A good cyber security strategy tailored to your organisation’s goals can help you avoid the pitfalls of operating without a plan. Ensuring it is realistic, adaptable and actionable, your cyber security strategy should cover different levels of planning: strategic, operational and tactical. In this blog, Senior Information Security Consultant Simon Discombe discusses how to initiate effective planning and ensure that security plans deliver for the business.
While no plan typically survives first contact, in order to effectively prepare businesses for the various potholes that exist in the operations space, you need to establish a security strategy. Whether your plan is defined by a dynamic set of steps, a formal directive to guide process delivery or even an idea written down on a notepad, to create no plan will almost certainly result in failure.
By preparing appropriate budget, resource and staff members for milestones you expect to achieve, bespoke plans can be laid and put into action making them far more effective than rarely reviewed plans left to grow old on a shelf. The strategy that you do adopt will also have to be robust and flexible enough to scale and adapt as the environment and business needs develop. Splitting plans into strategic, operational and tactical phases helps to refine intent from a high-level perspective to a ‘boots on the ground application’ and requires a strong cross-function team to secure alignment with culture. But simply creating and delivering a strategy won’t deliver effective results – it needs care and nourishment to thrive.
Why do you need a cyber security strategy?
The modern operating landscape is constantly on the move, with threats becoming more sophisticated or more frequent, vulnerability numbers ever increasing and a global shortage of defenders. So how is a business expected to operate free from risks? Simply put, it is not. Risks are part of doing business and we must factor that in when we secure our business processes.
Regardless of the sector, no organisation is immune to the progressive nature of the information age we live in, and the need for reflective and robust security operating models cannot be underestimated. As data spreads ever further and we migrate the remaining holdouts of on-premises business services and data to cloud services, plans must be adapted to remain relevant.
Your cyber security strategy journey
Just like a good story, a plan needs a beginning, a middle and an end. This means having an idea of the results you want from your business, what your current state is and how you plan on getting from one point to another. This vision serves as an effective reality check throughout plan development to ask how the plan will achieve or protect the components of ‘the story’.
The foundation that underpins your security strategy is what the business is trying to achieve. Strategies need to strike a fine balance to not get in the way of business growth, but hard-won business growth must be protected to prevent value being degraded by avoidable security incidents.
Take stock of risk management
Risk is a great place to start before writing a formal plan. Risk analysis ensures we understand inherent business risks and how they might affect operations. By assessing the business, its processes, partners and supply chain, we can begin to define key areas that pose the greatest concern.
This all starts with identification. Identify threats, vulnerabilities, stakeholders, assets, compliance obligations, critical processes and current records of risks or incidents that have arisen. These will form the basis of what you’re trying to protect, defend against and remediate.
Once risks are identified, we must evaluate them for relevance to our operations. For instance, are risks outdated, are they appropriately owned, are there gaps in understanding and recorded risks, has the severity of risks changed over time? By looking at how risks evolve we can ensure that a review of risks isn’t a waste of critical people resources.
Risks should be prioritised before going any further, placing the emphasis on those risks that seek to do the most harm to the business. By conducting this task with representatives across departments, qualitative judgements on what poses the greatest risks will be more credible by taking into account front end and support services.
Mitigation is then driven by that prioritisation of risks, taking the resources available and distributing them appropriately in the areas that require them most urgently. This is where much of the decision on security controls and security budgeting will be evidently involved, reviewing and selecting those safeguards that most align with business operations. For example, using technical access controls to secure a physical facility that holds critical servers is likely to be more appropriate than access controls for a facility that has no sensitive business assets.
Once mitigations are in place, plans need to account for the ongoing monitoring of risk. There’s no use putting controls in place if they are subject to failures over time or malicious activity is going undetected. Reviewing controls and how they effectively mitigate threats from an evolving environment is essential for conducting due care.
Aligning your organisation’s cyber security strategy
Now that risk management has been reviewed, we can use that information to begin developing plans. For instance, those same key stakeholders involved in reviewing risk will form the bulk of the stakeholders involved in setting long-term objectives to manage risk. Additionally, business risks such as regulatory, legal and contractual obligations become drivers in some of the actions we will need to take in the future to protect reputation. Assets and processes we deem critical to business value will now be placed at the heart of our strategy. This can be cut down to some key things to focus on:
Assets
Knowing where an asset exists and what value it provides to the business will help prioritise protection. Whether that is defined through classification, use case or departmental context, valuable assets should be tracked so that they can be managed effectively.
Humans
Ensure you engage the relevant role holders early on. These people will become accountable and own the execution elements of the plan, as well as engage parts of the business under their remit. Ensure job descriptions, terms of reference (aligned to standards set by NIST, ISO and NCSC) and policies are delivered that effectively organise the business units to be ready to deliver against the vision and mission of the business. As part of this area, don’t forget the buy-in – a plan that is out of touch with culture will lead to issues such as despondency and process challenges that require insecure workarounds. People need to be listened to, trained and engaged to deliver the plans of the business.
Tools
It’s important to use tools to automate areas of planning and decision making, but just like in risk management, we need to identify what we have and evaluate features for suitability with the business. Using tools that aren’t fit for purpose or not enabling useful features and instead purchasing other tools impacts the availability to deliver upon milestones due to issues such as resource wastage or poor interoperability. Make sure that tools selected are tied to tangible technical requirements of the business.
Gaps
Your risk assessment should provide you with a good idea of the areas where you require further resource or effort to be applied. Security control implementation will often be guided by standards or best practice helping to quickly identify compliance misalignment, but this does not always define a gap in the business’ needs. Keeping track of mandated obligations and mapping these with business functional requirements will ensure the best fit adoption of controls.
Thinking about the business from both an internal (culture, awareness, past change management) and external perspective (networking, data sharing, shared responsibility) will allow plans to leverage sentiment and patterns to tie strategies to the expectations of staff and clients.
Roadmap challenges
On your route to implementing your treasured strategy, it’s important to be aware of the challenges you will face. Resource constraints are often a factor in mismanagement of plans or plans having limited impact from budget and expertise. Additionally, the expertise and tools you require will need to stay ahead of evolving threats such as malicious artificial intelligence, sophisticated ransomware and new compliance demands. A lack of awareness in these areas from owners and staff alike will increase a business’ exposure to new and old threats despite the level of planning put in place.
When preparing the business with a strategy, you must consider detractions to that strategy, providing a collaborative approach to execute a plan across departments and workstreams. To avoid security becoming a blocker to work, the controls need to support productivity and security needs. Investing in users by engaging them in the plan creation phase will tie them in as part of the wider effort and support training adoption. The strategy must also not get left behind once in place – reviews, amendments and continual improvement to the underlying structure of plans (such as policies, tools and resource) need re-evaluation. This is often supported by splitting plans down by their focus and time frame such as:
- Strategic: the long-term plan, typically 3-5 years and based on a standard such as NIST CSF or ISO 27001 incorporating relevant business technology, environmental and social drivers that align security and business intent.
- Tactical: these are typically more short term, ranging from a quarter to 3 years, to set the overall direction to reach the goals of the strategic plan, setting targets and allocating resource as needed.
- Operational: typically focused on the very short term such as daily operations within the business, these involve supporting business units in their tasks set by tactical plans and providing performance metrics towards certain goals.
The above plans are all linked to the overarching business vision but vary in the way they support it. As above, the vision is split into manageable phases whereby strategic plans set overall direction, tactical plans detail how strategies will be implemented, and operational plans focus on actions needed to deliver tactical plans on a day-to-day basis.
Monitor environment security and respond
Planning is not enough – it’s only the first step to putting control into your hands rather than the threat actors. Providing the business with a mechanism for reviewing, reporting, amending and correcting residual risks to the strategy is highly useful over time.
The business needs to have awareness of its technical and physical operating environments and the potential for disruptions in these areas. Whether by automated tools or through bespoke groups to review implementation, the business must have visibility of changes and threats over time. Effective response involves enabling and listening to those same groups that are well-versed in business continuity, incident response and disaster recovery, and pivotal in maintaining operations in the face of adversity.
What’s next on your cyber security strategy journey?
Delivering an effective cyber security strategy is a proactive process. While there may be some element of necessary reaction to current events, strategy and planning looks ahead, taking the teachings of the past and applying them to theorise what the future may bring. And that means people, smart people that can support you when times are tough and during more calm periods in terms of preparing the business for whatever comes next.
A collaborative approach that addresses the individuality of a business will always deliver the best results and face off against cyber security challenges. By following a process of risk review, business alignment and plan review, you can face the future head on and compete with less secure organisations that aren’t prepared.
