Difficult to answer, isn’t it? It causes stakeholders to pause for thought, try to think of who may have the answer, and can give them an involuntary deer-in-the-headlights look. It’s not simple to answer, nor should it be. Regardless of what you call it, from cybersecurity to information security to information assurance, we all need a strategy for it.
Often thought of as an “IT Problem” or as purely technical in nature, nothing could be further from the truth. The reality of a cybersecurity strategy is that it concerns every aspect of your business including people, process, environment, and technology. Rather than being focused solely on prevention and being proactive to halt an incident IF it occurs, it’s equally about being reactive WHEN an incident occurs and being able to respond during and after.
Recent high-profile cybersecurity breaches at large, international organisations have made headlines and caused many executives and security professionals restless nights and stressful days. Some of these companies were compromised long before they became aware and are still cleaning up the aftermath months afterwards. Frighteningly enough, there is a degree of uncertainty that the intruders are completely removed.
Were these cases of not having a cybersecurity strategy? Not at all. In fact, nearly all of them have had a strategy of some sort, and even some of them are, in fact, known for their cybersecurity services. The point remains that no one is immune and incidents of this calibre will occur again. With looming Mandatory Data Breach Notification laws, we may begin to hear of more incidents. The sobering reality is that prior to this legislation, considerably more were undisclosed. It is up to us to prepare and having a Cybersecurity Strategy is crucial.
Although you may think you don’t have a “Cybersecurity Strategy” per se, you likely have a disjointed version of one. By that I mean you probably have processes and systems, formal or informal, that you leverage for security-related matters.
If you say yes to any or all of these, you have the building blocks of a Cybersecurity Strategy; all you need to do is pull them together into a cohesive structure. As for gaps, determine their priority and fill them going forward while refining and maintaining the existing pieces.
What is it? A Cybersecurity Strategy is essentially a roadmap to Prepare, Protect, Detect, and Respond to cybersecurity incidents regardless of how big or small they are, and the ability to repeat this cycle to evolve your security posture. It should consist of short-term tactical and long-term strategic elements designed to get you from where you are to where you need to be while being resilient enough to withstand the unknown, and agile enough to adapt to the dynamic threat landscape in which you reside.
Organisations globally spend millions of hours and billions of dollars on cybersecurity solutions every year yet still find themselves victims of cybercrime. Is it a technology issue? Is it a policy and procedure issue? Is it a leadership and people issue? It’s all of those together, and none of them individually bears more responsibility than any other. The best technology in the world can be let down by poor decisions, and outstanding leadership can still fail when the technology isn’t up to the challenge. A Cybersecurity Strategy must address both the tangible and the intangible.
In essence, you must Prepare by establishing what you do and don’t have through risk analysis, identifying gaps, and prioritising the findings to be addressed. This analysis, together with Vulnerability Assessments, Penetration Testing, Health Checks, and similar engagements, forms the key planning exercise. Using subject matter experts and trusted advisors helps build a foundation for revising your cybersecurity strategy (or establishing one if it is disjointed or absent altogether). A degree of independence on the part of the assessors is beneficial because internal stakeholders may hold a bias that *their* systems and needs should take precedence.
Following on from Prepare, during Protect we look at a defence-in-depth approach consisting of many layers, several of which may overlap. As a visual reference, consider an archery target where the outermost layer represents the perimeter which could be an area outside the control of you and your partners such as the public Internet. As you approach the centre, the level of criticality increases and your control becomes more and more granular, explicit, and clearly defined. At the centre, or “bullseye” as it were, resides your critical data and processes with your human resources often the last line of defence. Rather than existing as a whole, even this core may be segmented.
For Detect, we implement controls and systems that monitor and enforce the layers outlined in the previous paragraph. This may be managed security services, SIEMs, logging and alerting, and any other means by which we monitor activity that traverses the layers. In this regard, it’s not just important to monitor the failures, which only show us our defences are working, but also the successes to validate that those are, in fact, legitimate access. Being able to detect is important, but so is the ability to take action and respond.
For Respond, we need a clearly defined plan in the form of actions and reactions for when we detect something and must counter it. Many organisations perform the Protect component well but are lacking when it comes to Detect and Respond, with too much emphasis on “Before” and not enough on “During and After”. Incident response is a critical piece of a Cybersecurity Strategy and must be in place for events both intentional and unintentional, ranging from restoring files to catastrophic natural disasters. Ultimately, post-incident, you return to the Prepare phase and ask yourselves “What have we learned?”, “What did we do well?”, and “What could we have done better?”
By asking questions… a lot of questions, and being prepared not to receive the answers you need. Begin simply by asking within your organisation what your current Cybersecurity Strategy is, what’s covered, when it was last reviewed and updated, and whether it has ever been put to the test. You should also be asking if there is anything you can improve and if there is anything not included that should be. The question “do we even need a strategy?” should never be asked; the answer is “Absolutely, yes, you do.”
Ask about the people, process, environment, and technology that make up your Cybersecurity Strategy. While everyone is responsible, there are key roles in governing the creation, review, implementation, and enforcement of the strategy. Ensure you know who they are, what their responsibilities are and, more importantly, that they know as well. Your process should be well defined, including policies and procedures, and able to evolve and adapt as needed. “That’s just the way we’ve always done things” no longer suffices.
The environment where you perform your work must be considered, including your offices, remote workers, cloud and hosting services, and any location from which your data and services are accessed. As a step further, the general area has to be considered such as infrastructure and susceptibility to natural disasters; Disaster Recovery / Business Continuity Planning (DR/BCP) is vital and will be dependent upon council, state / territory, and federal concerns. The technology enables the business, so understanding what you have, how it’s used, and where it is carries importance.
Many businesses include some level of strategy in their overall planning, but rarely is it dedicated to cybersecurity, nor does security stand alone in its own right. If this is your organisation, perhaps it’s time to bring your Cybersecurity Strategy out of the shadows and into the light.
Rather than a big-bang approach, implementing your Cybersecurity Strategy needs to be a gradual, phased-in undertaking. Divide your projects into a number of objectives and timelines; I suggest four: Immediate, Short-Term, Mid-Term, and Long-Term. All of these depend on the size and business objectives of your organisation, your resources, your budget, and your appetite for risk.
Interestingly enough, the longer the term, the more likely it is to contain a number of shorter-term objectives. For example, a mid-term project may consist of a few short-term projects and a larger number of immediate objectives. Also, some objectives may run in parallel while others run in series. For example, you may need to complete an immediate objective before beginning a longer-term project, while at the same time another project is taking place without those same dependencies. Think of implementing a new wireless controller before establishing a guest network while, in parallel, you’re working on the acceptable use policy for the wireless networks.
This is where planning your Cybersecurity Strategy is so crucial. Just be aware that along the way things are going to change. Be prepared to make changes, especially where mid- and long-term objectives are concerned.
A major pitfall is leaving your Cybersecurity Strategy completely in the hands of your IT department. Make no mistake; they are a critical component, but the business and leadership must determine the direction with the technology there to enable it. A company that conducts surveys and market research will have far different business objectives than a business that handles payments and international transactions. While the technology may be similar, the way it is used is vastly different because of the business. Always get the business stakeholders involved.
Budgeting and resourcing are another common pitfall, where inadequate or excessive allocations lead to systematic failures in developing and implementing a Cybersecurity Strategy. Often this is due to not understanding the objectives, trying to take on too many things at once, or incorrectly prioritising the pieces of the strategy. Planning is essential, and it is often an area where I would recommend engaging experts to assist.
On the topic of trying to do too much at once, you should already have an understanding of the priority of the elements that make up your strategy, so you should know what needs to be done right away and what can wait. The mid- to long-term objectives may contain several of the immediate and short-term objectives, so bear in mind the dependencies among each component and remember that, while it may not feel like you’re making progress on the longer-term objectives, they all add up towards accomplishing the end state.
Also watch out for single points of failure in your Cybersecurity Strategy. While you may think that this only applies to the technology, such as a single firewall, consider the people more carefully. Never place sole responsibility on an individual, but rather on a team that shares responsibility for a role. Imagine if the only person who is able to restore a system, or who has the authority to contact a domain registrar, is unavailable or leaves with all their knowledge. Getting back on your feet or managing an incident could range from a nuisance to a catastrophe costing millions of dollars. Backups also need to cover your teams.
We often emphasise that human error is an omnipresent ghost in any machine, but office politics and conflicting agendas often rear their ugly heads in any project that has critical importance to an organisation. It is crucial that the stakeholders have a common objective and can work through any differences, which is why we emphasise getting the right people involved. Emotional Intelligence is a term that comes to mind often, and it often supersedes technical skills (although those are very important as well). Be ready and willing to have the difficult conversations and back up important decisions with a business case, but also have viable options as a “plan B”. Everyone probably has a slightly different view of what the finished product looks like; it’s the soft skills that will make it look the same to everyone in the end.
Test, test, and re-test. Make sure that what you put in place works as required, and beyond proof-of-concept testing, every component of your Cybersecurity Strategy must work together. Testing should always be at least annual, and after any significant change to technology or people. Whether it’s social engineering testing for your users, penetration testing for your defences, or the ability to recover from a natural disaster by testing your DR/BCP plan, you need to know that when push comes to shove you’ll be resilient and able to evolve and adapt through lessons learned.
We’re always happy to help out… just let us know how we can assist! Implementing a Cybersecurity Strategy can be a long and trying journey, but one you must make and one we are willing to take with you.