deliver the expected outcome and execute effectively.

People – You need key roles established, like analysts, leads, managers and the CISO, with security accountabilities set for other IT and business roles. This depends on the business. List them and show how you would add to them each year to support the maturity journey.

Process – Identify process requirements such as data classification and protection, information security policies, standards and risk management initiatives here. Without achieving a baseline through these, it is extremely difficult to reach the desired state and to maximize ROI on most of the tech investments.

Technology – List the technologies required by the projects and how each technology is adopted in each year. Note that prior to implementation, people and process capabilities should be at an acceptable level to drive the full functionality and return on the technology investment. E.g., if DLP is planned in 2 years, ensure the data protection role, classification framework and classification tooling are built in the prior years.

Subject matter experts – No strategy can be realized if you focus on building all the talent and skills in house. Identify where subject matter experts (SMEs) can be leveraged as a complement to this strategy. They can be in the form of consultants, auditors, implementation partners, assessment partners, monitoring partners, etc.

Once you list all these key components according to the priority of the projects from the matrix, you arrive at a strategy for 2-3-5 years, where your significant investments are on the enablers. Non-tech decision makers can relate to these and make informed decisions, as they understand the rationale, and the focus of investment justification is mostly on the enablers, since the project justifications are already made. The CISO/Manager derives the project plan, but there is common consensus built around the key enabler investments over the years, and that clearly reduces risk and brings maturity to the organization.

What is discussed here is one approach that can be commonly used across organizations. There is no silver bullet. You may pick and choose components, or go into much deeper analysis based on the culture and industry of the business.