Agile security – Responding to change in your cybersecurity strategy

Flexible approach to cybersecurity strategy planning. How to make your security roadmap flexible? How to align your strategy with changing conditions?

The rate of change in our technology, regulatory and business environment is increasing. All these changes impact our cybersecurity strategy and supporting roadmap. We have two options available: do nothing and follow the plan or respond to change using agile security approach.

Information security programs depend on multiple internal and external factors. Continuous changes in these factors increase the level of uncertainty. They change the assumptions we made for the initiatives we placed on the implementation roadmap supporting our cybersecurity strategy.

In result, long-term security roadmaps become quickly outdated.

We can observe the following categories of changes:

Changes to global market conditions, client needs and key market issues. Changes related to your company supply chain and key partnerships. All of them impact your organization and need an adequate response.
When external changes happen, businesses decide to adapt. They alter the qualities of their products and services to surprise clients with new delighters. They transform operating models, organizational structures, internal processes and skills to improve their efficiency.
Mergers and acquisitions ignite a revolution across all business functions, including security. Expectations and focus points of your key stakeholders shift. The economic condition of your company impacts your security budget.
Requirements imposed by regulatory bodies increase the complexity of the business. Sometimes they conflict with each other. We need to make sure we manage them efficiently under the hood of a consistent security framework.
Innovative solutions generate new opportunities and improve operating efficiency. However, their adoption also expands the attack surface. Internet of things, 5G connectivity, neural networks, cloud services and other business enablers are or will be the targets of attackers.
Motivation and skills of threat actors targeting our companies are changing. They build complex structures, operate like businesses and use new technologies. They invented ransomware. They created malware on steroids – malware supported by artificial intelligence. We should reflect those advancements in our prevention and detection capabilities.
When risks materialize, incidents occur. In case of serious events, the post-incident analysis may uncover underlying root causes that led to those incidents. Recommended solutions may require drastic changes to the security framework and cybersecurity strategy.

These are only basic examples of factors that impact your security roadmap. Almost always you have no control over those conditions. But you can always respond to them in an organized fashion.

Responding to change over following the plan

If key factors impacting security strategy change, we need to adapt. The more flexible your strategy is, the easier to adapt your implementation roadmap. You can use the following ideas to make your security roadmap easily adaptable.

Table of contents

  1. Use a shorter planning horizon
  2. Start with Minimum Viable Product
  3. Update your cybersecurity strategy often
  4. Include change factors in your policy
  5. Integrate security with business processes
  6. Monitor your environment

Use a shorter planning horizon

The longer the time perspective of your security roadmap:

  • the more variables you need to consider,
  • the more initiatives on your roadmap,
  • the more time to produce it and maintain it.

This approach usually leads to paralysis by analysis. You can spend extensive amounts of time trying to anticipate every detail of the future ahead of your company. But what is the guarantee that the whole universe will align to make this detailed vision realistic? Probably, none. In result, making detailed plans for the next five years is a waste of time and energy.

Shorten the planning timeframe to annual.

It is better to work smarter, not harder.

You can always define high-level, long-term objectives. But when defining your roadmap, it is easier to focus on the next year. It is easier to adjust annual roadmap instead of the big plan for the next three to five years.

Start with Minimum Viable Product

If you use a shorter planning horizon, it might be challenging to implement comprehensive security capability across the entire organization. But you can modify your strategy and concentrate on your Minimum Viable Product.

As an example, instead of committing to implementing full-scale Data Loss Prevention solution that monitors all the channels, and all information flows, you can take a different route. You can concentrate on the top three most critical use cases. Especially those that can you can manage using simple, pre-defined rules. You can begin monitoring most often used communication channels. And you can implement essential functionality during the first iteration.

This approach allows you to test your solution and adapt in case of challenges. You can work in small increments and adjust next objectives based on the results you achieved.

Update your strategy often

The plans are not set in stone. We need to review our strategy and check how well is it aligned with the current business context. If a misalignment appears, we need to fix it.

We need to assess how well our strategy is performing. Some security solutions may not work as expected. Selected KPIs may show that some of our processes are inefficient. It is better to cut the losses promptly than to follow the plan that leads to nowhere. It is better to get rid of the ineffective security solution after the first iteration instead of deluding yourself that a miracle will happen.

Make sure that your team reviews your security roadmap often.

Check if it still delivers expected results.

Promote continuous improvement of your plan.

Include change factors in your policy

Information security policy is an excellent place to include key events that should trigger changes to your cybersecurity strategy and supporting roadmap. You can use the list from the beginning of this article as a starting point for creating your policy statement.

Integrate security with business processes

One thing I notice in multiple organizations is a misalignment between business and security. We can see it when the business owner transfers personal data to a new supplier without engaging the security team. It happens when the product owner defines new functionality without incorporating security requirements. It occurs when the development team establishes a new cloud platform without security authorization.

These are examples of a clear misalignment.

The most critical consequence is that the security organization is not aware of the essential business factors that impact company threat landscape and should be addressed correctly. In result, the strategy is not in line with new business expectations, and misalignment extends.

To avoid that scenario, integrate security with business processes.

Make sure that business considers security during the following processes or more substantial transformations.

Triggers for security consideration

  • Adoption of new technologies,
  • Design of new products or services,
  • Business and technology strategy development,
  • Mergers and acquisitions,
  • Buying services from third-party suppliers,
  • Design or redesign of processes that rely on confidential data.

All of them could be triggers to revise your security controls, adjust your strategy and supporting roadmap. To play an active role during those events, your team members must have a business-oriented mindset. They must become business advisors.

They should think in terms of ‘How can we enable this business activity within acceptable risk?’ Not in terms of ‘Why this is dangerous and how we can stop it?’

They should think in terms of ‘How can we make security transparent within this process?’ Not in terms of ‘How many controls we can add to highlight importance of security?’

Monitor your environment

To make sure that your strategy is flexible and adapts to changing requirements, regularly scan what is happening in your business environment.

How to scan your environment

  • Read reports about emerging risks in your industry,
  • Subscribe to relevant news sources,
  • Subscribe to threat intelligence services,
  • Learn about new technologies, at least on a conceptual level,
  • Attend security conferences and events,
  • Attend events organized by your industry associations,
  • Join communities where other CISOs and security professionals exchange their ideas.

The primary purpose here is to understand what are the hot topics in your industry. And to prepare in case your organization would like to adopt the most recent developments.


These are only sample ideas that can help you increase the flexibility of your security planning. If you find them useful, share this advice with your colleagues using social sharing buttons below. If you would like to stay in touch, please join my network on LinkedIn. I will be happy to exchange your thoughts on this.

Comments 1

Comments are closed.

Agile security – Customer collaboration

Agile security – Customer collaboration

Customer-centric and collaborative approach to security strategy

Cybersecurity priorities in COVID-19 aftermath

Cybersecurity priorities in COVID-19 aftermath

Cybersecurity strategy priorities for security officers in COVID-19 aftermath

You May Also Like