The events of 2020 have caused organizations to consider how their business models may need to adapt to the “new normal”. These changes, coupled with rapidly evolving security threats, are leading organizations to reevaluate whether their cybersecurity strategies can support their needs while being grounded in principles. We have seen several of our clients struggle to implement a cybersecurity strategy and the underlying tools that help to operationalize that strategy. In this post, we want to draw on their lessons learned and share some of the foundational elements that have helped our clients compose an effective cybersecurity strategy.
A cybersecurity strategy should lay out a single, coherent method for identifying what the organization needs to protect, how they assess threats and risks, and how they protect their assets. This strategy may sit on top of the tools that you use to identify risks and plan for security investments – for example, your annual or periodic risk management processes, audits, and other tactical measures that help you implement your strategy.
Determine What You Need to Protect and Why
The first element of a sound cybersecurity strategy is a thorough understanding of what needs to be protected. This may sound trivial, however, careful thought should be given to all of the drivers of your data protection needs. Security needs are typically driven by one of two considerations:
- Regulatory and Legal Requirements. This may vary by industry or geography. For example, healthcare organizations and covered entities may be exposed to risks under the Health Insurance Accountability and Portability Act (HIPAA). However, organizations in all industries may have requirements under the General Data Protection Regulation (GDPR) if they offer products or services to residents of the European Union. Regulations, like the GDPR, with extraterritorial scope require organizations to perform a thorough analysis of requirements that may not seem to apply at first glance.
- Business Objectives. Developing a cybersecurity strategy is not an “IT exercise”. Technology and the supporting security measures should align with the business objectives. These objectives include the current business model and planned changes. A common way to prioritize what must be protected first could be the ways in which the organization generates revenue – i.e., what would have the greatest financial impact if a threat were to be realized? Known future changes may also help determine what should be a priority today or several months from now, so that proactive measures can be taken.
Both of these drivers create a pressing need for business stakeholder involvement when developing a cybersecurity strategy. Business unit leaders can provide unique insight into current initiatives to expand into new geographies, planned changes to the business model, and acceptable risk tolerances and thresholds. A well-defined strategy should then define how the security team will identify what needs to be protected, which will help determine in-scope threats that must be mitigated.
Understand Your Threats
After identifying what needs to be protected based on legal requirements or business objectives, organizations can enumerate the threats that operate in those spaces. Organizations should also be careful not to overlook security threats that exist regardless of industry, size, or other factors. Case in point: ransomware continues to impact organizations regardless of size and industry, given the strictly financial incentive for a malicious actor. Coming up with a threat or risk universe for your environment can involve playing out different scenarios including potential threat actors (intentional and un-intentional/internal), regulatory non-compliance, known weaknesses and vulnerabilities, technology limitations, etc.
The cybersecurity strategy should lay out the process that the organization follows to identify threats. This may include regular risk assessments, security planning with stakeholders, and other security and privacy-related audits. Integrating your regular assessment processes with your larger strategic objectives is critical, including privacy impact assessments or data protection impact assessments (PIAs and DPIAs). These tools may identify changes to your needs in real time and help you address them as quickly as possible.
Create a Strategic Plan
Although a strategy is often interpreted as a high-level view of a problem, every strategy needs a complementary tactical plan. Creating this “strategic plan” is the method by which you solve the problems that you have identified when reviewing your security requirements and threats. The most common way to do this is to identify a framework that allows you to align your objectives with a commonly accepted approach for achieving those objectives. For example, adopting a framework such as NIST 800-53 will prescribe a set of controls that you can tailor to meet your needs. The controls identified in the NIST framework also provide options for different levels of maturity. This will help tailor the controls to your current practices while providing a target for higher levels of maturity.
As with other strategic efforts, selecting and tailoring controls should not be done in a vacuum. Security teams should make an effort to strike a balance between the benefits a control provides and the impact on stakeholders (customers, employees, etc.). A risk mitigated by particularly burdensome controls may have the benefits outweighed by losses to productivity.
Conclusion
As organizations reflect on 2020 and plan for the coming year, there has never been a bigger need for ensuring that you have a strategic view of cybersecurity and risk management. Organizations must have a cohesive set of processes and tools for planning for, assessing, and mitigating risks. Defining a cybersecurity strategy will help organizations lay out their approach for addressing cybersecurity risk. While ad hoc risk management efforts can solve these problems, creating a strategy will establish a consensus around how you identify your data protection needs, the resulting threats, and the methods by which you address those threats. While a strategy can mean different things to different organizations, defining these core elements will ensure a consistent approach to addressing rapidly evolving cybersecurity threats.
Interested in talking more about cybersecurity? Get in touch with us.