What does a good cyber strategy look like?
14 October 2016
A good cyber security strategy not only sets out an organisation’s commitment to delivering effective cyber security, but how it is going to deliver it. However, whilst a security programme plan forms part of the strategy, it is not the only component: having a plan is not the same as having a strategy. If the programme plan is your railway timetable, your strategy tells you where you’re trying to get to, and the direction of travel you’ll take to get there. Most importantly, it tells you “why”. A good cyber strategy makes a clear link from business objectives through to a cyber plan, through a series of logical, interconnected steps.
Defining any kind of strategy can be challenging for an organisation, and cyber security is no different. It can be particularly challenging for cyber security SMEs (subject matter experts) to step away from the comforting detail of their day job sufficiently to take the “big-enough-picture” view required to form a strategy.
A strategy can take many different forms; however, the most successful strategies will often consist of some key components. The first thing a cyber security strategy should set out is a cyber security vision. This should articulate the “end state” for cyber security within the organisation, and flow naturally into a series of strategic objectives which break the end vision into more digestible milestones.
Security is often seen as a blocker in organisations, and so the vision and objectives should focus as much on communicating how security can be an enabler as on how it enables better risk management. Defining these often means taking inputs from four key sources of influence:
- Business strategy: analyse the business’ strategic objectives and understand how cyber security can enable them, and what support business leaders will need to deliver.
- Business risk: look both at the current risk appetite, and at how strategy is likely to modify the risk map, and ask what that will mean for cyber risk.
- External forces: what are the disruptive forces acting on the business from outside, what do they mean for cyber security, and, more importantly, how can cyber security enable the business to react to those forces?
- Regulation: what are the “must-dos” in your business, and how are they likely to evolve?
With all of these potential sources of influence, how many objectives should you have? There’s no “right” answer, but we would probe into any strategy with more than five or six. Are they high-level enough? Do they really prioritise the things which are most important to your business?
A good objective might say “Cyber security risk will be a business accountability, and we will engage with business stakeholders to enable them to manage their risk…”. This isn’t the place to define which standard you’ll use to build your risk framework, or which person will help them to use it!
Many organisations also struggle to make the bridge from strategy to execution, so if you are struggling to distil down to that number of strategic objectives, consider adding a subordinate layer of enabling objectives which can be more targeted and can help you make the leap from objectives to a plan of action to deliver them.
In order to deliver your strategy effectively, whoever is responsible for it needs to be appropriately empowered. In our Global State of Information Security Survey 2016 we found that 54% of respondents had a CISO in charge of their security programme. One way to ensure that the CISO is able to effectively discharge their responsibilities is to use a CISO mandate and charter. The CISO mandate sets out the authority of the CISO with respect to cyber security and delivering the strategy. The charter itself will ensure the accountability of the CISO, and give the board and other leaders the ability to hold the CISO to account for delivering the strategy. Many organisations also tackle this by setting themselves objectives around how the security function will integrate with its business stakeholders. (This naturally leads on to the question of target operating model, which will be the focus of a future article in this blog.)
Ultimately, a cyber security strategy needs to be tailored to suit the organisation in question – whilst there is no “one size fits all” or silver bullet approach, there are certainly some key steps that all organisations can take to ensure that their strategy is as effective as possible.
- Formulate your cyber security vision and objectives based on your overarching information risk appetite and business goals. This way not only will your information risks be addressed in a coordinated manner, it will be done in a way which engages the rest of the business and helps achieve the wider business strategy.
- Consider all of our four sources of influence as you draft your strategic objectives, and pay close attention to how you will ensure that they speak directly to what your business leaders care about. The delivery of the message is often as important as the message itself!
- Ensure that the senior leader with responsibility for delivering the strategy is empowered with the authority to drive the cyber security agenda within the organisation through a clear CISO mandate.