Dave Machin
In ‘Making business sense of cyber risk’, we looked at how to define and manage today’s complex cyber risks in a way that’s intelligible and actionable for your leadership. Building on that view of cyber risk management, this article looks at how to define and deliver a cyber security strategy capable of mitigating your most pressing threats, and how to establish the right operating model and security programme to deliver on it.
Cyber security and operational resilience can be unfathomable for the uninitiated, so if you had to distil effective cyber security management down into one word, it would be ‘clarity’. You need to be able to cut through the noise to identify the threats that are most pressing to your business. You then need a clear, insight-driven strategy to mitigate them.
Lack of clarity can leave your business dangerously exposed to cyber attacks. Without a clear understanding of the threats and resulting risks you need to protect yourself against, you could also end up overengineering your cyber safeguards. The result can be investing significant sums without achieving the risk reduction required to meet your risk and resilience goals.
That’s why a clear definition of the risks you face and how to combat them is so critical.
There are several elements to defining your cyber strategy.
The starting point is identifying and targeting the threats most relevant to your business. If you’re a major player in a global supply chain, for example, you could be the target for large-scale supply chain disruption. If you’re responsible for running critical national infrastructure, you could find yourself in the firing line for a state-sponsored attack.
You can’t eliminate cyber risk altogether, so it’s important to gauge not just how much risk you’re prepared to accept, but also where and when.
Cost isn’t the only criterion for setting your risk appetite. How would a breach affect your reputation? Operationally, how long can you afford to have your systems down if they’re compromised?
As resources are finite, it’s important to align levels of investment in cyber security with your risk appetite across the different dimensions of prevention, response and recovery. If your key priority is to reduce the likelihood of an attack from happening in the first place, then you may choose to prioritise investment in identifying and protecting against the risk you face. However, if you’re prepared to accept a higher risk of attack, or if you’re approaching diminishing returns of investing further in reducing likelihood, then the weight of investment should be focused on rapid detection, response and recovery to minimise the impact of attacks when they do occur.
Setting your cyber risk appetite is a fundamental question to be addressed and agreed with your leadership rather than your information security team in isolation. The outcomes impinge on business strategy in key areas such as digital innovation and how you use data, as well as affecting enterprise risk management and business continuity planning.
Building on an assessment of the threats you face and your appetite for the associated risks, you can begin to set defined objectives and measure progress against them.
Setting both risk and maturity targets will enable you to have risk-informed discussions as you progress, as well as to report clearly on the maturity of your capabilities to detect and respond to cyber attacks. This will help you demonstrate your level of cyber resilience to leadership, shareholders and regulators as required. Using industry-recognised frameworks, such as the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), can often help to demonstrate that you’re aligning to good practice. This will also enable discussions on which capabilities will drive the most security benefit for you.
However, frameworks such as the NIST CSF may not be enough to measure progress on their own. Regulation is raising the bar for businesses holding large volumes of personal data, as well as those responsible for critical national infrastructure or operating in highly regulated industries such as financial services. Key requirements include the General Data Protection Regulation (GDPR) and the Network and Information Security directive (NIS2), along with the Digital Operational Resilience Act (DORA) covering financial services specifically. In the US, the SEC rules on cyber security incident disclosure mean that SEC-listed companies must disclose a material cyber incident within four business days of determining that it is material (the clock starts at the materiality determination, not at the moment the incident occurs). Achieving and demonstrating compliance with applicable regulations is likely to be the minimum target for detection, response and recovery capabilities.
With your objectives defined, the next step is to establish the right security operating model for your organisation.
Responsibility for cyber security goes beyond IT. The starting point for delivering your cyber security strategy is therefore determining who does what. What does the ‘security team’ do versus the wider IT team and the rest of the business? For example, is it the security team’s responsibility to set policies and standards (for other functions to meet) and then provide governance and assurance? Or is their role to actually deliver cyber security capabilities?
It’s also important to clearly define the scope of coverage. Is your strategy focused on securing the full scope of business capabilities in your organisation? What role does it play in managing third parties, remote workers, operational technology (e.g. digital manufacturing equipment in factories) and Internet of Things devices? Where does the responsibility for business continuity planning sit? All these aspects need to play into the operating model considerations.
Working towards a clear ‘three lines of defence’ model is often good practice: operational management owns and manages the risk, a risk and compliance function sets policy and oversees it, and internal audit provides independent assurance.
Other key considerations include the extent to which information security can be centralised and whether there is room for tailoring by business unit or operating territory. Do you protect everything equally (‘raise all boats’), or is there room for risk-based tailoring by region or function?
Given the increased cyber risks and regulatory expectations, further considerations include the degree to which you have the capabilities – technology as well as scarce talent – to manage security in-house versus outsourcing to managed service providers.
As with any investment, cyber security strategies should be subject to cost-benefit analysis.
A clear risk assessment – of the residual impact and likelihood once existing controls are taken into account – will help to make sure that protection is prioritised and funds are directed where they can be most effective. In some cases, the cost of protection would outweigh the potential financial impact of an attack. Equally, more technology may not always be the most cost-effective option when compared to investment in training, awareness and preparations for incident response.
Delivery of your cyber strategy will inevitably result in the need to establish a project, programme or portfolio of work, depending on the scale of security improvements required to achieve your risk targets. You should not underestimate what it takes to successfully mobilise and deliver these programmes; our health check can help you see if you’re managing your organisation’s cyber risk effectively. Some cyber projects can also be disproportionately challenging to deliver because of their intersection with core IT systems, everyday business processes (e.g. logging in to critical applications) and broad user impact, Identity and Access Management (IDAM) being a prime example.
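As an added worked example (not from the article), here is one way to put the risk appetite discussion above and this cost-benefit step into numbers, using annualised loss expectancy (ALE = single-loss impact × annual likelihood). The ransomware scenario, the control names, their costs and their effect factors are all constructed, hypothetical figures chosen to illustrate the point that a control can cost more than the risk it removes:

```python
from dataclasses import dataclass

# Constructed illustration: every figure below is hypothetical, not data from the article.


@dataclass(frozen=True)
class Scenario:
    name: str
    impact: float       # single loss expectancy, in currency units
    likelihood: float   # expected occurrences per year

    def ale(self) -> float:
        """Annualised loss expectancy: impact x annual rate of occurrence."""
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0   # multiplier on likelihood (1.0 = no effect)
    impact_factor: float = 1.0       # multiplier on impact (1.0 = no effect)


def residual(scenario: Scenario, controls) -> Scenario:
    """Apply controls and return the residual scenario.

    Simplifying assumption: factors combine multiplicatively, i.e. the controls
    act independently. Real controls overlap, so treat a stacked result as an
    optimistic estimate of the reduction.
    """
    impact, likelihood = scenario.impact, scenario.likelihood
    for c in controls:
        impact *= c.impact_factor
        likelihood *= c.likelihood_factor
    return Scenario(scenario.name, impact, likelihood)


def net_benefit(scenario: Scenario, controls) -> float:
    """Risk removed per year minus what the controls cost per year."""
    reduction = scenario.ale() - residual(scenario, controls).ale()
    return reduction - sum(c.annual_cost for c in controls)


def prioritise(scenario: Scenario, controls, appetite: float):
    """Rank individual controls by net benefit, best first.

    Returns (name, residual ALE, net benefit, within appetite) tuples. A negative
    net benefit means the control costs more than the risk it removes, which is
    the case the article warns about.
    """
    rows = []
    for c in controls:
        res = residual(scenario, [c]).ale()
        rows.append((c.name, res, net_benefit(scenario, [c]), res <= appetite))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


# Constructed scenario: ransomware taking the ERP platform offline.
RANSOMWARE = Scenario("Ransomware on ERP", impact=2_000_000, likelihood=0.2)  # inherent ALE 400,000

# Constructed candidate controls with hypothetical costs and effects.
CONTROLS = [
    Control("Tested offline backups and recovery runbook", 60_000, impact_factor=0.25),
    Control("Phishing-resistant MFA on remote access", 80_000, likelihood_factor=0.5),
    Control("24x7 managed detection and response", 350_000, likelihood_factor=0.8, impact_factor=0.5),
    Control("Staff awareness programme", 20_000, likelihood_factor=0.8),
]

APPETITE = 150_000   # hypothetical leadership-agreed tolerance for residual ALE per year


if __name__ == "__main__":
    print(f"Inherent ALE: {RANSOMWARE.ale():,.0f}")
    for name, res, net, ok in prioritise(RANSOMWARE, CONTROLS, APPETITE):
        flag = "within appetite" if ok else "above appetite"
        print(f"{name:48s} residual {res:>10,.0f}  net {net:>10,.0f}  {flag}")
    combo = [CONTROLS[0], CONTROLS[1]]
    print(f"Backups + MFA together: residual {residual(RANSOMWARE, combo).ale():,.0f}, "
          f"net {net_benefit(RANSOMWARE, combo):,.0f}")
```

With these hypothetical inputs the managed detection service removes a good deal of risk but costs more than it removes, the backup and recovery work gives the best return and is the only single control that brings residual risk inside the stated appetite, and the ranking changes as soon as leadership adjusts the appetite or the likelihood estimate. That sensitivity is the point: the model is a conversation tool for the trade-offs described above, not a substitute for judgement.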
Cutting across the delivery of your cyber security strategy is the need for effective change management. Security projects involve far more than just delivering technology solutions. Moving towards maturity requires a shift in mindset from seeing cyber security as a technical IT problem to being part of everyone’s working life and a key foundation for business success, akin to health and safety.
The cyber threat landscape keeps evolving. So should your cyber security strategy.
As we highlighted in ‘Making business sense of cyber risk’, the key to keeping pace with evolving threats is a systematic approach to assessing the risks, evaluating progress in addressing them and communicating this to your leadership. Conveying the risks in an intelligible way will enable senior management to judge the trade-offs and prioritise actions and resources.
Ideally, each element of a prioritised cyber security portfolio will enhance programme maturity and lead to a measurable reduction in risk. But not everything that counts can be counted. First, maturity assessments aren’t an exact science. Secondly, while some projects will lay the foundations for improvement, it will take a further combination of people, technology, data and governance capabilities to deliver the desired uplift and outcomes.
The purpose of the cyber security strategy is to outpace the constantly shifting threats. So it’s important to develop a pragmatic approach to governance that maintains rigour whilst allowing you to reprioritise and respond to emerging risks.
We’re working with businesses across all sectors to help them make sense of the cyber risks they face and strengthen security and resilience. Talk to us if you’d like to know more.