Cybersecurity Strategy Management Framework
This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.
Purpose
The primary goal of this activity is to assimilate stakeholder input and address their needs and expectations to ensure efficient project implementation and strategy acceptance.
Objectives
Inputs
Activities
Prepare collection buckets
Over the course of your meetings with key stakeholders, you have captured significant notes related to the agenda items discussed. These notes typically fall into four categories, aligning with your meeting agenda:
Stakeholder feedback. This category encompasses comments and insights about the materials you prepared, including your understanding of the business and technology landscape, objectives, threat landscape, and other presentation elements.
Stakeholder pains. This category refers to the obstacles or issues your stakeholders confront while executing their jobs, trying to achieve their objectives, or dealing with cybersecurity topics.
Stakeholder gains. These are the positive outcomes your stakeholders expect from their roles, the accomplishment of their objectives, and the successful execution of the cybersecurity strategy development project. Gains can be tangible, such as cost savings, or intangible, like an enhanced customer experience or improved security posture.
Project requirements. These are the conditions that the cybersecurity strategy, or the capabilities developed or enhanced due to its execution, must satisfy.
You can use the following structures to organize the note collection categories defined above. Note that not all of the proposed fields can be completed from your meeting notes alone; however, they may prove useful when expanding on specific items or tracking them over time.
Stakeholder feedback
Feedback on the materials you have presented does not require a specific, long-term tracking structure. You can summarize this feedback using simple bullet points when sending meeting summaries and incorporate it into the deliverables you have presented.
Stakeholder pains
Stakeholder gains
Project requirements
Integrate stakeholder feedback
In your activities “1b. Review internal factors” and “1c. Review external factors,” you outlined the internal and external factors that affect cybersecurity. You presented these factors during your meetings with key stakeholders, conducted as part of the “1e. Interview key stakeholders” activity.
Now is the time to process and incorporate the feedback collected during these discussions:
Refine business landscape. Review and update your understanding of the business landscape. This understanding includes the organizational structure, business model, governance and management frameworks, and a summary of the organizational culture.
Refine technology landscape. Use a similar approach to update your summary of the technology landscape. This summary should cover IT architecture, IT organizational structure, and IT operating model.
Revise business and technology objectives. Reflect on the feedback you received about the list of business and technology objectives. Reevaluate their priorities and common interests based on your discussions’ outcomes. Aim to align these common interests closely with the challenges and benefits that stakeholders identified.
Incorporating stakeholder feedback assists in addressing their needs and expectations. This process builds a sense of project ownership and assures the acceptance of the final product.
Review stakeholder gains
As part of the “1e. Interview key stakeholders” activity, you have had valuable discussions with key stakeholders regarding the benefits they expect in the following areas:
Role. These benefits pertain to the outcomes your key stakeholders expect from their roles. Understanding these expectations will prove beneficial for future stakeholder management activities and ensuring stakeholder support.
Objectives. These are the benefits stakeholders expect from achieving organizational business or technology objectives. If these benefits are already encapsulated within these objectives, there is no need for additional documentation. However, if there are specific benefits not clearly articulated as part of these objectives, include them in your Gains collection bucket. This information will also help in future stakeholder management activities and garnering stakeholder support.
Cybersecurity. These represent key benefits your stakeholders expect from the successful implementation of the cybersecurity strategy. Including these in your Gains collection bucket will be useful when crafting your collaboration and communication plans related to the cybersecurity strategy project.
To effectively process your meeting notes concerning stakeholder gains, consider these steps:
Identify stakeholder gains. Review your meeting notes to identify critical benefits mentioned by your stakeholders. Try to understand why each benefit might be essential for them. Often, you might uncover underlying motivations beyond those openly expressed.
Allocate stakeholders. Assign all stakeholders who mentioned a specific expected benefit. The more stakeholders interested in a particular benefit, the higher its priority.
Determine priority. Prioritize each benefit. Gauge priority by examining how many stakeholders will directly or indirectly gain from a particular benefit based on your discussions. Another method is analyzing how many business or technology objectives might reference this benefit. Then, you can use a pre-agreed qualitative rating scale (e.g., 1 – Very Low, 2 – Low, 3 – Medium, 4 – High, 5 – Very High) to rate the priority.
Select a measurement metric. Choose a metric to measure the realization of each benefit during project execution. It is better to have a single metric related to a specific benefit or even try to find a metric that can track the achievement of a group of similar benefits. The more metrics you have, the more complex it is to manage them, and administrative overhead can unnecessarily grow. The best metrics are PRAGMATIC, as described by W. Krag Brotby and Gary Hinson in their book “PRAGMATIC Security Metrics: Applying Metametrics to Information Security.” These metrics are Predictive, Relevant, Actionable, Genuine, Meaningful, Accurate, Timely, Independent, and Cheap.
Review baseline metric value. Evaluate the current metric value before the project commences. This value will help you track progress during the project execution and communicate achievements to maintain stakeholder interest in the project and articulate its value for the organization.
Establish target metric value. If feasible at this stage, you can try to define the target value for metrics. However, in some cases, it may be better to wait until you complete an assessment of the current state of cybersecurity capabilities. Your approach depends on your organizational culture and management style. Some strategists prefer to establish inspiring targets to keep teams motivated, while others opt to underpromise and overdeliver.
| Title | Description | Stakeholders | Priority | Metric |
|---|---|---|---|---|
| GA001 Regulatory compliance | Ensure compliance with new data privacy laws that must be implemented by the end of next year. | CIO, CTO | 5 - Very High | Information security compliance management maturity; Status of compliance with externally imposed information security obligations; Historic consequences of non-compliance |
| GA002 Secure cloud adoption | Implement a comprehensive framework supported by the required teams, processes and tools to allow secure cloud adoption, with a focus on protection of customer data and availability of our services. | CEO, CIO, CTO | 4 - High | Cloud security maturity |
| GA003 Secure software development | Allow secure implementation of an agile software development approach to ensure that speed to market is increased, but not at the cost of software security. | CIO, CTO | 4 - High | Software security maturity; Number of unresolved vulnerabilities |
| GA004 Lean security | Reduce the cost of security by removing obsolete and duplicate controls, simplifying the technologies used by security teams and simplifying security processes that hinder employee productivity. | COO, CTO, CFO | 3 - Medium | Information security budget variance; Percentage of controls that are ossified or redundant; Annual cost of information security controls; Information security expenditure |
Review stakeholder pains
During your stakeholder meetings, you have asked your stakeholders about their pains – the issues, problems, or challenges they are facing. These could fall into the following categories:
Role. These are the challenges your stakeholders face in their roles when conducting their daily responsibilities, which are part of their job description. You discussed them as the “2A – Your role” point in your meeting agenda.
Objectives. These are obstacles or risks that stakeholders need to address to achieve their business or technology goals, as discussed under the “2E – Objectives” agenda item.
Cybersecurity. These are the significant challenges or problems your stakeholders perceive in the cybersecurity area, discussed under the “3B – Benefits and Challenges” agenda item. Please note, this initial list of challenges will be expanded during the “3b. Conduct maturity assessment” activity.
To document them in an organized fashion, you can process your meeting notes related to stakeholder Pains in the following way:
Identify stakeholder pains. Review the notes gathered in your Pains collection bucket. Aim to understand the root causes of these issues, challenges, or problems. Addressing these root causes could yield more beneficial outcomes than dealing with their effects alone.
Define pain type. Categorize pains into different types like policy, process, technology, cost, resource, skills, quality, communication, stakeholder, regulatory, service. This categorization can help you identify the majority of the work required in strategy development.
Assign stakeholders. Link the stakeholders who have mentioned specific challenges that affect them. The more stakeholders a particular challenge impacts, the more likely you are to secure support when your strategy proposes viable solutions to these problems.
Describe the impact. Illustrate the effect each challenge has on your key stakeholders. Categorizing the severity of these impacts can help to define the priority of the pain.
Assess impact rating (optional). If you wish, you can rate the impact based on your stakeholder discussions using a qualitative scale, like:
Assess issue frequency (optional). This step involves assessing the frequency of the issue based on discussions with your key stakeholders. You can use a qualitative rating scale such as 1 – Very Low, 2 – Low, 3 – Medium, 4 – High, 5 – Very High. We presented a similar scale in our approach to reviewing the threat landscape, as documented in the “1d. Review threat landscape” activity under the “7. Estimate the inherent likelihood” section. Ideally, this scale should denote the timeframe in which you assess the frequency to ensure comparable results.
Define priority. The previously outlined steps, “Assess impact rating” and “Assess issue frequency,” are optional. There may be occasions when these steps are excessive. However, if you have undertaken these assessments, you can use them to determine the priority of the stakeholder pain. You can employ a similar rating scale as the one used in the “8. Calculate inherent risk” section of the “1d. Review threat landscape” activity. If not, you can attempt to determine the issue priority based on the impacts identified by your stakeholders and the number of stakeholders impacted by the issue. For prioritization, you may use a simple qualitative rating scale like 1 – Very Low, 2 – Low, 3 – Medium, 4 – High, and 5 – Very High.
| Title | Description | Stakeholders | Impact Description | Priority |
|---|---|---|---|---|
| PA001 Outdated infrastructure | Our hosting infrastructure is outdated, with 25% of applications relying on unsupported legacy software. | CTO, CIO, CISO | In 2022, 60% of incidents with an impact classified as High or Very High were caused by exploiting known vulnerabilities in legacy systems. | 5 - Very High |
| PA002 Data leakage issues | We lack efficient tools to identify, classify, and control the storage and transfer of unstructured confidential data. | CISO | Last year, we experienced three incidents related to data leakage via web and email channels, leading to regulatory actions. | 5 - Very High |
| PA003 Outdated cybersecurity strategy | Our existing cybersecurity strategy does not support new use cases, including cloud adoption, machine learning, and agile software development. | CEO, CTO, CIO, CISO | The lack of secure approaches to new technologies hinders their implementation and may affect our competitive advantage. | 4 - High |
| PA004 Inefficient software testing | Our current approach to security testing is inefficient. It relies primarily on penetration testing and does not support agile software development methodologies. | CTO, CIO, Product Owner | The cost of penetration testing doubled last year. Coding mistakes are detected too late, thereby increasing remediation costs. Our existing security approach hampers software development. | 3 - Medium |
| PA005 Inefficient access management | We use too many access management solutions. The onboarding process for new employees is time-consuming, and they often do not have all the necessary access permissions on their first day of work. The review process for user entitlements is overly complex, causing line managers to spend excessive time or simply approve access without adequate consideration. | COO, CTO | Delays and mistakes during the employee onboarding process lead to decreased productivity. There is too much administrative overhead for line managers. Unremediated excessive user permissions increase the risk of fraud or insider threats. | 3 - Medium |
Document project requirements
The success of a cybersecurity strategy in any organization significantly depends on the active involvement and buy-in from its stakeholders. These stakeholders bring their perspectives on cyber topics and a set of requirements to the table. Addressing these requirements is a crucial step in defining an effective cybersecurity strategy for the following reasons:
Utilize lessons learned. Stakeholder requirements can provide valuable insights that guide the direction of strategy implementation. Their diverse experiences and expertise can offer a well-rounded understanding of critical factors required for successful strategy implementation within your organizational context.
Ensure buy-in. Addressing stakeholder requirements fosters engagement and secures buy-in. When stakeholders see their needs and concerns being considered, they are more likely to support the project. This support can manifest in various ways, from championing the strategy within the organization to providing resources or helping overcome obstacles.
Manage expectations. Taking stakeholder requirements into account helps manage risks and expectations. By understanding stakeholders’ expectations, you can align them with project realities, reducing the risk of future disappointment or conflict. Additionally, being aware of stakeholder requirements can help you foresee potential challenges or opposition, enabling proactive risk management.
To leverage these benefits, review the requirements discussed during the “4A – Your expectations” agenda item in the “1e. Interview key stakeholders” activity:
Process your meeting notes. Process the notes you collected in your Requirements bucket. Also, consider other points you noted to elicit statements that could be reflected as project requirements. Note any requirements related to project execution and specific security capabilities mentioned by your stakeholders. However, detailed requirements related to specific capabilities will be collected later in the strategy development process.
Keep track of stakeholders. Maintain a record of who requested specific requirements. This information will be valuable for prioritizing your requirements and communicating the progress of these requirements to relevant individuals.
Prioritize the requirements. Addressing all requirements may be challenging due to limited project resources. Additionally, stakeholders may have varying views on the importance of different requirements. Therefore, it is essential to prioritize these requirements. During prioritization, consider stakeholder power and interest levels and the overall alignment with the objectives you previously identified. A popular approach is to categorize the requirements as Must Have, Should Have, Could Have, and Will Not Have. This categorization delineates non-negotiable, desirable, and optional requirements.
Track the status of requirements. Keeping track of different project requirements allows you to monitor progress toward fulfilling each requirement, adjust the allocation of project resources, identify potential bottlenecks, and provide updates on project progress. This also promotes accountability and transparency concerning project-related decisions. To keep track of your requirements, assign a simple status to each of them, e.g., New, In Review, Approved, In Progress, Completed, Rejected, or Cancelled.
| Title | Description | Stakeholders | Priority | Status |
|---|---|---|---|---|
| PRQ001 Alignment with organizational objectives | Cybersecurity strategy objectives must be aligned with, and support achieving, business and technology objectives. | CEO, COO, CTO, CIO | 1 - Must Have | Approved |
| PRQ002 Cost-saving opportunities | The strategy development process must include a review of current capabilities to identify cost-saving opportunities in line with agreed budget targets. | CEO, COO, CFO | 1 - Must Have | Approved |
| PRQ003 Review existing programs | The strategy development process must include reviewing existing cyber programs to avoid duplication of efforts and ensure cost synergies. | CSO, CISO | 1 - Must Have | Approved |
Update stakeholder characteristics
During your discussions with key stakeholders, you may need to revise your initial assumptions about stakeholder characteristics or identify new ones. Therefore, at this stage, you should finalize your stakeholder analysis based on your interviews. For some of the items specified below, you may have clear answers from your discussions with key stakeholders. For other stakeholder categories, you can make initial assumptions. Even when you assess some of the items below based on stakeholder feedback, you need to balance what you were told during the meetings with your own judgement of your stakeholders.
Add new stakeholders. Include any new stakeholders identified during the interviews to ensure that your list is as comprehensive as possible.
Classify new stakeholders. Determine the interest and power of new stakeholders as described in the activity “1a. Identify and classify stakeholders”. Classify them according to the matrix presented in that article.
Understand stakeholder relationships. If time permits, try to identify stakeholder relationships to understand their networks and who may be influenced by whom. Stakeholders with larger networks may have a greater stakeholder impact rating than is implied by their formal job title and position within the organizational structure.
Review stakeholder characteristics. Review your initial assumptions about stakeholder impact, interest, and classification based on the results of your stakeholder interviews. Update your stakeholder inventory as necessary. Interview additional stakeholders if they have become key players and their input could impact the success of the cybersecurity strategy development project.
Assess strategy impact on stakeholders. Assess the potential impact of a new cybersecurity strategy on your stakeholders. This is an optional activity at this stage, considering you will understand the real impact on specific stakeholders after defining strategic objectives for cybersecurity and a list of supporting initiatives. However, a rough estimate at this stage may help you define better collaboration and communication plans. You can measure this impact using a qualitative scale (e.g. Low, Medium, and High) or a quantitative approach using a scale of 1 to 10.
Assess level of involvement. Evaluate the degree to which your key stakeholders would like to be involved in the project, based on your conversations with them. This will influence the definition of your collaboration and communication plans. If their interest in the project is high and they have available time, their level of involvement will usually be high. At other times, they may appoint delegates who should be included in your collaboration and communication plans to prevent surprises for your key stakeholders.
Update stakeholder inventory. The results of all the activities defined above should be documented in your stakeholder inventory. Below, you can see an example of a completed stakeholder inventory at this stage, which will be helpful when defining collaboration and communication plans. By now, your stakeholder inventory should contain the following information:
Send meeting summaries
As part of the activity “1e. Interview key stakeholders”, you have held numerous meetings with key stakeholders to understand their value drivers and expectations about cybersecurity. These meetings provided a platform for stakeholders to offer their feedback on your research related to the business context, elaborate on expected benefits, express the challenges they encounter and articulate their requirements for the cybersecurity strategy development project.
A fundamental step following these meetings is to summarize their outcomes. Precise, succinct, and actionable meeting summaries aid in maintaining alignment and momentum throughout the strategy development project.
Your meeting summaries can include the following elements:
Key insights. Summarize the key points of discussion for each agenda item. Focus on critical facts and statements from your stakeholders. Highlight any substantial insights or discoveries from the meeting. These might include challenges or benefits that stakeholders identified, new requirements, or valuable feedback.
Actions. Compile a list of actions that need addressing. This list could include areas that need more research, disagreements that need resolution, or tasks that await completion. Clearly assign each action to its owner and provide expected completion dates. Presenting this section in a tabular format can be beneficial, as it offers an easy reference for those with assigned tasks.
Decisions. Spotlight the decisions made during the meeting. Articulate these decisions clearly and leave no room for misinterpretation. Be specific about what was decided. Include a sentence explaining the reasoning behind each decision to help communicate the context to those who were not initially part of the discussion.
Next steps. Wrap up the summary with a brief outline of the next steps. This outline should include any upcoming meetings or deadlines. It helps keep everyone on track and aligns with the project’s timeline.
Remember to keep your language clear and straightforward. Distribute the summary promptly, while the meeting is still fresh in the participants’ minds.
Lastly, encourage recipients to review the summary and provide any necessary corrections or additions to ensure that shared information is correct.
Outputs
References
Use the following links to deepen your knowledge about this topic.
- Barrow, B. (2016). Stakeholder management: 50 quick and easy ways to become brilliant at project stakeholder management. Thembi Publishing.
- Brotby, W. K., & Hinson, G. (2013). PRAGMATIC Security Metrics: Applying Metametrics to Information Security. Taylor & Francis Group.
- Giangregorio, E. (2020). Practical project stakeholder management: Methods, tools, and templates for comprehensive stakeholder management. Aikaizen Ltd.
- Jucan, G. (2017). A pocket guide to stakeholders’ engagement. Organizational Performance Enablers Network.
- Osterwalder, A. (2014). Value proposition design. John Wiley & Sons.
- Project Management Institute. (2021). A Guide to the Project Management Body of Knowledge (PMBOK Guide). Project Management Institute.