Cybersecurity Strategy Management Framework
This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.
Purpose
You build a cybersecurity strategy to protect your organization’s digital assets and enable its growth. Different organizations have different structures, business models and IT environments. Reviewing the internal factors helps to adjust the strategy to the unique environment and the organization’s needs.
Objectives
Inputs
Activities
Schedule the interviews
In this phase, the main focus is on key stakeholders — the ones classified as Players in the stakeholder inventory during the “1a. Analyze cybersecurity stakeholders” activity. Given their high assumed impact and interest, it is critical to understand their motivations and requirements concerning the cybersecurity strategy, as the success of strategy development relies heavily on their support.
It is best to hold initial interviews with key stakeholders one-on-one. Try to arrange them as soon as possible, taking into account the packed schedules of senior executives. Each meeting can last 30 to 60 minutes, depending on how well you know the organization and the necessity to cover all topics.
Always schedule meetings in advance, including a detailed agenda, so stakeholders can adequately prepare. The better their preparation, the more valuable the insights you will glean from these meetings.
You can use the following agenda templates as a starting point, tweaking them based on the category of stakeholders involved:
Business stakeholders. Individuals responsible for business outcomes like the CEO, COO, divisional leaders, service or product owners, and others who contribute to achieving business objectives.
Technology stakeholders. Individuals who oversee information and technology areas, e.g., CIO, CTO, and managers of key technology teams driving technology objectives.
Security and assurance stakeholders. Stakeholders responsible for security, risk, audit, compliance, and other assurance areas, including CISO, CRO, Head of Compliance, Head of Security Services, and others.
Remember, the topics you need to cover depend on several factors, including:
Familiarity with the organization. If you are new to the organization or serving as an external consultant, you might need to collect more information about the organizational environment, structure, business model, and stakeholder responsibilities. However, it is crucial to maintain a balance. You should strive for deeper knowledge and stakeholder opinions without asking questions that are too obvious or can be easily researched using corporate resources.
Stakeholder role. If your stakeholder holds a higher position in the organizational structure, you should focus more on strategic topics instead of operational ones. This approach fosters meaningful discussions and assures the stakeholders that their time is well-spent during the conversation.
Time availability. If your stakeholder has limited time, you should ask more purposeful questions. Select them carefully, and consider omitting those queries for which you can find answers in company resources or through other stakeholders.
Agenda for business stakeholders
Agenda for technology stakeholders
Agenda for security and assurance stakeholders
Prepare the interviews
The higher the stakeholder is in the organizational structure, the fewer opportunities you have to meet with them. Therefore, making a significant impact during your interactions and making every minute count is crucial. This aim demands solid preparation.
For this type of meeting, showing up with a blank sheet of paper and expecting to gather all information from scratch from your stakeholders could seem unprofessional or be perceived as a waste of their time. Instead, I suggest preparing a presentation that follows the meeting agenda and includes a summary of the research you conducted during the activities “1b. Review internal factors”, “1c. Review external factors”, and “1d. Review threat landscape”.
Here is a potential breakdown for your presentation:
| Section | Slide | Contents | Inputs |
|---|---|---|---|
| 1 - Background | 1A - Project background | Purpose, objectives, timeline, and expected deliverables from the cybersecurity strategy development project. | |
| 2 - Business | 2A - Your role | The organizational structure of the area the stakeholder is responsible for. | Business landscape |
| 2 - Business | 2B - Business landscape | A summary of the business environment in which the company operates and its business model, including key customer segments, products, services and channels. | Business landscape |
| 2 - Business | 2C - Technology landscape | Overview of the IT operating model and IT architecture. | Technology landscape |
| 2 - Business | 2D - Security landscape | A summary of the security landscape, including the operating model and key frameworks used. | Security landscape |
| 2 - Business | 2E - Objectives | List of business and technology objectives and their prioritization. | Business and technology objectives |
| 2 - Business | 2F - External factors | The market, technology, cyber and regulatory trends affecting your organization, their impact and cyber implications. | External factors |
| 3 - Cybersecurity | 3A - Threat landscape | A summary of the prioritized organizational threat landscape presenting key risks, their criticality rating and most essential attributes. | Threat landscape summary |
| 3 - Cybersecurity | 3B - Benefits and challenges | Overview of the security domains or areas within the framework currently used and security objectives. | Security landscape |
| 4 - Project | 4A - Your expectations | Placeholder section in a slide for discussing your stakeholder’s expectations for project execution. | |
| 4 - Project | 4B - Collaboration | Placeholder section in a slide for a discussion about your stakeholder’s interest in the strategy development project, the project’s impact on the stakeholder and the level of stakeholder involvement. | |
| 4 - Project | 4C - Our expectations | A section in a slide presenting key expectations for swift and efficient project delivery, like access to required information or relevant people. | |
| 4 - Project | 4D - Next steps | Next steps and call to action. | |
The most effective approach to meetings with key stakeholders involves presenting your research documented in the slides, asking for their feedback, and using selected questions to guide an engaging discussion. This way, you can gain valuable information about stakeholders’ concerns or expectations.
Discuss project background
Kick off the conversation by explaining the basics of the cybersecurity strategy development project to your stakeholder:
Purpose. Start by describing the initial rationale, purpose, and key objectives of the strategy development project. Note that these may undergo refinements based on the discussions with key stakeholders.
Timeline. Share the estimated project timeline. This will give your stakeholder an idea of when to expect project deliverables and how long they need to keep the project on their radar.
Deliverables. Lastly, discuss the expected project deliverables. These might include a general cybersecurity strategy, high-level objectives, a supporting roadmap, and a definition of proposed cybersecurity capabilities.
Discuss business matters
Business-related matters encompass topics tied to your key stakeholders’ business responsibilities and objectives. These focus on their roles, gains, and pains as described by Alexander Osterwalder in his Value Proposition Design book. Such topics will help you understand what motivates your stakeholders and identify common interests concerning the cybersecurity strategy.
Consider these categories of discussion points:
Stakeholder roles. Discuss your stakeholders’ areas of responsibility and daily activities. What are they responsible for? What roles do they play in the cybersecurity area? This discussion might be optional, depending on your familiarity with your stakeholder’s scope of responsibilities and their impact on the strategy development process.
Organizational landscape. Delve into the business, technology, or security landscape in which your stakeholders operate. Understand the business models, IT architectures, services, and technology solutions used within the organization. Find out what factors influence their decisions and how they may impact the cybersecurity strategy. This topic is optional and depends on your knowledge of the organization.
Stakeholder gains. Understand the outcomes your key stakeholders expect from their roles. What critical business, technology, or functional objectives are they aiming to achieve now and in the future? This information will help you understand the business and technology objectives that cybersecurity should support. The more your strategy aligns with these, the higher the perceived value it will bring to the organization.
Stakeholder pains. Discover the challenges your key stakeholders face in achieving their objectives. What obstacles and risks do they consider? Understanding these will help you sidestep potential pitfalls during strategy design and implementation. The more business or technology problems your strategy helps to solve, the greater its perceived value.
Stakeholder gains and stakeholder pains are the most critical of the above conversation topics, as they help define common interests. The importance of the stakeholder roles and organizational landscape topics depends on your familiarity with the organization; they might be vital for external consultants with limited organizational knowledge, whereas company insiders who know the organization well will likely benefit more from focusing on gains and pains.
The tables below provide a collection of questions tailored to align with the previously proposed meeting agenda and presentation structure. These questions will aid you in extracting insightful responses. Remember, you do not need to ask all of them. Several questions are designed to derive the same type of information from different angles. Adjust them based on the time available and your stakeholder’s grasp of cybersecurity topics.
Questions for business stakeholders
- Can you share your perspective on the most critical aspects of your leadership domain?
- Could you describe how cybersecurity factors into your areas of responsibility and perhaps share any significant experiences you have had?
- Are there specific divisions, teams, products, or services within your scope that are notably affected by cybersecurity issues? Could you provide some examples?
- Can you share instances where your role demanded a high degree of support from cybersecurity initiatives?
- Based on your interactions and feedback, how do you believe our clients perceive the importance of cybersecurity?
- Could you shed light on which customer segments you believe are particularly concerned about data confidentiality and why you think this is the case?
- Can you discuss which services’ reputations might suffer the most significant impact in the event of a data breach and why?
- Among the business objectives presented, which ones would you prioritize and why?
- Could you identify those objectives which, in your view, warrant significant support from our cybersecurity efforts?
- What risks do you foresee in pursuing these objectives, and how might they be mitigated?
- Can you envisage any business challenges where a well-executed cybersecurity strategy may offer solutions?
- Can you share your perspective on the significance of the presented market and technology trends?
- Which of the presented trends are most influential in shaping our business agenda over the next few years and why?
Questions for technology stakeholders
- Can you discuss the nuances of your technology leadership role that are pivotal to the organization’s success?
- Could you describe how cybersecurity interfaces with your primary responsibilities? How has this shaped your role?
- In what ways does your role rely on strong cybersecurity support? Can you share specific instances where this was particularly evident?
- Can you share your thoughts on which teams, platforms, or services present the most significant cybersecurity considerations and why?
- Can you share some of your insights into how your internal customers view the importance of cybersecurity? Have there been any notable shifts in this perception over time?
- Can you describe some critical touchpoints between your IT operating model and cybersecurity initiatives? How have these intersections evolved?
- Can you discuss the areas within your IT architecture that require the most cybersecurity support and explain why you believe this is the case?
- In the event of a cybersecurity breach, what impact do you foresee on your IT services? How have you prepared for such scenarios?
- Can you indicate which of the presented business objectives predominantly rely on your technological support? How do you navigate these dependencies?
- Among your technology objectives, which ones stand out as your key priorities and why?
- From your perspective, which objectives bear the most weight from a security standpoint?
- Could you share the more significant challenges you face when striving to achieve your technology objectives?
- Can you provide instances where cybersecurity might be key to overcoming specific technology challenges?
- Can you share your perspective on the significance of the presented market and technology trends?
- Which trends do you see as being most influential in shaping our business agenda over the next few years and why?
Questions for security and assurance stakeholders
- Could you elaborate on the key aspects that fall within your purview?
- Among these, are there specific areas that necessitate a higher degree of your attention? Could you elaborate on why that is so?
- Based on your interactions, how would you gauge the perception of cybersecurity among your internal clients?
- Could you share your perspective on the efficiency of the current security framework? Have there been any experiences or challenges that stood out for you?
- How would you assess the existing structure of your information security team in terms of its effectiveness and efficiency?
- Are there particular security services or solutions that command more of your attention or present more significant challenges? Which ones are indispensable for the delivery of your services?
- What do you envision as the primary security objectives for the coming year?
- Could you share the hurdles you have experienced or foresee in achieving these objectives?
- Can you share your viewpoint on the importance of the market and technology trends presented, particularly in relation to security?
- Which trends do you predict will significantly impact our security agenda in the coming years, and why?
Discuss cybersecurity matters
After discussing your stakeholders’ business roles, objectives, and challenges, it is time to link the business world with cybersecurity. Address the following topics, which will help clarify what needs protection, what threats pose a risk, and how to mitigate them:
Threat landscape. Discuss the most critical cyber threats that your cybersecurity strategy should address. These threats should align with the threat landscape you previously evaluated during the “1d. Review threat landscape” activity.
Stakeholder gains. Understand the key benefits your stakeholders expect from a successful cybersecurity strategy implementation. Gain insight into their perception of the value cybersecurity teams should deliver to the rest of the organization.
Stakeholder pains. Identify the challenges and deficiencies your stakeholders observe in the current cybersecurity capabilities. Pinpoint the shortcomings in the quality of cybersecurity services. Understand what aspects of the cybersecurity area make your stakeholders uncomfortable.
Questions for all stakeholders
- Could you share your viewpoint on the threats outlined in this review? Do any particular threats stand out to you and why?
- In your estimation, which of these threats could significantly impact your specific operational area?
- Could you outline your core expectations from an effective cybersecurity strategy?
- Can you describe your vision of an ideal state of cybersecurity within our organization?
- Could you highlight the cybersecurity capabilities that are most significant for your area and explain why?
- What elements, in your opinion, should be implemented to enable growth while ensuring a secure business environment?
- Could you elaborate on your perception of the security teams and the services they provide?
- Can you highlight some challenges you have encountered while dealing with cybersecurity topics?
- Are there any specific cybersecurity capabilities you believe are not meeting expected performance levels? If so, could you explain why?
- Which cybersecurity risks do you feel are not effectively managed to an acceptable level?
- Are there any cybersecurity capabilities you find particularly resource-intensive or costly to maintain? Could you elaborate on why that is so?
- Are there any cybersecurity capabilities that may impede business activities or innovation? If so, could you elaborate on why?
Discuss project matters
The perception of a project’s success depends not only on the final deliverables but also on the stakeholders’ experience throughout the project execution. To ensure that their needs are met, you should discuss the following:
Stakeholder expectations. Identify the critical requirements related to the project’s execution. You can document them in your Requirements collection bucket.
Project collaboration. Collect the information necessary to finalize your stakeholder analysis and confirm your initial assumptions. This could include gauging the stakeholder’s level of interest in the strategy development project, determining the project’s impact on the stakeholder, and understanding their level of involvement.
Our expectations. Towards the end of the conversation, outline your project-related needs to ensure an effective definition of the cybersecurity strategy.
Questions for all stakeholders
- What are your requirements related to project execution?
- What specific actions would lead to a successful definition and implementation of a cybersecurity strategy?
- Considering our organizational context, are there any potential pitfalls we should be aware of and plan to avoid?
- How frequently and through what means would you prefer to receive updates about the project? Are there specific topics you are particularly interested in?
- How much are you interested in the strategy development project and why?
- In what ways and to what extent do you foresee the cybersecurity strategy impacting you or your area?
- How would you prefer to be involved in the project’s activities?
- In which project-related decisions would you like to be engaged?
- Level of required cooperation
- Access to relevant people and information
- Required approvals
- Initial project resources
Summarize stakeholder interviews
You can find more information on how to process the information gathered during this meeting, combine it with previous research and finalize the initial steps of the Horizon analysis in the description of the “1f. Finalize context review” activity.
Outputs
References
Use the following links to deepen your knowledge about this topic.
- Barrow, B. (2016). Stakeholder management: 50 quick and easy ways to become brilliant at project stakeholder management. Thembi Publishing.
- Giangregorio, E. (2020). Practical project stakeholder management: Methods, tools, and templates for comprehensive stakeholder management. Aikaizen Ltd.
- Jucan, G. (2017). A pocket guide to stakeholders’ engagement. Organizational Performance Enablers Network.
- Osterwalder, A. (2014). Value proposition design. John Wiley & Sons.
- ISACA (2012). COBIT 5 Implementation.
- Information Security Forum (2014). Information Security Strategy: Transitioning from Alignment to Integration.
- ISO (2017). ISO/IEC 27003: Information technology – Security techniques – Information security management systems – Guidance.
- NIST (2018). Framework for Improving Critical Infrastructure Cybersecurity.