A traditional long-term cybersecurity strategy quickly becomes outdated when challenged by continually fluctuating market conditions. We can save a lot of time and make the security roadmap more relevant by shortening its timeframe and using agile methods.
Our business environments are evolving at a speed that creates an impression of endless chaos. Intense market volatility forces companies to adjust their strategies more often. High uncertainty about the future direction makes long-term planning more like reading tea leaves than making predictions based on reasoning.
This volatility also affects the way we develop a cybersecurity strategy and its supporting roadmaps. Our aim is to make sure that they are aligned with business objectives. But those objectives may change in the long run.
Approaches to security planning
There are two ways to develop a cybersecurity roadmap:
Traditional approach. With the conventional method, we design the roadmap in a waterfall style and select a set of initiatives for the next one to three years. This technique works well when you need to plan substantial, long-term investments. However, it requires you to engage multiple subject matter experts with rich experience in managing the initiatives you outline, and it makes the planning process longer.
Agile approach. The agile way of developing a cybersecurity roadmap boils down to using time boxes of one to three months and dividing security initiatives into smaller objectives to be completed within a single year. It works well for organizations that want to stay flexible and respond to a shifting business context.
In my experience, I use the second approach more often, and that influences the time horizons I use to develop security roadmaps.
Time horizons for cybersecurity strategy
The time horizon is the overall scope of your planning: the total length in time of your roadmap. The best time range for your security plan usually depends on the following circumstances:
- Industry in which your company operates,
- The pace of change observed in this industry,
- The organization's approach to business planning, and
- Expectations of your board or investors.
I have had the opportunity to work with the following time horizons:
Over 3 years. The traditional approach to strategic planning in business recommends developing plans for the next three to five years. The exact timeframe depends on the type of environment in which the company operates. Shorter timeframes are better for fast-moving markets driven by technology innovation; longer strategies are expected from firms in more stable industries. However, in my recent experience, I have not encountered a request to develop a security roadmap longer than three years.
2-3 years. Organizations use this planning horizon most often. It supports longer-term actions, such as implementing complex security solutions or establishing extended security functions. At the same time, it allows you to adjust those actions in case of significant changes to business objectives, technology, or the regulatory landscape. However, this timeframe requires you to revise your strategy annually to reflect changes in the business factors that impact cybersecurity.
Up to one year. I see this timeframe more and more often, especially in technology companies. It works well for firms that have adopted agile approaches to project management and strategic planning. This short-term approach does not imply a lack of long-term thinking: you can still define high-level, long-term strategic objectives in your strategy, but you do not have to plan their execution in detail upfront. This timeframe calls for an MVP (minimum viable product) approach: implement essential capabilities first, then extend their functionality or scope. It is the most flexible time horizon and lets you adapt quickly to fast-paced markets.
Time boxes in cybersecurity roadmaps
When using an agile approach to develop security roadmaps, I usually set a planning horizon of one year. But selecting the planning horizon is not enough. We also need to specify the length of our time box: the chunk of time used to set deadlines for the specific objectives of the initiatives defined on our roadmap.
We can use two paths here:
- Fixed-length time boxes,
- Variable-length time boxes.
Fixed-length time boxes
In this case, we agree on a fixed length. Usually this is one month, two months, or a quarter. One month might be too granular for a strategic roadmap. Two or three months work better, and the exact choice depends on the cadence your organization uses to set objectives for its teams.
Variable-length time boxes
I use this approach very often, mainly when the strategy covers the implementation of emerging technologies that have to be tested under normal business conditions, or when the CISO wants to stay flexible about the final scope of solution adoption. This method also allows you to prioritize your actions based on the associated risk level or urgency.
If you decide to use variable-length time boxes, you can divide the security roadmap into areas of increasing length (the immediate 90 days, the next six months, and the full year) and assign your security objectives to them accordingly, as in the figure below:
Figure: Simple time boxes for agile roadmaps
Variable-length time boxes allow you to plan more specific objectives for the immediate future and more generic goals for the next six months or a year. After the first 90 days, you repeat the planning cycle: the objectives you previously set for six months become your targets for the next 90 days. You can check whether they are still achievable given your current progress, and refine or adjust them based on lessons learned from the activities you have already completed.
I hope this article helps you select the best planning approach for your next security roadmap. If you would like to exchange thoughts on this, you can use the comments section under this post on my LinkedIn profile.