Christian Ingram
In ‘Making business sense of cyber risk’, we looked at how to define and manage today’s complex cyber risks in a way that’s intelligible and actionable for your leadership. Building on this view of cyber risk management, this article looks at how to define and deliver a cyber security strategy capable of mitigating your most pressing threats, and establishing the right operating model and security program to deliver on your strategy.
Cyber security and operational resilience can be unfathomable for the uninitiated. So, if you could distil effective cyber security management down into one word, it would be ‘clarity’. You need to be able to cut through the noise to identify the threats that are most pressing to your business. You then need a clear, insight-driven strategy to mitigate them.
Lack of clarity could leave your business dangerously exposed to cyber attacks. Without a clear understanding of the threats and resulting risks you need to protect yourself against, you could also end up overengineering your cyber safeguards. The results could mean investing significant sums without achieving the risk reduction required to meet your risk and resilience goals.
That’s why a clear definition of the risks you face and how to combat them is so critical.
There are several elements to defining your cyber strategy.
The starting point is identifying and targeting the threats most relevant to your business. If you’re a major player in a global supply chain, for example, you could be the target for large scale supply chain disruption. If you’re responsible for running critical national infrastructure, you could in turn find yourself in the firing line for a state-sponsored attack.
You can’t eliminate cyber risks altogether, so it’s important to gauge not just how much risk you’re prepared to accept, but also where and when.
Cost isn’t the only criteria for setting your risk appetite. How would a breach affect your reputation? Operationally, how long can you afford to have your systems down if they’re compromised?
As resources are finite, it’s important to align levels of investment in cyber security with your risk appetite across the different dimensions of prevention, response and recovery. If your key priority is to reduce the likelihood of an attack from happening in the first place, then you may choose to prioritise investment in identifying and protecting against the risk you face. However, if you’re prepared to accept a higher risk of attack, or if you’re approaching diminishing returns of investing further in reducing likelihood, then the weight of investment should be focused on rapid detection, response and recovery to minimise the impact of attacks when they do occur.
Setting your cyber risk appetite is a fundamental question to be addressed and agreed with your leadership rather than your information security team in isolation. The outcomes impinge on business strategy in key areas such as digital innovation and how you use data, as well as affecting enterprise risk management and business continuity planning.
Building on an assessment of the threats you face and your appetite for the associated risks, you can begin to set defined objectives and measure progress against them.
Setting both risk and maturity targets will enable you to have risk-informed discussions as you progress, as well as being able to clearly report on the maturity of your capabilities to detect and respond to cyber attacks. This will help you demonstrate your level of cyber resilience to leadership, shareholders and regulators as required. Using industry recognized frameworks, such as the US National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF), can often help to demonstrate you’re aligning to good practice. This will also enable discussions on which capabilities will drive the most security benefit for you.
However, frameworks such as the NIST CSF may not be enough to measure progress on their own. Regulation is raising the bar for businesses holding large volumes of personal data, as well as those responsible for critical national infrastructure or operating in highly regulated industries such as financial services. Key requirements include the General Data Protection Regulation (GDPR) and the Network and Information Security directive (NIS2), along with the Digital Operational Resilience Act covering financial services specifically. In the US, developments such as the SEC rules on security incident disclosure mean that SEC-listed companies need to report on material cyber incidents within four days of them occurring. Achieving and demonstrating compliance with applicable regulations is likely to be the minimum target for detection, response and recovery capabilities.
With your objectives defined, the next step is to establish the right security operating model for your organization.
Responsibility for cyber security goes beyond IT. The starting point for delivering your cyber security strategy is therefore determining who does what. What does the ‘security team’ do versus the wider IT team and the rest of the business? For example, is it the security team’s responsibility to set policies and standards (for other functions to meet) and then provide governance and assurance? Or is their role to actually deliver cyber security capabilities?
It’s also important to clearly define the scope of coverage. Is your strategy focused on securing the full scope of business capabilities in your organization? What role does it play in managing third-parties, remote workers, operational technology (e.g. digital manufacturing equipment in factories) and Internet of Things devices? Where does the responsibility for business continuity planning sit? All these aspects need to play into the operating model considerations.
Working towards establishing a clear ‘three lines of defence’ model is often good practice.
Other key considerations include the extent to which information security can be centralized and whether there is room for tailoring by business unit or operating territory. Do you protect everything equally (‘raise all boats’), or is there room for risk-based tailoring by region or function?
Given the increased cyber risks and regulatory expectations, further considerations include the degree to which you have the capabilities – technology as well as scarce talent – to manage security in-house versus outsourcing to managed service providers.
As with any investment, cyber security strategies should be subject to cost-benefit analysis.
A clear risk assessment – of the residual impact and likelihood – will help to make sure that protection is prioritized and funds are directed where they can be most effective. In some cases, the costs of protection would outweigh the potential financial impact of an attack. In turn, more technology may not always be the most cost-effective option when compared to investment in training, awareness and preparations for incident response.
Delivery of your cyber strategy will inevitably result in the need to establish a project, program or portfolio of work depending on the scale of security improvements required to achieve your risk targets. You should not underestimate what it takes to successfully mobilize and deliver these programs, our health check can help you see if you're managing your organization's cyber risk effectively. Some cyber projects can also be disproportionately challenging to deliver due to their intersection with core IT systems, everyday business processes (e.g. logging-in to critical applications) and broad user impact such as Identity and Access Management (IDAM).
Cutting across the delivery of your cyber security strategy is the need for effective change management. Security projects involve far more than just delivering technology solutions. Moving towards maturity requires a shift in mindset from seeing cyber security as a technical IT problem to being part of everyone’s working life and a key foundation for business success, akin to health and safety.
The cyber threat landscape keeps evolving. So should your cyber security strategy.
As we highlighted in ‘Making business sense of cyber risk’, the key to keeping pace with evolving threats is a systematic approach to assessing the risks, evaluating progress in addressing them and communicating this to your leadership. Conveying the risks in an intelligible way will enable senior management to judge the trade-offs and prioritize actions and resources.
Ideally, each element of a prioritized cyber security portfolio will enhance program maturity and lead to a measurable reduction in risk. But all that counts can’t always be counted. First, maturity assessments aren’t an exact science. And secondly, while some projects will lay the foundations for improvement, it will take a further combination of people, technology, data and governance capabilities to deliver the desired uplift and outcomes.
The purpose of the cyber security strategy is to outpace the constantly shifting threats. So it’s important to develop a pragmatic approach to governance that maintains rigour whilst allowing you to reprioritize and respond to emerging risks.
We’re working with businesses across all sectors to help them make sense of the cyber risks they face and strengthen security and resilience. Talk to us if you’d like to know more.
Share: