Who or what defines a cybersecurity strategy?
A recent survey by insight and IGG from a pool of 250 security executives showed that 39% of senior IT and security professionals say that they “lack a clear overall strategy and roadmap for cybersecurity”.
It’s more interesting what else is in that report rather than just that statistic, and in some cases, when we see such data from a small pool of companies, is it an intention to mislead?
Let us take a look at the other things in this report for this particular question, were the following: lack of automation, outdated network access solutions, legacy infrastructure, software tools that do not address today’s threats for cloud environments, lack of skilled staff, outdated governance processes and procedures, insufficient analytics to action and investigation, the ability for effective regulatory compliance and audit reporting, oversight of internal changes land the lack of executive support which leads to low awareness.
Are these not all things that make up a strategy? Is a strategy a course for or a direction to something?
Cybersecurity strategy should be part of a business strategy?! This is not a question it is a statement. Who amongst you disagree with that statement?
One fundamental mistake that a lot of businesses make, is that they assume that information or cybersecurity strategy is a technology one and not a business one. That it is a technology issue to solve and not a business one. To ensure effective priorities around cybersecurity you must first understand your business and what your business outcomes are, how can you design an effective cybersecurity strategy if you don’t know what is important to your business and why?
However, let’s examine what makes a good cybersecurity strategy?
a) Business priorities. Do you understand your business priorities? - that should be your first test. Failing to understand business priorities will lead to poor and inadequate planning.
How do you know what to protect if you don’t know where your business is going? CISO’s need to at the forefront of business planning activity, but sadly we are still not part of that c-suite club, a lot of lip-service around it. In 2021 it is still very much the same old story, you have a CISO, but let’s keep them at arm’s length until something goes wrong, and then let’s blame them for not doing their job – sound familiar!
Focus on the business need, then worry about the technology that supports it or does not in most cases.
b) Ensure effective sponsorship. Getting lip service from the board or lip service from your executive will only lead to failure. Once you’ve understood what is driving your business and where that business strategy is going, work out what you want to say to your executives, make sure they understand whether it’s informational, actionable, or investment-related, and be clear as to what you want, so they know how they can help you. A lot of the time with CISO’s we can tend to react rather than act on the information we are trying to relay, be intelligence-led at all times, you want to only go to the board when it is necessary, with that said, that’s if you even have access to it in the first place.
c) Actual and factual. It is vitally important what you say as a cybersecurity leader is factual. Fear and Scaremongering do not work and are an antiquated way of getting your messages across. We should not be scaring people to do the right thing or to be afraid in the knowledge that if something goes wrong you may lose your job. Now a lot of what we do can be subjective, the key is to move to a more “revenue loss” focused conversation. As that what Investors, Boards, and executives understand the most- Money.
d) Make friends. That may sound flippant, but CISO’s and their teams are not internal affairs, the secret police, or any other form of internal force that is attempting to bend the will of the people. Building relationships is key. It will determine the level of success you have internally, and it is a fundamental part of your security strategy. This cannot just be about managing up, it must also be about supporting below, that is just basic leadership. This is also about the type of behaviors you wish your organisation to follow. (Though behaviors play a massive part in any company’s success, changing behaviors to think security is never an easy task.)
e) Foster a culture of transparency. Publish your roadmap for all to see.
In most cases, a CISO’s first reaction is to keep this as a need-to-know? Not sure why? It does not have to contain confidential information, but you need to take your Board, executive, and people on the journey, make sure they understand the importance of what that change will bring and why you actually cannot do it without them.
f) Talk about failures. Why? Because they teach us something, we learn, adapt and change (hopefully for the better), if we only praise ourselves when things go right, its sets a false sense of security. We all know nothing is 100% secure. We also know companies will get breached even with the best of strategies in place, the larger you are-the bigger the technology footprint, the bigger the customer base, something will fail – it’s okay to fail, we are human after all.
g) Education. It may sound easy but trust me, it is not. To be informed and make effective decisions, we all need to have access to information that helps us do that. Security as a discipline is no different, but there is an assumption that what we are teaching is too technical or not sexy enough for people to understand. Also, if you are a CISO for a large enterprise or corporate, you are a competing voice in many so many other voices. So, what is going to make you stand out from the rest? The key here is to ensure your Board and executive lead by example, it starts and stops with them. At the same time, you also need a bottom-up approach. Have an open-door policy. Your position or rank means nothing in this instance, nor it should anyway. The most important thing here though is about consequence management. “The carrot is always better than the stick”. There are some crazy rules, I have seen businesses implement, which just leads to a lot of noise, if you have zero trusts at all times you will have zero loyalty. Just think about that for a while….
h) Your Supply Chain – Third-party vendors, are just commonplace now. They play an integral part in any business strategy. It is not just about the services they provide or how they form part of your overarching technology strategy. It is also about what type of relationship you have with them. The more they know about your business goals and objectives, the better they can support you. One major mistake we make insecurity is not focusing on the procurement lifecycle. Though you have a good security SLA/MSA. Have you read it, were you involved in defining it? The last conversation you want to have with your vendor or supplier is…. it’s not in the contract and we can’t support you. Think carefully about how to secure these based on your business objectives and security needs not that of the supplier. Remember they are an extension of you
i) Understand your technology. You are probably wondering why this is last. A lot of us and even including me at the early part of my career always started with securing the tech. Let’s harden this, let's configure this securely, let's encrypt that, and so on. All without context. Before you attempt to govern you must first understand what you have, what you don’t have, what works, and what does not. Don’t make judgments. If this is a new role, and nothing is in place, well maybe that’s why you were hired, but if it is bad, maybe your executive has been misinformed. Who knows? Better to find out yourself (go to point D). Get a full and as complete picture as possible. Who cares if your predecessor left you a mess – so what? Your focus should be on what you need to do to improve it.
You would have probably noticed; I have left out anything that would seem remotely security-related or technically focused. It was intentional. The strategy needs to be a high-level direction, roadmap, and target, from that, go and develop your Target Operating Model, your operational models, your implementation models, and so forth. It is not for you to define every security requirement at that stage, because this is about the business and its risk appetite. Now let’s face facts, we as CISO’s will be pulled in multiple directions, have multiple priorities, the business-as-usual activities, and let be frank all the blah blah blah that goes with the job. You can only do one thing at one time and have one priority, effective planning and business prioritisation are key. Don’t get me wrong, if you have a major security issue, this is a business issue, and therefore must be prioritised. Failure to do so may lead to the failure of your business.
Don’t be yet another headline!