The rate of change in our technology, regulatory and business environment is increasing. All these changes impact our cybersecurity strategy and the roadmap supporting it. We have two options: do nothing and follow the plan, or respond to change using an agile security approach.
Information security programs depend on multiple internal and external factors. Continuous change in these factors increases uncertainty and invalidates the assumptions behind the initiatives we placed on the implementation roadmap supporting our cybersecurity strategy.
As a result, long-term security roadmaps quickly become outdated.
We can observe the following categories of changes:
These are only basic examples of factors that impact your security roadmap. You almost never have control over those conditions, but you can always respond to them in an organized fashion.
Responding to change over following the plan
If key factors impacting your security strategy change, you need to adapt. The more flexible your strategy is, the easier it is to adapt your implementation roadmap. The following ideas help make your security roadmap easy to adapt.
Use a shorter planning horizon
The longer the time horizon of your security roadmap:
- the more variables you need to consider,
- the more initiatives on your roadmap,
- the more time to produce it and maintain it.
This approach usually leads to paralysis by analysis. You can spend extensive amounts of time trying to anticipate every detail of your company's future. But what guarantees that the whole universe will align to make this detailed vision real? Probably nothing. As a result, making detailed plans for the next five years is a waste of time and energy.
Shorten the planning timeframe to one year.
It is better to work smarter, not harder.
You can still define high-level, long-term objectives. But when defining your roadmap, focus on the next year. It is easier to adjust an annual roadmap than a big plan for the next three to five years.
Start with a Minimum Viable Product
If you use a shorter planning horizon, it might be challenging to implement a comprehensive security capability across the entire organization. But you can adjust your strategy and concentrate on a Minimum Viable Product.
As an example, instead of committing to a full-scale Data Loss Prevention solution that monitors all channels and all information flows, you can take a different route. Concentrate on the three most critical use cases, especially those you can handle with simple, pre-defined rules. Begin by monitoring the most frequently used communication channels, and implement only the essential functionality in the first iteration.
This approach lets you test the solution and adapt if you run into problems. You work in small increments and adjust the next objectives based on the results you achieved.
Update your strategy often
Plans are not set in stone. We need to review our strategy and check how well it is aligned with the current business context. If a misalignment appears, we need to fix it.
We also need to assess how well our strategy is performing. Some security solutions may not work as expected. Selected KPIs may show that some of our processes are inefficient. It is better to cut the losses promptly than to follow a plan that leads nowhere. It is better to get rid of an ineffective security solution after the first iteration than to delude yourself that a miracle will happen.
Make sure that your team reviews your security roadmap often.
Check if it still delivers expected results.
Promote continuous improvement of your plan.
Include change factors in your policy
An information security policy is an excellent place to record the key events that should trigger changes to your cybersecurity strategy and supporting roadmap. You can use the list of change factors from the beginning of this article as a starting point for your policy statement.
Integrate security with business processes
One thing I notice in multiple organizations is misalignment between business and security. We see it when a business owner transfers personal data to a new supplier without engaging the security team. It happens when a product owner defines new functionality without incorporating security requirements. It occurs when a development team sets up a new cloud platform without security authorization.
These are examples of clear misalignment.
The most critical consequence is that the security organization is not aware of the essential business factors that change the company's threat landscape and need to be addressed. As a result, the strategy drifts out of line with new business expectations, and the misalignment grows.
To avoid that scenario, integrate security with business processes.
Make sure that the business considers security during the following processes and during larger transformations.
Triggers for security consideration
- Adoption of new technologies,
- Design of new products or services,
- Business and technology strategy development,
- Mergers and acquisitions,
- Buying services from third-party suppliers,
- Design or redesign of processes that rely on confidential data.
All of them can be triggers to revise your security controls and adjust your strategy and supporting roadmap. To play an active role during those events, your team members must have a business-oriented mindset. They must become business advisors.
They should think in terms of 'How can we enable this business activity within acceptable risk?', not 'Why is this dangerous and how can we stop it?'
They should think in terms of 'How can we make security transparent within this process?', not 'How many controls can we add to highlight the importance of security?'
Monitor your environment
To make sure that your strategy stays flexible and adapts to changing requirements, regularly scan what is happening in your business environment.
How to scan your environment
- Read reports about emerging risks in your industry,
- Subscribe to relevant news sources,
- Subscribe to threat intelligence services,
- Learn about new technologies, at least on a conceptual level,
- Attend security conferences and events,
- Attend events organized by your industry associations,
- Join communities where other CISOs and security professionals exchange their ideas.
The primary purpose here is to understand the hot topics in your industry and to be prepared in case your organization wants to adopt the most recent developments.
Summary
These are only sample ideas that can help you increase the flexibility of your security planning. If you find them useful, share this advice with your colleagues. If you would like to stay in touch, please join my network on LinkedIn. I will be happy to exchange thoughts on this.