Developing a cyber strategy: building the foundations for a successful strategy
18 August 2016
Large-scale data breaches are increasingly common both in the news and on the boardroom agenda. A regular flow of small and large cyber attacks has raised the prominence of cyber threats and demonstrated the potential impact that cyber-related attacks could have on a business. CISOs, CIOs, CROs and even CEOs are increasingly being called upon by Boards to report on the cyber risk to the organisation and, critically, on their strategy and future plans to mitigate it.
Our Global State of Information Security Survey 2016 highlights that 91% of the organisations surveyed have adopted a risk-based cyber security framework, but only 58% have an overall cyber security strategy. Many organisations rush into developing a plan to mitigate their cyber risk without the appropriate up-front consideration of their long-term objectives, resulting in tactical fixes and often in nugatory cost. While there may be an apparent sense of urgency, as organisations realise they are vulnerable to a host of threats, there is often a need to take a more methodical approach.
So how is it best to approach developing a strategy, and where should companies start in creating one? Starting points will naturally vary depending on circumstances, but some suggestions are given below.
Where do we start with a cyber strategy?
Developing a cyber strategy can be a daunting task; however, there are a number of important information sources that should be reviewed to act as the foundations for a successful strategy. Consideration should be given to:
- Strategic business objectives
- IT Strategy
- Cyber risk log and threat reports
These can be collected through wider business and IT stakeholder engagement, to understand potential business requirements and ensure alignment with the overall mission of the organisation. By combining these sources of information it will be possible to begin to identify the key drivers for change and create a meaningful strategy which will aid the business in achieving its goals.
What drives a good strategy?
We believe that a strategy should begin with a well-defined view of the external and internal drivers for change, including but not limited to:
- The organisation’s business objectives (e.g. price vs value, new market entry, new product development, winning in a constrained talent market)
- Key cyber threats (for which the organisation will need a clear view of its critical assets)
- Regulatory mandates (e.g. SOC2, PCI-DSS or emerging IoT safety trends)
- External disruptive forces (e.g. digital trends, blockchain, IoT)
These drivers should be used to feed into and articulate a clear vision, or set of vision statements, of how the security function will add value to the organisation. This vision should be decided in consideration of the overall business vision and that of IT, bearing in mind that the goal of security is ultimately to support and enable the business in achieving its objectives.
Let’s take an example to illustrate the point. Say we have an organisation building e-commerce platforms for customers. The business wants to grow, but labour costs in the UK are too high, and so the business decides to build a delivery centre in APAC and export development costs. We know from the news that the country it has chosen is particularly unstable at the moment, and has recently tightened regulations on encrypted communications. From this information alone we can already see clear internal (moving delivery to APAC for cost savings) and external (geopolitical cyber risk, local government regulations on communications) drivers which will feed into the cyber security strategy.
An essential element in ensuring a successful cyber security strategy is buy-in from senior organisational leadership. Making a business case for a strategy based purely on risk reduction is generally much more difficult than making one which shows a positive contribution to the business. By bringing in inputs from business strategy, and having a clear acknowledgement of the likely disruptors the organisation will face, the cyber strategy can be presented in the context of adding to the ability of the business to deliver on its broader objectives.
So how should a CISO tackle this task? In the next article in the series, we set out our view of the key steps to developing a good cyber strategy.