How to Implement Effective Cybersecurity Strategy in 7 Steps

How to develop and manage a robust cybersecurity strategy

How to develop and manage a robust cybersecurity strategy? Many security officers and managers face this question in turbulent times, when they see that the world around them has changed. I struggled to find a single organized and practical framework that answers this question in an end-to-end fashion.

Most security frameworks focus on implementing security management systems, but they are too tactical for a strategic program. Some approaches help to understand the overall strategy implementation process, but they lack sufficient details that would allow CISOs to turn the theory into practice. Some useful strategic frameworks focus on IT, but they do not cover information security or cybersecurity issues.

As a result, to develop a successful cybersecurity strategy, you either need broad experience or you need to merge multiple frameworks available on the market, pick the most critical parts from each of them, and put them in the right order and in the context of your business. But who has the time for that these days?

To ease your pain, I have described an organized and comprehensive approach to Cybersecurity Strategy Management. It mixes techniques inspired by best practices found in IT and information security frameworks, project management, and change management with experience of what works and what does not work in practice.

The approach is heavily influenced by 18 years of my professional experience in information security management and in assessing or designing cybersecurity strategies for 14 companies.

My idea is to build a golden source of information for CISOs, security managers, and architects in Cybersecurity Strategy Management.

Structure

The description of each Cybersecurity Strategy Management phase contains the following elements:

Customer Profile

Activities

Organized list of actions to be completed during each of the phases.

Objectives

Key objectives to be achieved - why a specific phase is important.

Inputs

Information needed to complete activities during a specific phase.

Outputs

Work products delivered as a result of completed actions.

Practices

Tools, methods, and accelerators that speed up proposed activities.

References

References to market frameworks and standards.

Important Notes

Practices

The following approach to Cybersecurity Strategy Management includes references to market best practices, standards, and frameworks in the area of technology and security. However, it does not follow them to the letter. It blends techniques from these frameworks with practices from business strategy development, project management, time management, and change management, including agile and lean methodologies. The most relevant practices are selected based on professional judgment. Therefore, it cannot be treated as a guarantee of compliance with any of these standards.

Updates

This is a living article: it is continuously updated. It provides a high-level summary of each strategy management phase, its purpose, actions to complete, required inputs, references to frameworks available in the market, and the results you should produce. In the following weeks, I will focus on describing all 40 activities related to strategy development, implementation, and improvement. As a result, some of the items may change over time.

Cybersecurity Strategy Management

Cybersecurity Strategy Management Lifecycle

1. Horizon - Understand your territory
2. Destination - Define your target location
3. Orientation - Understand where you are now
4. Planning - Plan how to reach your target
5. Action - Achieve your strategic objectives
6. Tracking - Track current location and progress
7. Correction - Correct your path to avoid obstacles

1. Horizon

Understand your territory

Before starting your journey towards a successful cybersecurity strategy, look at your cybersecurity Horizon. Before setting out on a trip, a look at the horizon tells us a lot about how the terrain looks, how much time we have, the weather, and the obstacles on the road.

In the cybersecurity world, the Horizon phase concentrates on a high-level overview of security change drivers. These include the company's environment and strategy, the technology landscape and IT objectives, technology trends shaping the industry, and regulatory demands. This phase also includes a threat landscape evaluation to identify the critical assets that require protection and the risks your strategy should mitigate.

Objectives

  • Ensure that security strategy supports business and technology objectives
  • Limit exposure of organization’s crown jewels to most critical threats
  • Ensure compliance with applicable legal and contractual obligations
  • Help organization to adopt emerging technologies in a secure way

Inputs

  • Organizational strategy
  • Technology landscape
  • Technology strategy
  • Risk landscape
  • Stakeholder requirements

Outputs

  • Factors impacting security
  • Threat landscape
  • Stakeholder list
  • Stakeholder requirements

Practices

  • Brainstorming
  • Document Review
  • Interview
  • Risk Assessment
  • Security Framework
  • Stakeholder List
  • Stakeholder Map
  • Survey

2. Destination

Define your target location

You cannot plan your journey if you do not know where to go. The vision of your Destination urges you to move. A powerful and convincing image of the future is a critical ingredient of a security strategy. It clearly shows where you want to be and is the baseline for determining your security mission.

To enhance this vision, select the security framework aligned with your Horizon. Prioritize security domains within the chosen framework. You cannot maintain them at the same level because organizational resources are usually limited. Ensure that your energy focuses on the most significant areas.

All the activities at the Destination stage should guide you to a complete target state model. It should describe agreed maturity levels for each security domain and contain a list of required components.

The traditional approaches to security strategy usually recommend defining the Destination after analyzing the current state. However, I advise switching the order of these phases. It helps ensure that you are not stuck in the present or the past and take a fresh approach to painting the future vision. It is also more logical for me – you need a reference model ready before you can identify potential gaps.

Activities

  • 2a. Define high-level objectives
  • 2b. Select relevant framework
  • 2c. Prioritize security areas
  • 2d. Define target state model

Objectives

  • Define a powerful vision for security function that motivates to action
  • Define the best in class model for security adapted to the business context
  • Focus implementation efforts on the most valuable and impactful security areas

Inputs

  • Factors impacting security
  • Threat landscape
  • Stakeholder requirements
  • Capability maturity benchmarks

Outputs

  • Security framework
  • Strategic vision for security
  • Security capability models

Practices

  • Blue Ocean Strategy: Strategy Canvas
  • Blue Ocean Strategy: Four Actions Framework
  • Blue Ocean Strategy: Fair Process
  • COBIT: CMMI Model
  • Prioritization
  • Security Framework
  • Workshop
  • SWOT Analysis

3. Orientation

Understand where you are now

Knowing the destination is not sufficient to plan the journey. You need a starting point to pick the best route and assess alternate ways of getting to your destination. The same approach applies to security strategy. The strategy needs an action plan to be effectively implemented. To develop a supporting roadmap, you need both reference points – your starting location and destination.

The purpose of Orientation is to help you find your current location.

At this stage, review your current state. Analyze where the security function stands in terms of process maturity, skills, and technology. Complete this analysis using your target state model, supported by relevant statements from the selected security framework. Identify discrepancies between your current state and your Destination, existing issues, strengths upon which to build, and cost-saving opportunities.

The key output from the Orientation phase is a set of prioritized recommendations. They should outline what you need to do to reach your Destination.

Activities

  • 3a. Conduct maturity assessment
  • 3b. Conduct gap analysis
  • 3c. Define recommendations

Objectives

  • Obtain a clear picture of what needs to be done to achieve the agreed vision
  • Ensure that current security challenges are addressed by security strategy
  • Increase the maturity of security capabilities and secure required resources
  • Identify cost-saving opportunities

Inputs

  • Stakeholder list
  • Strategic vision for security
  • Security framework
  • Security capability models
  • Security documentation
  • Security projects
  • Current state documentation
  • Threat landscape

Outputs

  • Current maturity levels
  • Issues
  • Observations
  • Recommendations
  • Stakeholder list

Practices

  • COBIT: CMMI Model
  • Document Review
  • Evidence Review
  • Interview
  • Lean: Waste Elimination
  • Security Framework
  • Penetration Testing
  • Red Teaming
  • Root Cause Analysis
  • SWOT Analysis

4. Planning

Plan how to reach your target

It is easy to organize a one-day trip.

It takes more to arrange an annual expedition.

The process of Planning comes into play here. It helps translate multiple actions into manageable projects, workstreams, and achievable objectives that can be tracked and controlled using a high-level plan.

During the Planning phase, aggregate all recommendations into manageable projects. Describe these projects with necessary details, including their ownership, deliverables, resources, and milestones. They will help you evaluate each project’s complexity, agree on its priority, and place associated goals on the roadmap. When the roadmap is ready, document your strategy, ask your stakeholders to review it, incorporate feedback, and organize its formal approval.

Communicate the final version of the strategy to all relevant stakeholders. As long as you have engaged them in all previous stages, it should come as no surprise to them. Buy-in and successful implementation depend on it.

Activities

  • 4a. Identify implementation projects
  • 4b. Develop project charters
  • 4c. Develop roadmap
  • 4d. Document strategy
  • 4e. Obtain strategy approval
  • 4f. Communicate strategy and objectives

Objectives

  • Define an effective and efficient approach to implement a cybersecurity strategy
  • Prioritize implementation initiatives to focus on achievable objectives
  • Track and manage implementation progress
  • Effectively communicate security strategy
  • Ensure buy-in for cybersecurity strategy on all levels of the organization
  • Ensure top management commitment and support

Inputs

  • Recommendations
  • Strategic vision for security
  • Security capability models
  • Stakeholder list
  • Stakeholder requirements
  • Project management methodology

Outputs

  • Cybersecurity strategy
  • Implementation roadmap
  • Project charters
  • Communication strategy

Practices

  • AgileResults
  • Brainstorming
  • Business Case
  • Communication Plan
  • Fair Process
  • Opportunity Grid
  • Prioritization
  • Project Charter
  • Roadmap
  • Roles Matrix
  • Stakeholder List
  • Workshop

5. Action

Achieve your strategic objectives

The Action phase usually drains most of your time and resources.

It aims to turn your strategic vision into reality.

To implement the strategy, translate your high-level roadmap into specific operational plans. Since the implementation success depends on the people, their behaviors, and organizational culture, define a change management approach that considers human factors.

At this stage, the project managers responsible for the respective workstreams start working on the defined activities. They establish new organizational structures, document required policies, establish or change security processes, implement required technology solutions, build user awareness, and implement reporting to track progress against agreed objectives.

Execution of all agreed plans should increase the maturity of your security capabilities to the levels you determined as your desired target state. As a result, the risks recognized during your Horizon phase should be minimized to an acceptable level.

Activities

  • 5a. Develop operational plans
  • 5b. Implement change management
  • 5c. Establish organizational structure
  • 5d. Define policies and standards
  • 5e. Define security processes
  • 5f. Implement technology solutions
  • 5g. Implement supporting services
  • 5h. Acquire skills and competencies
  • 5i. Build user awareness
  • 5j. Implement reporting

Objectives

  • Implement strategy within agreed timeframe using agreed resources
  • Increase the maturity of selected security capabilities to defined levels
  • Resolve identified issues, remove weaknesses and mitigate identified risks

Inputs

  • Cybersecurity strategy
  • Implementation roadmap
  • Project charters
  • Communication strategy

Outputs

  • Change management approach
  • Operational plans
  • Policies and standards
  • Processes
  • Technology solutions
  • Organizational structure
  • Skills and competencies
  • Services
  • Reporting framework
  • Communication
  • Change management results

Practices

  • Change Management
  • Agile Project Management
  • Security Framework
  • Tipping Point Leadership

6. Tracking

Track current location and progress

To guarantee that you are heading in the right direction, you need to track your current location continually. The purpose of the Tracking phase is to help you stop for a while, look at your map, check whether you still recognize your surroundings, and decide which turn to take next.

During the Tracking phase, focus on two types of activities. Measure your progress against objectives and report achieved business benefits to relevant stakeholders to ensure their continuous dedication and ongoing support. Their feedback can help you identify what is not working as intended and make revisions to your strategy or implementation roadmap.

At the same time, try to be conscious of any changes in the business factors that impact security. Parts of your strategy can change based on current business conditions.

The Tracking phase’s objective is to ensure that you are still heading in the right direction and do not follow the previous path blindly if the terrain topography has changed.

Activities

  • 6a. Monitor factors affecting security
  • 6b. Manage stakeholder feedback
  • 6c. Review progress
  • 6d. Communicate program value

Objectives

  • Ensure efficient usage of security resources
  • Ensure implementation approach is updated when business conditions change
  • Incorporate stakeholder feedback to improve implementation efforts
  • Ensure the strategy is aligned with business
  • Ensure ongoing stakeholder commitment and top management engagement

Inputs

  • Factors impacting security
  • Cybersecurity strategy
  • Implementation roadmap
  • Improved capabilities
  • Current KPI / KRI values

Outputs

  • Security reports
  • Change triggers
  • Stakeholder feedback

Practices

  • AgileResults
  • Fair Process
  • Interview
  • Key Performance Indicators
  • Key Risk Indicators
  • Security Reporting
  • Survey

7. Correction

Correct your path to avoid obstacles

Cybersecurity strategy is not set in stone. Even if your journey’s target is the same, the trail you choose may change based on obstacles you encounter on the road and alternate, better routes you can take. You may need a Correction to your course.

At this stage, based on your successes, lessons learned from your actions, and expected changes, you can identify potential improvements. Estimate their complexity. Their implementation may involve making small adjustments to your strategic vision, capability models, or strategic roadmap.

However, sometimes you may notice a severe misalignment between the current strategy and your Horizon. In this scenario, minor improvements may not be sufficient, and it may be more beneficial to restart the cycle by going back into the Horizon phase. This is a call you make based on your judgment.

Activities

  • 7a. Identify improvements
  • 7b. Assess complexity of changes
  • 7c. Adjust strategic vision
  • 7d. Adjust capability models
  • 7e. Update strategic roadmap
  • 7f. Sustain strategic changes

Objectives

  • Improve existing security capabilities
  • Adapt security strategy to changing business conditions
  • Improve your strategic plan

Inputs

  • Change triggers
  • Stakeholder feedback
  • Security reports

Outputs

  • Updated strategic vision
  • Updated capability models
  • Updated strategic roadmap

Practices

  • AgileResults
  • Fair Process
  • Root Cause Analysis

Summary

I hope that this framework will help you define and manage your cybersecurity strategy. If you find this approach useful, please share it with your colleagues. If you notice areas for improvement, please use the comments section to share your feedback or contact me via email.
