Setting your cyber security strategy up for success: three key insights from the frontline

Many organisations take a whack-a-mole approach to cyber security, with leaders bouncing from one security incident to the next without ever getting ahead of threats. Too often they focus disproportionately on cyber incident response activities: developing detailed response plans, setting up Security Information and Event Management (SIEM) systems, or establishing a Security Operations Centre (SOC), rather than trying to prevent incidents from occurring in the first place. An unplanned approach to cyber security exposes organisations to operational disruption, financial loss, reputational damage, intellectual property theft and regulatory risk.

To make the move from a reactive to a proactive mindset, the first step is to develop a cyber security strategy. A cyber security strategy is a high-level plan which outlines how an organisation will proactively secure its systems and data while minimising risk across the security landscape over time. It provides a defensible prioritisation model and a basis for budgeting the cyber security programme that implements it.

Effective strategies give organisations the structure they need to be prepared in the event of a cyber attack. By reducing confusion and uncertainty, they let organisations focus on improving prevention, detection and response measures instead of reacting to incidents as they happen. Once implemented, an effective cyber strategy reduces the likelihood of incidents taking place and can make the difference between a minor incident and a major one.

Each organisation has unique risks and requirements, so it is important to tailor the strategy to its specific context rather than taking a generic approach. Additionally, while many cyber security strategies adopt a three-to-five-year vision, monitoring the strategy to assess progress and revising it frequently (in the current landscape, at least yearly) will help guide stakeholders and inform decision making as your organisation, and the threats it faces, evolve.

Key elements 

So, how should an organisation set its cyber security strategy up for success? There are three key elements that leaders should consider in developing and implementing a cyber security strategy:

  1. A focus on business outcomes

  2. Encouraging leadership buy-in

  3. Fostering a security culture

A focus on business outcomes 

Cyber security plays a critical role in determining the success of an organisational strategy. However, a gap can arise when business leaders view cyber security as an isolated technical function rather than a strategic concern.

How often do you see the person responsible for cyber security reporting directly to the CEO? How many leadership or board meetings have a standing item on the reputational, operational and strategic risk posed by cyber threats? When leaders don’t link cyber security goals with business outcomes, they put the long-term resilience and success of their organisation at risk.

To shift the dial, technology leaders need to take time to understand their organisation’s strategic priorities and articulate clear linkages between cyber security and business goals. Outcomes positively impacted by cyber security activities include customer experience, leading to customer loyalty; risk management, by reducing exposure; governance and compliance, by aligning with regulatory requirements; and operational resilience, by minimising disruption and ensuring business continuity.

For example, an organisation might have a strategic imperative around digital transformation to stay ahead of rival organisations or meet customer expectations. By establishing clearly how cyber security efforts will protect new technologies, enable data transformation and enhance the customer experience, technology leaders help the leadership team recognise the contribution of cyber security to specific strategic objectives.

When boards and the C-suite understand the interconnectedness of cyber security and business outcomes, they will be more compelled to support the development of a cyber security strategy and approve investment in cyber security initiatives.

Encouraging leadership buy-in

If a successful cyber security strategy relies on support from senior leadership and boards, how can IT leaders go about securing their commitment? Board members and executive leadership teams may not have the expertise to understand the threat and the opportunity posed by technology. Conversely, IT leaders often talk in technical terms and struggle to demonstrate the business impact of security risks. As a result, cyber security can fly under the radar, only being discussed when a serious breach occurs. So how should leaders engage and communicate with decision makers so that they get on board with a strategic and proactive approach to cyber security?

Clear communication, education and reporting structures are key. Here are some practical steps that organisations can take to help bridge the divide:

  • Identify cyber champions within the organisation. Engage board members and senior leaders who have experience of, or an interest in, cyber security.

  • Establish clear reporting lines by encouraging the appointment of a CISO or equivalent who is responsible for the cyber security strategy and reports directly to the CEO.

  • Regularly update governance bodies and top leadership on progress against the cyber security strategy.

  • Provide meaningful updates and metrics that leadership can relate to, e.g. incidents and mitigation efforts, cyber risks impacting the organisation, and financial information on the cost of data breaches.

  • Use business language and terms that senior stakeholders will understand. Avoid overly technical terms and stick to key cyber security concepts.

Once communication and reporting lines are open, senior leaders gain confidence in their understanding of the cyber security threat landscape. IT leaders, management and boards can communicate more effectively around cyber risk, and the organisation is better placed to approach cyber security in a proactive and strategic way.

Once the cyber security strategy has been approved for implementation, IT leaders can provide regular progress updates to senior leaders, including how the strategy is contributing to the organisation’s overall goals. This gives leadership oversight of how cyber security budgets are being spent and the return on those investments.

Fostering a security culture 

As both the main target of attackers and a key asset in cyber security, employees are critical to the success of any cyber security strategy. So, how can organisations weave a strong security-conscious culture into their fabric?

As with any effective strategy, it starts with a commitment from the top. Senior leaders and executives are pivotal in sending a clear message to employees that cyber security is everyone’s responsibility. They play an active role in modelling positive security behaviour, following procedures themselves and mobilising employees to do the same. Their commitment ensures that cyber security receives adequate focus and that accountability cascades throughout the organisation.

To support the successful implementation of a cyber security strategy, here are some practical steps that leaders can take to enable a strong cyber security culture:

  • Designate a culture change owner who is responsible for driving change by communicating effectively and championing the initiatives that support the cyber security strategy.

  • Set expectations for employees in terms of cyber security reporting, compliance and awareness. Build these objectives into staff performance measurements to drive change.

  • Share security updates, policies and best practices with employees. Start meetings with relatable stories about recent hacks or data breaches to reinforce the importance of security to your organisation.

  • Communicate swiftly in the event of a breach to highlight the importance of effective crisis management.

  • Implement and attend employee training programmes, tailoring them to specific groups and levels of capability. Delivery should combine different modes, including phishing simulations, in-person education and computer-based training, to keep employees engaged and invested in the learning process.

As the threat landscape evolves, leaders must continuously learn and adapt their approaches. Their ongoing commitment to security awareness, communication, evaluation and training will be critical to developing a security-conscious culture in support of their cyber strategy.

Making it happen

Many organisations take a reactive approach to cyber security, but a lack of preparedness raises their risk profile. Elevating security to a strategic level gives organisations a better chance of staying ahead of the evolving threat landscape. By articulating the contribution of cyber security to business strategy, opening up communication channels with decision makers to secure their commitment, and enabling a strong security culture, leaders can set their cyber security strategy up for success and build a more resilient, security-conscious organisation.
