Cybersecurity strategy… To plan or not to plan… That is the question

March 25, 2021 | Carisa Brockman

What is a strategy? As defined by Merriam-Webster: ‘a carefully developed plan or method for achieving a goal or the skill in developing and undertaking such a plan or method.’ A cybersecurity strategy is extremely important, yet many organizations lack one, or they have not kept their strategy and the roadmap that follows from it current. A strategy is especially important in this era of digital transformation and for key initiatives like Zero Trust.

Cybersecurity requires a holistic approach, implemented uniformly throughout the enterprise. A practical cyber / information security strategy, aligned with business objectives, built on an industry-accepted framework, and adjusted to the applicable threat landscape, can help create a predictable and consistent environment and minimize business risk. An effective strategy is instrumental in setting the direction for the cybersecurity program and in decision-making on information security budget allocation, information security initiative prioritization, and objective measurement of the program’s effectiveness.

Having a unified strategy enables enterprises to focus their information security efforts so they are more inclusive, cohesive, and efficient. Conversely, an information security strategy developed without regard for, and alignment to, the organization’s overall business and IT strategy will likely lead to inefficiencies and inconsistencies at best, or ineffectiveness, increased operational losses, and diminished brand / reputation at worst. An information security strategy defines the goals, objectives, and methodologies used to address the internal and external threats faced by the enterprise. The strategy drives the move from a reactive posture to a proactive approach. As the business objectives change and the threat landscape evolves, so must the cybersecurity strategy. This is not a one-time effort but a continuous process. However, evolving from a solid foundation makes it much easier to adjust the strategy and, with it, the cybersecurity posture.

[Figure: Strategy foundation and planning]

Organizations must first adopt a framework of security requirements based upon the applicable laws and regulations they must comply with, industry standards, and other drivers such as customer or business partner requirements. It is crucial to align with the business. What are the business strategies, and how can cybersecurity enable them? What inputs must be obtained?

  • Business requirements
  • IT strategies
  • Enterprise risk appetite
  • Enterprise risk assessment

What are the key activities to determine the current security posture?

  • Gap analysis against the framework
  • Determining program maturity and security capabilities
  • Benchmarking against industry peers
  • Industry state and threat landscape

Once the current state is understood, organizations can determine where they want to go. This should all be grounded in alignment with business and IT strategies and in reducing risk. In addition, prioritization takes into account risk management principles, compliance requirements, resources, budget, timelines, and dependencies across the organization. Because this is a process and not a one-time effort, measures and a scorecard should be established to show iterative progress in meeting defined targets.

The implementation of the strategy is facilitated by a strong communication plan across the enterprise, from key stakeholders to all employees. Communication is about garnering support, providing education, establishing the ‘cybersecurity brand,’ adjusting the culture, and enabling organizational change management, so a variety of mediums should be used to reach a variety of roles.

Using the measures defined for the targets, progress must be reported and adjustments made to the strategy as part of the review and feedback loop. The strategy must evolve as the business and its risks evolve. The strategy process and methodology should be cyclical in nature and include continual process improvement.

[Figure: Continuous process improvement for cybersecurity strategy]


About the Author: Carisa Brockman

Carisa has worked as part of the AT&T family for over 18 years (through acquisitions). She is well-versed in business management practices and has focused on strategic planning, information risk management, compliance management, enterprise policy management, cross-functional process design and management, consolidation and integration of enterprise security functions, and organizational effectiveness. Carisa joined AT&T Consulting via the acquisition of VeriSign Global Security Consulting, where she served as a Senior Manager. Prior to VeriSign, Carisa worked at the Minnesota Department of Human Services in IT Security. Today, as part of AT&T Consulting, Carisa leads the Governance, Risk, and Compliance Security Consulting Practice. She is responsible for providing strategic direction and vision to grow the business through collaborative relationships with account teams, management, staff, and business partners; defining and refining service offerings based upon market drivers and conditions and the regulatory landscape; and managing client relationships and business development for the practice. Carisa is married with three children. She holds CISSP, CISA, and CCSFP certifications and a BA in History from the University of Minnesota – Twin Cities, and resides in Oconomowoc, WI.
