Cyber Strategy Management – 1B. Review internal factors

Cybersecurity Strategy Management Framework

This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.

Purpose

You build a cybersecurity strategy to protect your organization’s digital assets and enable its growth. Different organizations have different structures, business models and IT environments. Reviewing the internal factors helps to adjust the strategy to the unique environment and the organization’s needs.

Objectives

Align strategy with business and technology landscape
Ensure that the cybersecurity strategy fits the business environment and technology landscape.
Support business objectives
Ensure that the cybersecurity strategy provides value to the business by helping to achieve business objectives and providing product or service differentiation.

Review business landscape

The general business environment will heavily impact your cybersecurity strategy and the implementation approach you can take.

Consider and review the following elements:

Organizational structure. Organizational structure determines responsibilities for information security and related areas, reporting lines, decision rights and escalation points. It can either support effective cyber strategy implementation or be the source of inefficiencies and conflicts of interest. The geographical coverage of your company will determine the complexity of factors impacting the strategy, especially the threat landscape and regulatory requirements.

Business model. A business model depicts the purpose of your organization. It demonstrates the way your company fulfills the expectations of your clients. Take some time to understand key customer segments, value propositions, channels, customer relationships, revenue streams, essential resources, key activities, key partnerships and cost structure. Depending on the complexity of your organization, multiple business models can be in place.

Principles, policies and frameworks. A thorough inventory of all organizational policies is not necessary. However, consider the fundamental frameworks your organization uses for governance and management that might impact cybersecurity. Integration of cybersecurity with other frameworks will help achieve synergies and avoid excessive administrative overhead.

Culture and values. Numerous change initiatives fail because they do not consider the human factor. Leading by example is one of the change management levers. Shaping cyber security culture is one of the most crucial success factors in a threat landscape where most cyber attacks start with social engineering. Reach out to HR or use your experience to judge the organizational culture, management style and ways of working.

As a result of this activity, you should have a summary of the business landscape with the following items or links to existing documentation that will help to proceed with the subsequent actions in the strategy development process:

  • Organizational chart
  • The business model or business models
  • List of governance and management frameworks
  • Summary of organizational culture

Review business strategy

An effective cybersecurity strategy needs to support business objectives. It is easier to secure the budget for a cyber program that is aligned with the business direction, and easier to find the motivation among key stakeholders to implement it.

The “Global Security Outlook 2023”, published by the World Economic Forum and Accenture, indicates that 51% of business leaders treat cybersecurity as a vital business enabler and 10% of them suggest that it helps to achieve product and service differentiation.

Identify strategic objectives. Review available materials, including websites, presentations and documents or reach out to selected stakeholders to identify strategic objectives.

Assess objective priority. Try to assess the priority of each objective based on your assessment of the organizational pressures. You can later adjust it after your interviews with key stakeholders. This information will help you to prioritize cyber security objectives.

Identify supporting initiatives. If possible, identify critical initiatives supporting business objectives at this stage. This information will help you to identify specific programs or projects where your support can demonstrate the value of cyber security strategy. It will also help you to identify potential dependencies.

Identify common interests. Identify and document common interests between each of the objectives and cybersecurity. The more common interests you have, the more support you can expect from your stakeholders after effectively communicating it to them.

To structure the information collected at this stage, you can use the approach proposed in the “5. Document strategic objectives” section of this article.

Review technology environment

Cyber security helps to protect digital assets. The approach to this protection depends on how these assets are developed, deployed and maintained to provide technology services in your organization.

Obtain at least a high-level understanding of the following topics:

IT operating model. The IT operating model defines how a technology organization delivers its services to the rest of the company to meet stakeholder requirements. In most cases, it includes the governance model, organizational structure, list of IT services, supporting processes and IT sourcing model.

IT architecture. IT architecture will impact security architecture, including required controls, solutions and processes. It should help you to understand the scope of supported business processes, critical systems, types of infrastructure components and technologies used.

Understanding these elements is crucial for leading initial conversations with key stakeholders, assessing technology trends important for your organization and reviewing the threat landscape.

As with the business landscape, a short technology landscape summary covering the following items will help you with future activities:

  • IT architecture summary
  • IT organizational structure
  • IT service catalog

Please note that the purpose is to focus on cybersecurity strategy and not on documenting different aspects of the organization. Where possible, point to existing documentation that you can refer back to during subsequent activities.

Review technology strategy

As in the case of business strategy, it is essential to ensure that cybersecurity supports IT strategy and that you can map cyber objectives to relevant technology goals.

Based on available materials or conversations with selected stakeholders, identify and document strategic technology objectives, their priority, common interests and supporting initiatives.

You can use the format proposed in the “5. Document strategic objectives” section of this article.

Document strategic objectives

You can use the structure below to document strategic business and technology objectives. In most cases, I used a single table in a spreadsheet to define business, technology and security objectives and make references between them.

  • Title. Clear and short title of the objective.
  • Description. Definition of the objective.
  • Type. Business objective, technology objective or other classification.
  • Priority. The initial importance of the objective based on your understanding of the organizational pressures. You can adjust it after your discussions with key stakeholders.
  • Parent objective. Parent objective in case of cascaded goals. You can use this for technology objectives to refer to the supported business objectives.
  • Supporting initiatives. Initiatives supporting business objectives, if already available. This information will help you to identify specific programs or projects where your support can demonstrate the value of the cybersecurity strategy. It will also help you to identify potential dependencies.
  • Common interests. Common interests between the objective and cybersecurity.

You can use this inventory later to map your cybersecurity objectives to business objectives. This information will also be helpful when prioritizing cybersecurity domains.

Example of the objectives inventory:

| ID | Title | Description | Type | Common Interests | Priority |
|---|---|---|---|---|---|
| OB01 | Increase customer base | Increase customer base by enhancing our software features and by improving user experience in mobile applications | Business | Ensure secure software development, Protect customer data, Protect supporting infrastructure | 5 - Very High |
| OB02 | Simplify the organization | Simplify our business by focusing on key markets and reducing engagement in less profitable business areas | Business | Support divestment and secure disposal of assets, Protect customer data, Protect confidential information, Protect against insider threats | 4 - High |
| OB03 | Reduce operating costs | Reduce operating costs by simplifying our business processes, enhancing process automation and reducing infrastructure maintenance costs | Business | Automate security operations | 4 - High |
| OB04 | Agile software development | Implement agile software development methodology to shorten the time-to-market of new platform features and mobile apps for clients | Technology | Ensure secure software development | 4 - High |
| OB05 | Multicloud adoption | Adapt services across multiple cloud offerings to reduce infrastructure maintenance costs and allow developers to use enhanced capabilities | Technology | Protect infrastructure, Enable secure cloud adoption, Manage third party risks, Protect customer data, Protect confidential information | 4 - High |
| OB06 | Remote working | Increase employee productivity and satisfaction by implementing secure remote working capability and tools for efficient collaboration | Technology | Protect customer data, Protect confidential information, Protect infrastructure | 3 - Medium |
| OB07 | Single Sign On | Finalize Single Sign On implementation for all our backoffice applications to simplify access management and improve user experience | Technology | Improve access management | 3 - Medium |
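The inventory is most useful once you turn it into a ranking: which common interests are backed by the most, and the most important, business and technology objectives. As an added example (not part of the original article or the framework), the Python script below loads the example inventory above, parses the comma-separated "Common Interests" cell the way it would be exported from a spreadsheet, weights each interest by the numeric part of the objective's priority, and ranks the result. The priority scale and the list of objectives are constructed from the table; the function and variable names are this example's own.

```python
"""Rank cybersecurity common interests by the priority of the objectives backing them.

Added example: the inventory below is transcribed from the objectives table in the
article; the weighting scheme (numeric prefix of the priority label) is an assumption.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample inventory, one row per objective, as a spreadsheet export would look.
OBJECTIVES: List[Dict[str, str]] = [
    {"id": "OB01", "title": "Increase customer base", "type": "Business",
     "common_interests": "Ensure secure software development, Protect customer data, "
                         "Protect supporting infrastructure",
     "priority": "5 - Very High"},
    {"id": "OB02", "title": "Simplify the organization", "type": "Business",
     "common_interests": "Support divestment and secure disposal of assets, Protect customer data, "
                         "Protect confidential information, Protect against insider threats",
     "priority": "4 - High"},
    {"id": "OB03", "title": "Reduce operating costs", "type": "Business",
     "common_interests": "Automate security operations", "priority": "4 - High"},
    {"id": "OB04", "title": "Agile software development", "type": "Technology",
     "common_interests": "Ensure secure software development", "priority": "4 - High"},
    {"id": "OB05", "title": "Multicloud adoption", "type": "Technology",
     "common_interests": "Protect infrastructure, Enable secure cloud adoption, Manage third party risks, "
                         "Protect customer data, Protect confidential information",
     "priority": "4 - High"},
    {"id": "OB06", "title": "Remote working", "type": "Technology",
     "common_interests": "Protect customer data, Protect confidential information, Protect infrastructure",
     "priority": "3 - Medium"},
    {"id": "OB07", "title": "Single Sign On", "type": "Technology",
     "common_interests": "Improve access management", "priority": "3 - Medium"},
]


def priority_weight(label: str) -> int:
    """Map a label such as '4 - High' to its numeric prefix (assumed 1..5 scale)."""
    weight = int(label.split("-", 1)[0].strip())
    if not 1 <= weight <= 5:
        raise ValueError(f"priority out of range: {label!r}")
    return weight


def parse_common_interests(cell: str) -> List[str]:
    """Split the comma-separated spreadsheet cell into individual interests."""
    return [part.strip() for part in cell.split(",") if part.strip()]


def rank_common_interests(objectives: List[Dict[str, str]]) -> List[Tuple[str, int, List[str]]]:
    """Return (interest, weighted score, supporting objective IDs), highest score first.

    Ties are broken alphabetically so the ranking is stable across runs.
    """
    scores: Dict[str, int] = defaultdict(int)
    supporters: Dict[str, List[str]] = defaultdict(list)
    for obj in objectives:
        weight = priority_weight(obj["priority"])
        for interest in parse_common_interests(obj["common_interests"]):
            scores[interest] += weight
            supporters[interest].append(obj["id"])
    return sorted(
        ((name, scores[name], supporters[name]) for name in scores),
        key=lambda row: (-row[1], row[0]),
    )


def objectives_for(interest: str, objectives: List[Dict[str, str]]) -> List[str]:
    """List the IDs of objectives that share a given common interest (used for traceability)."""
    return [o["id"] for o in objectives if interest in parse_common_interests(o["common_interests"])]


if __name__ == "__main__":
    for interest, score, ids in rank_common_interests(OBJECTIVES):
        print(f"{score:2d}  {interest:45s}  {', '.join(ids)}")
```

Running it puts "Protect customer data" first (backed by four objectives, score 16), which is a concrete argument for where the cybersecurity strategy earns its budget. The output also exposes a data-quality issue worth fixing in the spreadsheet: "Protect infrastructure" and "Protect supporting infrastructure" are counted as separate interests, so agree on a controlled vocabulary for the common-interest column before using the ranking to prioritize cybersecurity domains.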

Outputs

Business landscape
Summary of the business environment in which the company operates and its business model, including customer segments, products and services, sales, distribution and communication channels.
Technology landscape
Summary of IT operating model, IT architecture, an overview of key technologies used by the company and critical infrastructure components.
Business and technology objectives
List of business and technology objectives, their prioritization, supporting initiatives and definition of common interests.