What is a strategy? As defined by Merriam-Webster, it is ‘a carefully developed plan or method for achieving a goal or the skill in developing and undertaking such a plan or method.’ A cybersecurity strategy is extremely important, yet many organizations lack one, or they have not kept their strategy and the roadmap derived from it current. A strategy is especially important in this era of digital transformation and for key initiatives such as Zero Trust.
Cybersecurity requires a holistic approach, implemented uniformly throughout the enterprise. A practical cyber / information security strategy, aligned with business objectives, built on an industry-accepted framework, and adjusted to the applicable threat landscape, can help create a predictable and consistent environment and minimize business risk. An effective strategy is instrumental in setting the direction for the cybersecurity program and in guiding decisions on information security budget allocation, prioritization of information security initiatives, and objective measurement of the program's effectiveness.
Having a unified strategy enables enterprises to focus their information security efforts so that they are more inclusive, cohesive, and efficient. Furthermore, an information security strategy developed without regard to, and alignment with, the organization's overall business and IT strategy will likely lead to inefficiencies and inconsistencies at best, or to ineffectiveness, increased operational losses, and diminished brand and reputation at worst. An information security strategy defines the goals, objectives, and methodologies used to address the internal and external threats faced by the enterprise. The strategy drives the move from a reactive posture to a proactive approach. As the business objectives change and the threat landscape evolves, so must the cybersecurity strategy. This is not a one-time effort but a continuous process. However, evolving from a solid foundation makes it much easier to adjust the strategy and the resulting cybersecurity posture.
Organizations must first adopt a framework of security requirements based upon the applicable laws and regulations they must comply with, industry standards, and other drivers, such as customer or business partner requirements. It is crucial to align with the business. What are the business strategies, and how can cybersecurity enable them? What inputs must be obtained?
- Business requirements
- IT strategies
- Enterprise risk appetite
- Enterprise risk assessment
What are the key activities to determine the current security posture?
- Gap analysis against the framework
- Determining program maturity and security capabilities
- Benchmarking against industry peers
- Industry state and threat landscape
Once the current state is understood, organizations can determine where they want to go. This should all be grounded in alignment with business and IT strategies and in reducing risk. In addition, prioritization takes into account risk management principles, compliance requirements, resources, budget, timelines, and dependencies across the organization. Because this is a process and not a one-time effort, measures and a scorecard should be established to show iterative progress in meeting defined targets.
The implementation of the strategy is facilitated by a strong communication plan across the enterprise, from key stakeholders to all employees. Communication is about garnering support, providing education, establishing the ‘cybersecurity brand,’ adjusting the culture, and enabling organizational change management, so various mediums should be used to reach a variety of roles.
Using the measures defined for the targets, progress must be reported and adjustments made to the strategy as part of the review and feedback loop. The strategy must evolve as the business and its risks evolve. The strategy process and methodology should be cyclical in nature, including continual process improvement.