Topics:   Cybersecurity,Risk Management,Strategy,Technology

April 25, 2019

Adopting a Smarter Cybersecurity Strategy

Enterprise cybersecurity was once considered an information technology (IT) function and a challenge for the IT team, but I think it’s safe to say that most directors of companies understand that much has changed in the past decade. Today, cybersecurity is a strategic business imperative—boards and senior executives are actively involved in cybersecurity strategy because it has become a closely entwined part of enterprise risk management. Enterprises are increasingly digital, and decisions made at the board and C-suite level will ultimately have tremendous influence over an enterprise’s future business success or failure.

Those key strategic decisions often revolve around the three interlocking elements that form the basis for true cyber resiliency:

  • SecOps. Security Operations, or SecOps, encompasses the effective integration of security and IT operations in areas such as mission priorities, secure and available technology, and threat information.
  • Mature security capabilities. This element includes all capabilities for managing cybersecurity risk, from cybersecurity planning and governance through incident detection and recovery.
  • Workforce readiness. The workforce is the greatest point of vulnerability—and that means it’s also the greatest opportunity for improving cyber resilience.

These three components must work together to be successful; no single component is enough on its own to achieve cyber resilience. Yet, many organizations have an imbalance in their three-pronged approach.

The reasons for gaps vary and are sometimes understandable. For example, some enterprises may be attracted to technology solutions and the silver-bullet answers they may provide. However, it is critical to remember that people implement those solutions, and that the solutions are operating in an environment with many other interlocking functions.

In order to build a smarter cybersecurity strategy, enterprises—and the boards that oversee them—must take a holistic view of cyberstrategy and operations, and be ready to make the changes and investments necessary to see these three prongs operate in harmony.

A Smarter Approach Is Needed

While boards and senior executives shouldn’t favor one component of resiliency over another, enterprises can’t afford to do it all, either. Prioritization is the answer. But what is the best approach to allocation of technology, resources, and training?

The creation of a smart cyberstrategy is best done when the security executives at a company view all activities through the lens of business risk, and then consult the rest of the executive team and the board to ensure that their plan is thorough.

It is important for directors of companies to note that enterprises shouldn’t be swayed by headlines or the last threat encountered. Rather, the company’s security leadership should start by recognizing where the enterprise is most likely at risk and where the most damage could be done by a potential threat. This type of comprehensive review will produce a status report of the enterprise’s current cybersecurity maturity and a roadmap to increasing resilience across all three components of cybersecurity.

The company’s cybersecurity maturity status and resiliency roadmaps are valuable information for a board to review for a number of reasons. By reviewing maturity status over time and understanding how resiliency roadmaps are being developed and acted upon, boards can get a better understanding of the strategic concerns the company faces and a comprehensive view of the options available.

Maturity and resilience reports provide a common language that is useful for prioritization and eventually gaining consensus, making investment plans more sound and increasing communication through the organization about operational imperatives. In addition, by consistently and habitually following updates to its own maturity ratings and resulting roadmaps, the enterprise will be in the position to evolve with changing threats.

Planning, Budgeting, and Operations

Armed with knowledge reflecting the unique risk profile the enterprise faces, decision-makers can target investments in the resiliency roadmap across all three components of cybersecurity. Enterprise leaders can have confidence that the most likely and pressing cybersecurity concerns are being addressed and balanced, and can then report to the board the strategic successes brought about by those investments.

So, what kind of investments should be made? The board should ensure that decision-makers carefully consider technology purchase decisions, as well as their impacts on the enterprise environment and workforce. Imbalances in maturity of the company’s overall cybersecurity function can be seen holistically and addressed by priority of true need if the company has carefully mapped and measured its progress.

The enterprise’s cybersecurity workforce—likely the biggest investment and biggest potential threat—can be aligned to areas of greatest need. However, that staff realignment process is the most difficult of these tasks. An enterprise’s training needs for building the right cybersecurity team should be aligned to the most recent maturity ratings and resiliency roadmaps.

While it is not the board’s role to be involved in selecting the right training team, the board should probe to get an understanding of whether a training provider has been selected that can partner with your enterprise’s unique needs. What does a strong fit look like?

The right training partner will leverage cyber training that tests skills as opposed to knowledge. That partner will be able to determine the difference between having a cyber team that actually knows how to implement a solution and a team that just knows about the solution. The right provider also will offer flexibility in its training portfolio, its training platforms, and training outcomes. An enterprise’s cyber maturity and resiliency evolve over time (as will the threats), so training needs should as well.

Moreover, the current skills gap in cybersecurity means there are not enough cyber practitioners to fill the need. This, in turn, results in high rates of turnover not only for the cyber workforce but also for chief information security officers (CISOs). In such an environment, seeking consistency becomes even more vital to enterprises.

Anchoring cybersecurity activities around a risk-based smart strategy, combined with proper training, ensures that, over the long term, strategy, planning, and budgeting won’t be unduly influenced by rotations of new cyber leaders and staff. Smart cybersecurity strategy is a long-tail activity—properly re-evaluating your cyber risks and achieving consistency in execution will help boards and senior leaders be more confident in their enterprise’s approach to cybersecurity.

What Your Board Can Ask Next

Your board is committed to adopting a smarter cybersecurity strategy at your company. What’s next? Consider asking your security team these questions at your next meeting with them, or in an outside-the-boardroom, candid discussion. Alternatively, ask your own board these questions, and ask the same set every year at the same board meeting to further benchmark your success:

  • Does your enterprise cybersecurity strategy properly balance the three interlocking elements of true cyber resiliency (SecOps, mature security capabilities and workforce readiness) in a way that meets the unique needs of the enterprise?
  • Does the organization have a way to measure and show progress relative to cyber maturity?
  • Is the enterprise over- or under-invested in one or more areas? How would you accurately measure that balance?
  • How does the organization stack up when compared to other similar, high-performing organizations?
  • Is our company applying recognized cybersecurity best practices?
  • Does the enterprise view cybersecurity activities through the lens of risk to best prioritize where the organization is most vulnerable and where it may not need extra attention?
  • Does the organization have a roadmap to cyber resiliency that codifies those risk-adjusted priorities into a plan, and can the plan withstand internal changes to leadership or staffing, or outside influences like other organizations’ high-profile cybersecurity breaches?
  • Since the company’s cybersecurity workforce presents the greatest challenges and opportunities in achieving cyber resilience, do we partner with a training provider that offers flexibility in skills development and learning platforms, so as the roadmap to cyber resilience evolves, the training partner can adapt its offerings to match those needs?

Robert Clyde, CISM, is board chair of ISACA, an association of information systems professionals that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices.