Inside Cyber, Edition 1, March 2017
What does a good cyber strategy look like?
A good cyber security strategy not only sets out an organisation's commitment to delivering effective cyber security, but how it is going to deliver it. However, whilst a security programme plan forms part of the strategy, it is not the only component: having a plan is not the same as having a strategy.

If the programme plan is your railway timetable, your strategy tells you where you're trying to get to, and the direction of travel you'll take to get there. Most importantly, it tells you "why". A good cyber strategy makes a clear link from business objectives through to a cyber plan, via a series of logical, interconnected steps.
Defining any kind of strategy can be challenging for an organisation, and cyber security is no different. It can be particularly challenging for cyber security subject matter experts to step away from the comforting detail of their day job sufficiently to take the "big-enough-picture" view required to form a strategy.
A strategy can take many different forms, but the most successful strategies will often consist of some key components. Firstly, it should set out its cyber security vision. This should articulate the "end state" for cyber security within the organisation, and flow naturally into a series of strategic objectives which break the end vision into more digestible milestones.
Security is often seen as a blocker in organisations, and so the vision and objectives should focus as much on communicating how security can be an enabler as on how it enables better risk management.
Defining the vision and objectives often means taking inputs from four key sources of influence:

Business strategy: analyse the business' strategic objectives and understand how cyber security can enable them, and what support business leaders will need to deliver.

Business risk: look both at the current risk appetite and at how cyber security is likely to modify the risk map, and ask what that will mean for cyber risk.

External forces: what are the disruptive forces acting on the business from outside, what do they mean for cyber security and, more importantly, how can cyber security enable the business to react to those forces?

Regulation: what are the "must do's" in your business, and how is that likely to evolve?

With all of these potential sources of influence, how many objectives should you have? There's no "right" answer, but we would probe into any strategy with more than five or six. Are they high-level enough? Do they really prioritise the things which are most important to your business?

A good objective might say "Cyber security risk will be a business accountability, and we will engage with business stakeholders to enable them to manage their risk…". This isn't the place to define which standard you'll use to build your risk framework, or which person will help them to use it!

Many organisations also struggle to make the bridge from strategy to execution, so if you are struggling to distil down to that number of strategic objectives, consider adding a subordinate layer of enabling objectives which can be more targeted and can help you make the leap from objectives to a plan of action to deliver them.

In order to deliver your strategy effectively, whoever is responsible for it needs to be appropriately empowered. In our Global State of Information Security Survey 2016 we found that 54% of respondents had a CISO in charge of their security programme. One way to ensure that the CISO is able to effectively discharge their responsibilities is to use a CISO mandate and charter. The CISO mandate sets out the authority of the CISO with respect to cyber security and delivering the strategy. The charter itself will ensure the accountability of the CISO, and give the board and other leaders the ability to hold the CISO to account for delivering the strategy. Many organisations also tackle this by setting themselves objectives around how the security function will integrate with its business stakeholders (which naturally leads on to the question of target operating model, which will be the focus of a future article in this blog).

Ultimately, a cyber security strategy needs to be tailored to suit the organisation in question. Whilst there is no "one size fits all" or silver bullet approach, there are certainly some key steps that all organisations can take to ensure that their strategy is as effective as possible. Formulate your cyber security vision and objectives based on your overarching information risk appetite and business goals. This way not only will your information risks be addressed in a coordinated manner, it will be done in a way which engages the rest of the business and helps achieve the wider business strategy.
34<br />