Cyber Security Strategy

jacdvdt
4 min read · Feb 11, 2020


The majority of businesses aren’t fixing breaches and stopping cyberattacks fast enough to minimise their impact. This is despite record spending on security products and services.

Why is that? In my experience, it’s because businesses don’t have a cybersecurity strategy, with an associated actionable roadmap or plan, that is appropriate and relevant to their particular business.

Yes, it’s easy to google “security strategy”, spend some time adapting and changing someone else’s and present it as fit for your business. The business embarks on a cyber transformation programme only to spend large amounts of money on products and services that are either not necessary, not applicable or not relevant — your budget frittered away on technologies that white papers sing the praises of, but what you bought doesn’t fit your needs and isn’t as effective as it should be.

What is necessary and works for one industry or one business doesn’t necessarily work for and apply to another — simply spending on a certain technology or implementing certain controls, because a competitor is doing it, is not going to work for your business in the long run.

If you are the sole arbiter or a key decision-maker regarding your business’s cybersecurity strategy and spending, then it is imperative that your money is spent on products and services according to a strategy, roadmap and plan developed for and relevant to your particular business.

How do you develop and implement a business-relevant cybersecurity strategy?

To develop and implement a business-relevant cybersecurity strategy, you start by identifying all the inputs that will inform the development of your strategy: the business culture, its goals and appetite for risk, the regulatory standards that apply or could apply to your business, the cybersecurity landscape, all relevant national and international cybersecurity standards, frameworks and control sets, and your existing policies and procedures, which will need to be reviewed. Essentially, you must ensure that every authoritative document (regulations, acts, etc.) and normative document (standards, frameworks, best practices, etc.) that will influence your cybersecurity strategy going forward is identified.

Once identified, the inputs need to be reviewed. The review will help you determine what is applicable and relevant to your business, and help you avoid taking on every generic industry or best practice wholesale. This is probably the most important part of developing your cybersecurity strategy. All the inputs that are relevant to your business should then be consolidated into an assessment framework for your business, which will also help you determine the desired future state of your business’s cybersecurity landscape. You do this by taking control sets, audit frameworks and assessment tools that help your business gauge whether it is meeting the standards you have prescribed for yourselves.

You don’t need to include everything. You might find, for example, that the Cyber Essentials framework does not have enough controls around the physical security of your premises; you might therefore want to bring in other controls or assessment questions from other frameworks, such as the NIST Cyber Security Framework or the ISO27000 series. Through this reviewing and consolidating exercise, your business should end up with a set of questions or controls that enables you to assess whether it is meeting its regulatory requirements and the requirements that management, suppliers and customers have set for you.

You are now in a position to assess your business’s security posture and maturity against the framework that you have devised and determine the current state of your business’s security landscape. You are able to conduct a gap analysis against the current and desired future states to identify opportunities for improvement and find potential remediation activities that, together, will inform your security strategy and roadmap. Using this gap analysis, you can also put both qualitative and quantitative metrics in place, which will enable you to describe your security maturity. As you implement your strategy and roadmap, improvements in your KPIs demonstrate that your business’s security maturity is improving.

A thorough assessment of your business’s cybersecurity posture and maturity together with a gap analysis of the current and desired future states will enable you to define a comprehensive cybersecurity strategy that is appropriate for, and relevant to, your business. You will be able to evaluate and prioritise requirements to produce a comprehensive cybersecurity and transformation roadmap — an actionable plan, aligned to business objectives, containing relevant strategies, technology initiatives and security maturity improvement plans.
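The consolidate-assess-gap-analyse-measure steps above can be made concrete as a small script. This is an added example, not code from the article or its author: the control IDs, domains and maturity scores are constructed sample data (loosely modelled on Cyber Essentials, NIST CSF and ISO 27001 numbering), the 0-5 maturity scale and the weights are assumptions, and `applies` records the outcome of the relevance review.

```python
"""Gap analysis and maturity KPI over a consolidated control set (added example)."""
from dataclasses import dataclass


@dataclass
class Control:
    cid: str         # constructed sample identifier, not an official control number
    source: str      # framework the control was consolidated from
    domain: str      # assessment area the control covers
    applies: bool    # False = reviewed and judged not relevant to this business
    current: int     # assessed maturity of the current state, 0-5 (assumed scale)
    target: int      # desired future state, 0-5
    weight: int = 1  # business / regulatory importance (assumed)


CONTROLS = [  # constructed sample data for one business
    Control("CE-1", "Cyber Essentials", "boundary firewalls", True, 3, 4),
    Control("CE-2", "Cyber Essentials", "patch management", True, 1, 4, weight=3),
    Control("NIST-PR.AC-2", "NIST CSF", "physical access", True, 0, 3, weight=2),
    Control("ISO-A.11.1", "ISO 27001", "physical security", True, 1, 3),
    Control("ISO-A.14.2", "ISO 27001", "secure development", False, 0, 4),
]


def gap_analysis(controls):
    """Applicable controls that miss their target, highest priority first.

    Priority = gap size * weight, so a heavily weighted control with a modest gap
    can outrank a lightly weighted control with a larger one. Each entry is
    (control id, domain, gap, priority)."""
    gaps = [(c.cid, c.domain, c.target - c.current, (c.target - c.current) * c.weight)
            for c in controls if c.applies and c.current < c.target]
    return sorted(gaps, key=lambda g: (-g[3], g[0]))


def maturity_kpi(controls):
    """Quantitative KPI: weighted percentage of target maturity already achieved.

    Controls judged not applicable are excluded so they neither inflate nor
    depress the score; re-running this after each roadmap milestone shows the trend."""
    scope = [c for c in controls if c.applies]
    achieved = sum(min(c.current, c.target) * c.weight for c in scope)
    wanted = sum(c.target * c.weight for c in scope)
    return round(100 * achieved / wanted, 1) if wanted else 100.0


def domain_coverage(controls):
    """Number of applicable controls per domain, to spot thinly covered areas
    (the article's example: too few physical-security controls in one framework)."""
    coverage = {}
    for c in controls:
        if c.applies:
            coverage[c.domain] = coverage.get(c.domain, 0) + 1
    return coverage
```

With the sample data, patch management tops the gap list despite physical access having the same raw gap, and the KPI starts at 28% of weighted target maturity.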

Most businesses struggle to get this right, and the constantly changing cybersecurity landscape doesn’t make it any easier. The fact is that more and more businesses are trading online and extending their security perimeter, becoming more exposed to threats every day.

Take the first step: assess your business’s security posture and maturity, and determine whether your strategies, roadmaps and plans are really relevant to your business. You don’t have to go it alone. There are many skilled cybersecurity professionals who can help you either develop this capability in-house or provide expert consultancy on a one-off or longer-term basis, supporting your business as it develops its cybersecurity strategy and taking away the worry.


I write about what I am interested in learning more of. I publish so that hopefully others will be able to learn more about the topic.