Cyber Strategy Management – 1B. Review internal factors

Cybersecurity Strategy Management Framework

This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.


You build a cybersecurity strategy to protect your organization’s digital assets and enable its growth. Different organizations have different structures, business models and IT environments. Reviewing the internal factors helps to adjust the strategy to the unique environment and the organization’s needs.


Align strategy with business and technology landscape
Ensure that the cybersecurity strategy fits the business environment and technology landscape.
Support business objectives
Assure that cybersecurity strategy provides value to the business by helping to achieve business objectives and provide product or service differentiation.

Review business landscape

The general business environment will heavily impact your cybersecurity strategy and implementation approach you can take.

Consider and review the following elements:

Organizational structure. Organizational structure determines responsibilities for information security and related areas, reporting lines, decision rights and escalation points. It can either support effective cyber strategy implementation or be the source of inefficiencies and conflicts of interest. The geographical coverage of your company will determine the complexity of factors impacting the strategy, especially the threat landscape and regulatory requirements.

Business model. A business model depicts the purpose of your organization. It demonstrates the way your company fulfills the expectations of your clients. Take some time to understand key customer segments, value propositions, channels, customer relationships, revenue streams, essential resources, key activities, key partnerships and cost structure. Depending on the complexity of your organization, multiple business models can be in place.

Principles, policies and frameworks. A thorough inventory of all organizational policies is not necessary. However, consider the fundamental frameworks your organization uses for governance and management that might impact cybersecurity. Integration of cybersecurity with other frameworks will help achieve synergies and avoid excessive administrative overhead.

Culture and values. Numerous change initiatives fail because they do not consider the human factor. Leading by example is one of the change management levers. Shaping cyber security culture is one of the most crucial success factors in a threat landscape where most cyber attacks start with social engineering. Reach out to HR or use your experience to judge the organizational culture, management style and ways of working.

As a result of this activity, you should have a summary of the business landscape with the following items or links to existing documentation that will help to proceed with the subsequent actions in the strategy development process:

  • Organizational chart
  • The business model or business models
  • List of governance and management frameworks
  • Summary of organizational culture

Review business strategy

Effective cybersecurity strategy needs to support business objectives. It is easier to secure the budget for a cyber program aligned with business direction and find the motivation among key stakeholders to implement it.

“Global Security Outlook 2023” published by World Economic Forum and Accenture, indicates that 51% of business leaders treat cybersecurity as a vital business enabler and 10% of them suggest that it helps to achieve product and service differentiation.

Identify strategic objectives. Review available materials, including websites, presentations and documents or reach out to selected stakeholders to identify strategic objectives.

Assess objective priority. Try to assess the priority of each objective based on your assessment of the organizational pressures. You can later adjust it after your interviews with key stakeholders. This information will help you to prioritize cyber security objectives.

Identify supporting initiatives. If possible, identify critical initiatives supporting business objectives at this stage. This information will help you to identify specific programs or projects where your support can demonstrate the value of cyber security strategy. It will also help you to identify potential dependencies.

Identify common interests. Identify and document common interests between each of the objectives and cybersecurity. The more common interests you have, the more support you can expect from your stakeholders after effectively communicating it to them.

To structure the information collected at this stage, you can use the approach proposed in the “5. Document strategic objectives” section of this article.

Review technology environment

Cyber security helps to protect digital assets. The approach to this protection depends on how these assets are developed, deployed and maintained to provide technology services in your organization.

Obtain at least a high-level understanding of the following topics:

IT operating model. IT operating model defines how a technology organization delivers its services to the rest of the company to meet stakeholder requirements. In most cases, it includes the governance model, organizational structure, list of IT services, supporting processes and IT sourcing model.

IT architecture. IT architecture will impact security architecture, including required controls, solutions and processes. It should help you to understand the scope of supported business processes, critical systems, types of infrastructure components and technologies used.

Understanding these elements is crucial for leading initial conversations with key stakeholders, assessing technology trends important for your organization and reviewing the threat landscape.

As for the business landscape, a short technology landscape summary covering the following items will help you with future activities:

  • IT architecture summary
  • IT organizational structure
  • IT service catalog

Please note that the purpose is to focus on cybersecurity strategy and not on documenting different aspects of the organization. Try to refer to existing documentation to which you can refer during subsequent activities.

Review technology strategy

As in the case of business strategy, it is essential to ensure that cybersecurity supports IT strategy and that you can map cyber objectives to relevant technology goals.

Based on available materials or conversations with selected stakeholders, identify and document strategic technology objectives, their priority, common interests and supporting initiatives.

You can use the format proposed in the “5. Document strategic objectives” section of this article.

Document strategic objectives

You can use the structure below to document strategic business and technology objectives. In most cases, I used a single table in a spreadsheet to define business, technology and security objectives and make references between them.

Clear and short title of the objective.
Definition of the objective.
Business objective, technology objective or other classification.
The initial importance of the objective based on your understanding of the organizational pressures. You can adjust it after your discussions with key stakeholders.
Parent objective in case of cascaded goals. You can use this for technology objectives to refer to supported business objectives.
Initiatives supporting business objectives, if already available. This information will help you to identify specific programs or projects where your support can demonstrate the value of cyber security strategy. It will also help you to identify potential dependencies.
Common interests between objective and cybersecurity.

You can use this inventory later to map your cybersecurity objectives to business objectives. This information will also be helpful when prioritizing cybersecurity domains.

IDTitleDescriptionTypeCommon InterestsPriority
OB01Increase customer baseIncrease customer base by enhancing our software features and by improving user experience in mobile applicationsBusinessEnsure secure software development, Protect customer data, Protect supporting infrastructure5 - Very High
OB02Simplify the organizationSimplify our business by focusing on key markets and reducing engagement in less profitable business areasBusinessSupport divestment and secure disposal of assets, Protect customer data, Protect confidential information, Protect against insider threats4 - High
OB03Reduce operating costsReduce operating costs by simplifying our business processes, enhancing process automation and reducing infrastructure maintenance costsBusinessAutomate security operations4 - High
OB04Agile software developmentImplement agile software development methodology to shorten the time-to-market of new platform features and mobile apps for clientsTechnologyEnsure secure software development4 - High
OB05Multicloud adoptionAdapt services across multiple cloud offerings to reduce infrastructure maintenance costs and allow developers to use enhanced capabilitiesTechnologyProtect infrastructure, Enable secure cloud adoption, Manage third party risks, Protect customer data, Protect confidential information4 - High
OB06Remote workingIncrease employee productivity and satisfaction by implementing secure remote working capability and tools for efficient collaborationTechnologyProtect customer data, Protect confidential information, Protect infrastructure3 - Medium
OB07Single Sign OnFinalize Single Sign On implementation for all our backoffice applications to simplify access management and improve user experienceTechnologyImprove access management3 - Medium


Business landscape
Summary of the business environment in which the company operates and its business model, including customer segments, products and services, sales, distribution and communication channels.
Technology landscape
Summary of IT operating model, IT architecture, an overview of key technologies used by the company and critical infrastructure components.
Business and technology objectives
List of business and technology objectives, their prioritization, supporting initiatives and definition of common interests.
Cybersecurity Strategy Management Framework

This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.