This article is part of a series designed to help leaders (CISO’s) and security professionals define their cybersecurity strategy.
Although the article is packed full knowledge and experience I have picked up during my time in the industry, the content should only be considered as a guide or starting point because unfortunately there is no one size fits all solution.
A security strategy needs to be tailored to each individual industry and the specific threats an enterprise faces.
A threat that is considered high-risk and high probability for one organisation might not be for another.
One example of this is an organisation that is working on developing a new patented product. In this organisation the insider threat and the disclosure of a patent might set the company back several years or even put the company out of business. For this organisation the risk and impact are both high.
Compare this to another organisation where the majority of their information is public. They might still face the same threat but on a reduced target surface (e.g. finance records).
The strategy the two organizations would put together might be similar in the areas mentioned in this article but the actions and countermeasures will differ drastically.
Please consider this article as my personal opinion not a representation of my organisation.
Feel free to criticise the article (constructively) or praise it (thanks). As the topic is quite wide and vast I’ll be addressing it, as suggested by the NSC42 audience, in a number of articles.
As you might already know by reading some of my articles, I like to draw whiteboard style pictures, instead of pretty pictures, so I apologise in advance if something is not clear, please get in touch with any comments and suggestions.
Starting with the WHY
The WHY/HOW/WHAT approach covered in this range of articles is based on the ideas in Simon Sinek's book Start with Why.
I recommend both the book and Simon’s TED talk for more of an insight.
When communicating from the inside out (why to what), the why is defined as the reason to buy and the what serves as the tangible proof of that belief.
The importance of starting with the why is so you can focus on the real reason of achieving certain objectives.
WHY — defines the intrinsic motivation why do we want to achieve something
HOW — establishes the direction and the steps required
WHAT — is the process of determining the outcome of the actions as well as the outcome to achieve the WHY (vision)
“When most organizations or people think, act or communicate they do so from the outside in, from WHAT to WHY. And for good reason — they go from clearest thing to the fuzziest thing. We say WHAT we do, we sometimes say HOW we do it, but we rarely say WHY we do WHAT we do.”
“When communicating from the inside out, however, the WHY is offered as the reason to buy and the WHATs serve as the tangible proof of that belief.”
A good example of this philosophy is Apple. Apple doesn’t start with WHAT. They start with WHY. In the early 2000s, Apple started a campaign to communicate the WHY called “Think Different.”
With the iPhone, they did it again with the mobile phone industry in 2007. Each time, they stayed true to their WHY: “Think different.”
Applying the WHY principle
Recent engagements with NSC42’s clients made me realise the importance of a solid security strategy for an organisation which wants to improve their security posture.
Like any good story, an organisation that strives to improve or even better excel in security (or insecurity) requires a good script. That, in this case, is represented by the security strategy.
Don’t get me wrong, a strategy document can be a cumbersome task, I know that from my own experience, so I don’t underestimate the time and effort this might require.
But, the strategy can begin with just one sentence describing the security vision for the enterprise.
Another hindrance of a security strategy, especially for a CISO, is the expectation of the board for results to be achieved quickly. A strategy that is too visionary might leave the board members disappointed while one too short-term or absent might give the impression of a firefighting approach.
The vision — also known as the WHY
The content of the vision of the organisation’s overall security must explain why security is important for that organisation.
The message is even more powerful when is connected to the overall organisation strategy and core principles.
Ultimately security is a burden for an organisation and there is no point in taking it seriously if the organisation is not committed to it (top down commitment).
So back to the why: Why should an organisation invest time and money in security (people, process and technology)?
The above is, I guess, the key question to ask your stakeholders (usually the board of directors depending on the organisational structure).
So, what would be the first step in embarking in the journey of defining a strategy?
Let’s explore the main steps:
Identify your key decision-makers and capture their key concern.
What are the pain points and what’s on fire?
Among your stakeholders identify the supporters and the challenges, address their questions in advance of every meeting and have numbers and the how ready at your fingertips.
The sentence “I’ll come back to you later” could kill the momentum of a decision and potentially result in a loss of opportunity.
Identify the key asset/crown jewels, their value for the organisation and that will dictate how much to spend on protection: there is little point in protecting an asset that no one cares about unless you consider the actual value of the asset is misinterpreted.
The actual value, and consequently the impact of its loss, might differ from the perceived value of an organisation (e.g. impact on the brand).
Don’t reinvent the wheel: use pre-existing frameworks and guidelines (like ISO27001) and established risk assessment techniques.
Defining a security strategy is a cumbersome, but necessary journey, for an organisation.
Without a strategy, the organisation will end up firefighting but not addressing the root causes which ultimately leads to wasting a lot of resources and energy.
In this article, we’ve analysed “the WHY” (the vision) and we will head into the HOW (the methods) in the next article.
Ultimately the HOW will head into the WHAT (the plan) and that will provide a step by step action plan to execute the strategy.
Without a why and a vision, implementing security controls in an organisation is like trying to put out a fire with a napkin…if it’s is a small fire you might achieve something but, most of the time, it will result in something like this:
Other Articles on Medium: