Cyber Strategy Management – 1C. Review external factors

Cybersecurity Strategy Management Framework

This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.

Purpose

You build a cybersecurity strategy to protect your organization’s digital assets and enable its growth. Different organizations have different structures, business models and IT environments. Reviewing the internal factors helps to adjust the strategy to the unique environment and the organization’s needs.

Objectives

Allow secure organizational changes
Identify sources of change for the organization and ensure that cyber security helps to respond to market trends, execute business strategy in line with the risk appetite and adopt emerging technologies.
Ensure compliance with regulations
Ensure that cyber security strategy helps to comply with existing and upcoming regulations relevant to information security.

Select key environment areas

When defining a business strategy, designers frequently start by mapping the business environment. Alexander Osterwalder describes this process well in his “Business Model Generation” book. He proposes mapping four areas for business strategy definition:

Market forces. They cover market issues, major market segments, market needs and demands, switching costs, and revenue attractiveness.

Industry forces. They concentrate on your company’s competition and include competitors, new entrants, substitute products and services, suppliers and stakeholders.

Key trends. They include technology trends, regulatory trends, societal, cultural, and socioeconomic trends.

Macroeconomic forces. They include global market conditions, capital markets, commodities, and economic infrastructure.

These areas affect your organization, and their understanding helps define the business strategy. But to define cybersecurity strategy, I found that the most value comes from the following key groups that cover essential items from the list above:

Market trends. Key market trends encompassing societal, cultural, and socioeconomic trends. Global market conditions.

Technology trends. They will influence your technology landscape in the future. The purpose of the cybersecurity strategy is to prepare the organization for the secure adoption of new technologies. Helping business leaders to achieve this objective presents cyber teams as proactive and cybersecurity as a business enabler.

Cybersecurity trends. Trends observed in the cybersecurity market help to identify modern approaches supported by actively developed technologies. The purpose is to outsmart cyber criminals, which cannot be achieved using outdated solutions.

Regulatory requirements. Key trends and existing regulations affecting cybersecurity. Noncompliance with laws leads to regulatory actions and financial losses because of legal proceedings and fines.

If you want to look at other factors essential to your business, include them. However, check whether they have a tangible impact on the cyber area.

Identify market trends

To examine market trends, start with what your firm already has. Companies complete such analysis as part of the design or update of the business strategy. If this data is not accessible, evaluate market reports and studies. Look at the following details:

Societal and cultural trends. Societal and cultural trends affecting your industry may have technological implications. For example, they influence how the clients use your company’s products or services. They may also affect the digital communication and distribution channels that require adequate cyber protection.

Socioeconomic trends. Socioeconomic trends cover demographics, your clients’ income, spending patterns and their way of living. They also affect how they perceive the importance of cybersecurity and data privacy.

Global market conditions. Overall market conditions influence the entire economy, including your clients and the financial health of your business. As a result, they may also affect the budget available for cybersecurity and your approach to cyber investments.

To identify the key market trends, you can use the following sources:

World Economic Forum. It is one of the richest information sources bringing insights into market trends and global issues. The World Economic Forum website and its digital membership give you access to reports, articles and podcasts on artificial intelligence, blockchain, cybersecurity, digital economy, workforce and employment, climate change, economy and many more. One of the most valuable tools on the website is the Strategic Intelligence tool. It presents interactive maps depicting relationships between almost 300 topics and links to articles describing recent developments.

EY Megatrends. The EY Megatrends report provides business leaders with observations on crucial topics they need to track to keep up with the competition. Its framework focuses on the following areas:

  • primary forces that are the source of disruption,
  • megatrends created by the interaction of primary forces,
  • future working worlds,
  • weak signals with potential impacts further in the future.

Forrester Predictions. Forrester issues annual Forrester Predictions reports tailored to North America, Europe, and Asia. They concentrate on market, industry and macroeconomic aspects. They provide observations on possible market disruptions and support many of them with statistics showing the probable impacts. They are accessible after registration.

Other reports. Many companies in the Financial Services Industry and consulting firms issue other studies on the market trends they observe. Additional Internet research with the “megatrends” keyword should yield multiple results.

However, the information sources mentioned above should be sufficient for this exploration. The more data you analyze, the more convoluted the overall picture becomes and the more time you require to complete your analysis.

For each identified trend, decide if it applies to your organization and the business landscape you analyzed in step “1b. Review internal factors”. If the trend is relevant, include it and try to weigh the level of its impact on cybersecurity strategy. You will use this information later to prioritize your security areas.

You can document each of the trends in the way proposed in the “6. Document external factors” section of this article.

Technology trends

Technology trends are linked to recent technological advancements. They may introduce new threats, but they may also help to improve your business or enable new business models. Eventually, your business stakeholders may want to adopt new technologies. Therefore, it is better to be prepared for them so that business leaders perceive cybersecurity as a business enabler and not a show-stopper.

To identify new technology trends, you may use many resources provided by research and consulting companies. I found the following sources most useful:

Gartner Top Strategic Technology Trends. Gartner Top Strategic Technology Trends report summarizes the strategic technology trends and describes their business value, use cases, technical profile, and critical recommended actions.

Deloitte Tech Trends. Deloitte Tech Trends report groups the trends into defined categories and shows their evolution in the previous years. The document characterizes the trends, way forward, implementation examples from selected companies, and cyber or risk perspectives.

Accenture Technology Vision. Accenture Technology Vision highlights key emerging trends that will shape the business for the next few years. They produce observations on each of the trends, what to expect, how to plan for their adoption and examples of efforts taken by companies to adopt fresh approaches.

World Economic Forum. World Economic Forum includes a section related to emerging technologies. In addition, many topics in their Strategic Intelligence tool also cover the most recent technology trends.

Web research. An additional Internet search will identify multiple websites, articles, videos and podcasts, providing predictions about emerging technologies.

For each identified trend, decide if it applies to your company and the technology landscape you evaluated in step “1b. Review internal factors”. If the trend is relevant, include it and try to determine the degree of its impact on cybersecurity strategy. You will use this information later to prioritize your security areas.

You can document each of the trends in the way proposed in the “6. Document external factors” section of this article.

Cybersecurity trends

The arms race exists in the cyber market as well. Cybercriminals use modern technologies to conduct new types of cyber attacks. However, solution vendors and organizations use emerging technologies and current approaches to improve their cyber defenses and stay ahead of cybercriminals.

To ensure that your cyber security strategy adopts a contemporary approach, identify the trends in the cyber market. The following resources can help you with this identification:

Gartner Planning Guide for Security. The guide issued annually outlines major information security trends for the coming year. The paper describes each trend, presents planning considerations and proposes related research to give you more details on a specific topic.

World Economic Forum. The World Economic Forum website covers an array of topics in its cybersecurity area. In addition, the Strategic Intelligence tool allows you to generate an advanced briefing that comprises the strategic landscape on cybersecurity, covering key challenges and directions. The organization also publishes other papers devoted to selected cybersecurity topics.

Other reports from Gartner and Forrester. These organizations publish various reports on selected cybersecurity issues. They include planning guides for chosen cyber domains, quadrants presenting the positioning of cybersecurity products, and other materials that offer observations on cyber trends.

Recognizing these trends will help you invest in solutions that support modern use cases and not rely on outdated approaches that can hinder the adoption of new technologies by the business.

As for other trends analyzed before, decide if they apply to your organization and assess their potential impact.

You can document each of the trends in the way proposed in the “6. Document external factors” section of this article.

Regulatory requirements

Review regulatory requirements

Disruptive technologies and a growing number of data breaches provoke governments to impose new regulations. This often happens in industries that deal with client data. Many of these regulations focus on information security controls.

To ensure that your strategy helps manage regulatory requirements, you must identify the existing ones and the ones on the horizon. However, this can be daunting, especially if your company operates in multiple jurisdictions.

The most workable approach at this stage is to define a simple list of existing and forthcoming regulations with their brief description. The focus should be on the most important ones that will keep your organization busy.

Please note that studying them in detail and listing individual controls is not the purpose of this activity. It would be time-consuming and too detailed for defining a cybersecurity strategy. Instead, dedicated compliance assessment projects are a better place for this task.

You can document each of the regulations in the way proposed in the “6. Document external factors” section of this article.

Document external factors

To document market, technology, cyber and regulatory trends, you can use a single table in a worksheet with the following columns:

Clear and short title of the objective.
Definition of the objective.
Business objective, technology objective or other classification.
The initial importance of the objective based on your understanding of the organizational pressures. You can adjust it after your discussions with key stakeholders.
Parent objective in case of cascaded goals. You can use this for technology objectives to refer to supported business objectives.
Initiatives supporting business objectives, if already available. This information will help you to identify specific programs or projects where your support can demonstrate the value of cyber security strategy. It will also help you to identify potential dependencies.
Common interests between objective and cybersecurity.

Please note that this document should be a synthesis of your analysis. It is better to come up with the top 10 strategic trends that are a short synthesis of data from multiple sources than tens of very similar trends or duplicates of trends from various sources.

| ID | Title | Description | Type | Cyber Implications | Sources | Priority |
|---|---|---|---|---|---|---|
| TR01 | Distributed enterprise | Customer journey becomes a blend of physical and digital experiences. Digital and remote business models improve client, employee and partner experiences. Metaverse enhances physical activities. | Market | Need to ensure similar standard of data privacy and data protection across multiple channels without heavy impact on customer experience. Need to improve remote working capabilities for efficient and secure collaboration. | Deloitte Tech Trends 2021, Gartner Top 10 Strategic Technology Trends 2023, Gartner Top Strategic Technology Trends 2022 | 4 - High |
| TR02 | Cloud adoption | Organizations are progressing with cloud adoption using multi-cloud offerings. Industry-specific cloud platforms are established. Server-less approaches and cloud-native platforms become more popular. | Technology | Ensure consistent security controls in multi-cloud environment. Need to improve DevSecOps capability in a server-less world. | Deloitte Tech Trends 2021, Gartner Top 10 Strategic Technology Trends 2023, Gartner Top 10 Strategic Technology Trends 2022 | 5 - Very High |
| TR03 | Artificial intelligence | Adaptive AI uses real-time feedback to retrain models and adapt to changing conditions. MLOps (AI Engineering) helps to scale machine learning. Next-generation data stores are required to support AI data modeling. | Technology | Prepare for secure implementation of next-generation data sources. Investigate application of DevSecOps to machine learning development. | Deloitte Tech Trends 2021, Gartner Top 10 Strategic Technology Trends 2023, Gartner Top 10 Strategic Technology Trends 2022 | 4 - High |
| TR04 | DevSecOps | Organizations use DevSecOps practices to integrate, automate and speed up security processes within the software development lifecycle. | Cyber | Include DevSecOps as part of the cyber strategy. | Deloitte Tech Trends 2019, Gartner Integrating Security into the DevSecOps Toolchain | 5 - Very High |
| TR05 | Zero Trust | Zero Trust architectures are implemented as a response to dissolution of a traditional security perimeter. Cybersecurity mesh is an extension of this architecture to integrate widely distributed security services. | Cyber | Include Cybersecurity Mesh as part of the security program. | Deloitte Tech Trends 2021, Gartner Top 10 Strategic Trends 2022 | 5 - Very High |
| TR06 | DORA | Digital Operational Resilience Act (DORA) defines requirements for financial sector regarding ICT risk management, incident reporting, digital operational resilience testing, cyber threat intelligence and third party risk management. | Regulation | Ensure that risk management, incident management, cyber resilience and third party security domains are adapted. | European Parliament | 5 - Very High |

Outputs

External factors
List of the market, technology, cyber and regulatory trends affecting your organization and cyber strategy, their impact and cyber implications.