Why your cybersecurity strategy is probably inadequate and what you can do about it
You’re not alone if you answered yes to the question. In my experience working with several CIOs and CISOs at Fortune 1000 over the years, I’ve seen a few great cybersecurity strategies—but mostly not so good ones. As cyberattacks become increasingly more destructive and costly, your cybersecurity strategy can’t be operationally inadequate or unfeasible. If it is, your cybersecurity exposure skyrockets, and professional credibility plummets.
Why is it hard to develop a “good” cybersecurity strategy? Reality is that cybersecurity strategy means different things to different people and is highly contextual from an organizational culture, “subjective” risk tolerance, and sector perspectives to name just a few. It’s precisely for this reason that makes crafting an effective cybersecurity strategy a challenge for most.
Not surprisingly, often an operational roadmap is bandied about as cybersecurity strategy, meaning there’s no clear linkage between business priorities, risk exposure, and ultimately the needed cybersecurity capabilities. Consequently, I’ve seen more than a few CIOs/CISOs fail to secure (pun intended) commitment from stakeholders to acknowledge the cyber risks, support the priorities and—perhaps most importantly—to fund them adequately.
What can you do? Developing an effective cybersecurity strategy requires incorporating three foundational elements.
Foundational Element # 1: Business Orientation
You need a program-based approach if cybersecurity’s to better enable the business. However, many cybersecurity executives are uncomfortable with this notion for various reasons. Fact is that you need business stakeholder engagement, strong executive/board sponsorship, as well as an effective governance structure to drive meaningful organizational and behavioral change as part of your cybersecurity strategy.
Your cybersecurity strategy needs to convey how adopting a cybersecurity risk management program will drive greater business orientation and why it doesn’t have to be a bureaucratic or resource-intensive endeavor. To this end, consider adopting an industry framework like ISO 27001 or NIST CSF for risk management that you can tailor to suit your organizational needs. Tailoring is key here. This will enable you to avoid the common organizational pitfalls while using leading practices to mature cybersecurity capabilities.
Another technique to achieve greater business orientation is to conduct security workshops to build awareness and consensus with your business stakeholders in support of your cybersecurity strategy. Key to success here is using proven workshop techniques and tools. I highly recommend Microsoft’s security workshop. As full disclosure, we’re a Microsoft partner and deliver Microsoft security workshop<link to MS Security Workshop once site’s active> to customers.
Foundational Element # 2: Cyber Risk Measurement
You also need to have a strong cyber risk measurement capability to perform business threat modeling and risk analysis—both qualitative and quantitative. Without it, your cybersecurity strategy is likely to lack the analytical rigor that your executive team and the board most likely expects.
Even if your stakeholders aren’t seeking a high level of analytical rigor for some reason, you’ll nonetheless significantly improve your ability to defend your strategic options and recommendations, especially regarding budgeting and headcount at the very least.
Adopting an industry framework such as NIST 800-30/37/39 or FAIR and—once again—adjusting it to your environment and organizational norms can lend a lot of credence to your overall cybersecurity strategy.
Foundational Element # 3: Operational Effectiveness
Improving business orientation and risk measurement enables you to tell the “why” of what makes for a compelling cybersecurity strategy. Translating these two foundational elements into specific operational measures is where the proverbial rubber meets the road by conveying the “how”. As such, your cybersecurity strategy needs to show how you’ll increase operational effectiveness with clearly articulated ROI, NPV or other metrics your CFO may have a proclivity for regarding financial viability of numerous investments competing for limited resources.
One approach is implementing pre-integrated cybersecurity controls that can reduce your attack surface as well as cover multiple threat vectors to simplify the organization’s technical infrastructure and operational procedures. In fact, I’d argue that using a “best-of-breed” approach to cybersecurity tools has led to a proliferation of cyber tools often numbering in dozens, adversely increasing operational complexity and costs in exchange for marginal improvements in managing cybersecurity threats. Consequently, we’re seeing a fast-moving shift to “fit-for-purpose” cybersecurity tools using a platform-based approach like those from Microsoft.
Another recommendation to make your cybersecurity strategy more compelling and relevant is to show how you’re modifying your team’s practices and security controls based on industry leading frameworks like NIST 800-53 or Top 20 CIS Controls (CSC) to be more responsive in support of activities like DevOps, which should make for much happier business and IT folks.
In closing, you need to develop a cybersecurity strategy that not only communicates the cyber risks, measures their qualitative and quantitative impact on the organization, outlines specific actions you’ll perform to manage these risks, and ways in which you’ll manage costs. You also need to make regular adjustments to your cybersecurity strategy minimally every six months or ideally once every quarter to keep pace with the business and IT teams in view of what’s going on with the cloud, AI, robotics, IoT and other disruptive technologies.
In closing, ask yourself these 3 questions as you prepare to present your cybersecurity strategy at the next quarterly board meeting and see if the recommendations provided in this blog can help you craft a better story to tell:
- Have we identified and analyzed the top 5-7 cyber risks to the business that’re responsible for 70-80% of the total cyber exposure?
- Do the business and other IT stakeholders agree with the qualitative and quantitative impact of these risks and recommended steps?
- Are we presenting key operational metrics that’re suitable for consumption by senior executives and effectively conveying what’s working well, planned areas for improvement, and calls to action?