In Part One of my series on defining a security strategy I am going to focus on the WHY aspect of developing a security strategy. If you are a CISO, Head of Security, or a technologist focused on cybersecurity, the material described in this article sums up the thinking, methodology and process that my team and I have developed over the last decade offering advisory services to our customers.
The content of this article should be considered a guiding principle because ultimately no one solution fits all. Organization security strategy needs to be tailored to the individual industry and the specific threats that an enterprise faces.
Some threats that would be considered a high risk high probability for one organization might not viewed in the same way by a different organization.
One example of the above is an organization that works on developing new patented product, in this organization the insider threat and the disclosure of a patent might set back the company of several years if not put the company completely out of business. For this organization the risk is high and impact is high.
Another organization where the majority of information are public might still face the same threat but on a reduced target surface (e.g. finance records).
The strategy the two organizations would put together might be similar in the areas illustrated in the article but the actions and countermeasures will differ drastically.
Starting with the WHY
This and my other articles often reference to start with the why and you should refer to these articles/books to get more insight on this concept, but even if you have not, for this series of articles, you must be aware of the following:
When communicating from the inside out the WHY is offered as the reason to buy and the WHAT serves as the tangible proof of that belief.
The importance of starting with the WHY is refocusing on the real reason (the why) of achieving certain objectives. To summarise:
- WHY - defines the intrinsic reason of why do we want to achieve something.
- HOW - defines the direction and the steps required.
- WHAT - defines the outcome of the steps as well as the final outcome to achieve the WHY (vision).
A good example of this philosophy is Apple. Apple doesn’t start with WHAT. They start with WHY. In the early 2000s, Apple started a campaign to communicate the WHY called “Think Different.” With the iPhone, they did it again with the mobile phone industry in 2007. Each time, they stayed true to their WHY.
Applying the starting with the WHY principle
Recent engagements with NSC42’s clients made me realise the importance of a solid security strategy for an organisation that wants improve their security posture.
Like any good story, an organisation that strives to improve or even better excel in security (or insecurity) requires a good script (not python :)...that in this case is represented by the security strategy.
Don’t get me wrong, a strategy document can be a cumbersome task, I can tell from my own experience, hence don’t underestimate the time and effort this might require.
Anyway the security strategy can begin with just a sentence describing the security vision for the enterprise.
Moreover another hindering element of a security strategy, especially for a CISO, is the expectation for the board to achieve result in a very short timeframe. A strategy too visionary might leave the board members disappointed while one too short term or absent might give the impression of work scattered around (firefighting).
The vision - also known as the WHY:
The content of the vision inside the overall organisation’s security must explain why security is important for that organisation. The message is even more powerful when is connected to the overall organisation strategy and core principle. Ultimately security is a burden for an organization and there is no point in doing security, take this with a pinch of salt, if the organisation is not committed to it (top down commitment).
So back to the why: “why should an organisation invest time and money in security (people, process and technology)”.
The above is, I guess, the key question to ask your stakeholders (usually the board of directors depending on the organisational structure).
So what would be the first step in embarking in the journey of defining a strategy? Let’s explore the main steps:
- Identify your key decision-makers(as the board of directors) and capture their key concerns: what’s are the pain point and what’s on fire;
- Whitin your stakeholders identify the supporters and the challenges, address their questions in advanced of every meeting and have numbers and how ready at fingertip. The sentence “I’ll come back to you later” could kill the momentum of a decision and potentially result in a loss of opportunity.
- Identify the key asset/crown jewels, their value for the organization, and that will dictate how much to spend on protection: there is little point in protecting an asset that no one care about, unless you consider the actual value of the asset is misinterpreted. The Actual value, and consequently the impact of its loss, might different from perceived value for an organization (e.g. impact on the brand).
- Don’t reinvent the wheel : use pre-existing frameworks and guidelines (like ISO27001) and established risk assessment techniques.
Next steps - expand on the vision - start heading toward the HOW
For this phase you’d want to start choosing a framework and a narrative depending on the audience: There is no point in having a lengthy discussion on technical implementation to senior stakeholders or discuss the conceptual strategy vision to engineers. The point I’m trying to make is to tailor the security topic to the audience you are targeting.
The framework can be enriched with topics depending on your organization. The content inside the topics can be more or less detailed depending on the audience.
The above is just a quick sketch based on ISO framework/use the domains in the picture below to enrich and expand the above diagram
ISO27001 framework additional details:
ISO is not the only reference framework. Alternative Frameworks are available from NSCS and NIST as well as many other organisations.
The important factor in choosing one framework and commit to it. The framework can be expanded if necessary or act as a guide to propulse topics that you might otherwise have overlook or skept.
NIST proposes, in the cyber security framework, a 5 steps approach that can be adapted to various organization. The underpinning strategy around each steps can take your high level vision to the next level.
The framework proposed can be summarized in the following:
- 1. Identification of assets
- 2. Decision on protective controls based on value and risk assessment
- 3. Detection method based on the deployed controls
- 4. Incident response based on the detection methods
- 5. Recovery plan based on the various incident response plan
The steps 3-5 will lead to playbooks that can be replicate and improve consistency of response in a Security Operation Centre (SOC) and maturity of the organization.
The discussion around the Cybersecurity framework from NIST is too wide and outside the scope of this article.
NIST framework with additional details:
Once the you’ve defined the vision and identified the various areas of improvements (based on the framework) start detailing the details in the various pillars (like the above one) and continue with details up to the implementation level and plan.
Once this is ready you’ll have a solid plan due to the underpinned details that will lead to a solid case. Nonetheless please note that the business case will only work if it really addresses, and solves, your organization, and the stakeholders, painpoints.
There is no point in having a great plan that is not fit for purpose for your organization.
NCSC 10 steps to cyber security:
An alternative framework to NIST is the NSCS framework: 10 steps on cyber security.
The 10 steps provide different areas of improvement. The framework is particularly indicated for Small and Medium Businesses or organization that wants to start the security improvement journey.
Again the purpose of this article is to provide pointers to common framework to use/or the one I’ve used.
Other Alternative Frameworks
There are multiple framework available and they are just one google search away. One that I’ve found useful in my consulting activity with NSC42 is the 20 cyber security actionable items described in the picture below.
The list result a bit more detailed than other framework, and might not be applicable in every case. What i did like of this list is the fact that comprises a number of actionable tasks/topics.
Framework selection considerations:
Be mindful that a long list of actions, like the one in the picture above, will probably be not not be fit for purpose when talking to high level management or stakeholders. You will be better off in including the detail list in simple and high level level building blocks (read as major topics or categories).
The content of a strategy, sorry for stressing the topic, needs to be adapted depending on the audience. When presenting to a board of directors you have a concise timeframe and little attention span from the audience. Focus on 2-3 areas of improvements at the time as it is, really, the optimal amount of options that a brain can evaluate in one go.
This will simplify the decision making process and avoids, hopefully, the decision fatigue
Cornerstones of a security strategy
The framework and the topics described above provide guidance on defining a security strategy.
The prerequisite and key cornerstones of a security strategy are the followings:
- Identify the Crown Jewels (what is important for the organization)
- Understand the pain point of the stakeholders and of the organization (sometimes they are not aligned)
- Identify the key stakeholders and what is important for them
- Identify who will challenge and who will support your strategy in the board
- Address the challengers outside the board meetings, this will enable to either fix the challenge root cause. Alternatively if the challenge can’t be resolved outside the board, addressing it outside it will provide you with enough to prepare addressing it during board meeting.
- Understand the business risk appetite
- Identify quick wins in the strategy (what can be fixed quickly)
- Identify the big ticket items that can bring attention to the the success of the security strategy.
- Identify the failure of previous strategy and built on the past experience, don’t be afraid to ask what did not work before. Nonetheless don’t get too much biased by the failure as there might be a wide number of factors to the failures (people, timeline, etc…)
- Formulate key success factor and define gates to celebrate success
After defining the above you can proceed in defining the vision and select the reference framework.
Defining a security strategy is a cumbersome, but necessary journey, for an organisation. Without a strategy the organization will end up firefighting but not addressing root causes and ultimately wasting a lot of resources and energy.
In next article we will explore more in depth the detailed steps to develop the strategy. Without a why and a vision implementing security controls in an organization is like trying to put out a fire with a napkin...if is a small fire you might achieve something but, most of the time, it will result in something like this: