Cybersecurity Strategy and why your Organization should have one

As business, technology and cybersecurity threat landscapes rapidly evolve, it is becoming more and more important for businesses to have a well-thought-through cybersecurity strategy to help prioritize their activities, focus finite resources, achieve financial discipline on cyber spend and anticipate cyber attacks.

Your cybersecurity strategy:

  • Is key to the effective use of finite organizational resources
  • Should articulate your organization's cybersecurity focus areas, core cyber capabilities and desired future state
  • Should focus on the unique combination of your organization's cyber threat profile, cyber capabilities, people, size and industry
  • Should align with and enable your business to create value
  • Should not be a one-off activity, but should adapt to changes in the business, threat landscape, market positioning, etc.

What is Cybersecurity Strategy?

I define cybersecurity strategy as a coordinated set of cyber activities designed to enable a business, improve its cybersecurity posture and bolster its resilience in the face of evolving market, technology and threat landscapes. The strategy should be unique to the organization's particular cyber capabilities, budget, workforce and industry positioning. It should speak as much to what an organization will not do as to what it will do from a cybersecurity perspective, e.g. build vs. buy, outsource, etc. Lastly, a cybersecurity strategy should set the organization's cybersecurity objectives and priorities.

An effective cybersecurity strategy should be based on an organization's unique threat profile, its critical and high-value assets and data, and other risk factors. A cyber threat profile quickly articulates the threat types, threat actors and organizational risk that matter to you. The strategy should not be a technical document; it should address how the organization aims to use technology to securely enable business functions, increase productivity and reduce costs.

Why should you invest the time in developing a cybersecurity strategy?

A cybersecurity strategy, like a business strategy, is the key document that guides an organization's cyber decision making, focuses its finite resources, prioritizes cyber objectives and tracks cyber performance against those objectives. The fact is that every organization is executing a cybersecurity strategy, consciously or unconsciously. Organizations with mature cybersecurity programs have this strategy clearly articulated and documented, while those at a lower level of maturity operate in a more ad hoc fashion. Key things to address in a cybersecurity strategy:

  • Governance & Management
  • Budget
  • Personnel (Recruiting & Retention)
  • Technology
  • Cybersecurity capability development
  • Threat Profile
  • Culture

Who should be involved in crafting your Cybersecurity Strategy?

At a minimum, organizations should include the following stakeholders to help shape a comprehensive cybersecurity strategy:

  • Senior leaders
  • Finance
  • Business unit leads
  • Human Resources (HR)
  • Physical Security

How your cybersecurity strategy should evolve

The last few months have reminded us all that change is the only constant in life and business. As organizations continue to grapple with shifting priorities, evolving technologies and more sophisticated adversaries, there is a heightened need for each organization to keep its finite cyber resources focused on its strategic objectives. To manage change effectively in the cybersecurity context, an organization should:

  • Understand what assets are critical to its business mission and how those asset classes are evolving
  • Ensure cyber leaders are kept informed of changing business realities
  • Understand its unique threat actors and follow threat actor evolution by monitoring threat sources
  • Understand evolving threat actor Tactics, Techniques and Procedures (TTPs)
  • Anticipate how major shifts in technology use will affect how it secures its assets and people