How to create a transformational cybersecurity strategy: 3 paths

Enterprises must build a security strategy that is aligned with business needs.


Enterprise cybersecurity teams are in the midst of an intensifying storm: Technology challenges are growing more complex, and the speed of business continues to increase along with the number of cyber threats companies are facing, Andrew Rose, chief security officer of Vocalink, said in a Thursday session at RSA 2019.

"Security is being put under immense pressure to keep up, and if it doesn't, we're the ones to blame," Rose said. "We need to keep up or we just get left out."

We are also in the midst of the age of the customer, wherein customers care more about privacy and security than ever before--and if they aren't happy with a company, they walk away, Jinan Budge, principal analyst at Forrester Research, said in the session.


However, this all opens up new opportunities as well as challenges when it comes to creating a transformative cybersecurity strategy, Budge said.

"There's a fine line between the deeply technical, scientific part of cybersecurity, and the people part, which we spend less time talking about--the stuff that actually enables a sustainable transformation," Budge said. "We've seen how one without the other can fail."

A good strategy moves security from an IT issue to one of customer trust, Budge said. It also moves security from a technically-focused discipline to a holistic one, and gives business the freedom to achieve its digital aspirations, rather than acting as a blocking agent, she added.

Bad cybersecurity strategies are those that cause companies to miss the breaches they experience, that invest in the wrong areas, that require teams to spend their time responding tactically, and that struggle to attract and retain talent, Budge said.

No one silver bullet exists for creating a cybersecurity strategy; each is dependent upon the size of the organization, its cybersecurity maturity, and the level of support in the organization, Budge said.

Here are three different paths that enterprises can take in creating a cybersecurity strategy.

1. A quick tech roadmap

A quick tech roadmap includes the following:

  • List of key initiatives and projects to be completed
  • Serves to achieve compliance
  • Technically-focused
  • Clear timeline

The benefits to this strategy include the fact that it is quick to put together, and can involve a one-year plan. It's also comfortable for the CISO and security team to build. However, challenges include the fact that it is insular, and doesn't consider culture, or business or customer stakeholders. It also does not get the buy-in required for sustainable change.

"The quick tech roadmap is quick to put together, and you believe in it because you wrote it independently," Rose said. "But it's difficult to get the business engaged in it, because they haven't been part of creating it, and don't see themselves reflected in it." However, this option is still better than having nothing at all, he added.


2. Risk-aligned strategy

A risk-aligned strategy involves:

  • Supports your business strategy
  • Clear vision of gaps and risks
  • Defined benefits realization
  • Clear roadmap and timeline
  • Considers the business risks at its heart
  • Considers the threat landscape
  • Focuses on protecting your organization's crown jewels

This strategy drives a competitive spirit between business units, as well as control maturity. It also offers strong visuals and metrics to demonstrate risk reduction, making it a transformative option. Challenges involved with this strategy include the fact that it is driven by IT rather than business goals, and needs the business unit engaged to collate data.

"This requires more engagement from business leaders and more time and effort from your team to pull together," Rose said. "But it has benefits of great metrics associated with it--it enables you to discuss with the board and show real progress on where strategy is going." However, it is still largely IT-focused, and not a complete vision, he added.

3. Stakeholder-focused

A stakeholder-focused strategy involves:

  • A business document
  • Endorsed by boards and executives
  • Extends to all stakeholder groups including customers, partners, and citizens
  • Future-looking and transformative

This strategy requires significant buy-in, and allows you to embed security into all aspects of your business, making it a transformative option. Challenges include its high cost, significant change management skills, and the fact that it is outside the comfort zone of many CISOs.

"Some of the benefits are quite phenomenal," Budge said. "When you do take everybody on the journey with you to create a strategy, everyone has an input. It's likely that you'll have the support of everybody through the creation of the strategy, but also through execution." However, it does take significantly more time and effort to accomplish, she added.

Next steps for CISOs in creating a cybersecurity strategy

CISOs should follow these steps over the coming months to create the right transformative cybersecurity strategy for them, Rose said:

  • Next week
    - Decide what your strategy path is. There is no shame in any of them--the important thing is just getting started and creating documentation for one, Rose said.
    - Identify influential key stakeholders, and how they can be part of your strategy and transformation.

  • Next three months
    - Define your strategy mission statement.
    - Be clear on your security program priorities.

  • Next six months
    - Build a right-sized, risk-based, business-aligned cybersecurity strategy document.
    - Share your strategy with your key stakeholders.
