Cyber Strategy Management – 1A. Analyze cybersecurity stakeholders

Cybersecurity Strategy Management Framework

This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.

Objectives

Identify stakeholders
Identify all persons or groups that may influence or may have an interest in a cybersecurity strategy to understand their expectations and requirements.
Categorize stakeholders
Categorize stakeholders into specific tiers to define adequate communication and collaboration approaches and ensure successful strategy adoption.

Identify stakeholders

Cybersecurity strategy stakeholders are people or groups engaged in its development, interested in it, who can influence its shape, or will be impacted by it. Some project managers also add to this group people who are not directly affected by the initiative but perceive themselves as being impacted.

In smaller organizations, you can identify them by conducting simple desk-based research. In bigger companies, it will be more beneficial to engage your strategy development team and identify relevant stakeholders during a dedicated workshop.

Whichever approach you take, you can start by asking yourself or the whole team the following questions.

Questions to identify cybersecurity stakeholders
  • Who is and who should be in the strategy development team?
  • Who will provide the budget and other resources for strategy execution?
  • Whose cooperation will you need to drive its implementation?
  • Who will receive and approve the strategy?
  • Who will be its ultimate owner?
  • Who will be interested in the strategy?
  • Who will be affected by it?
  • Who can influence it?
  • Whose opposition may hinder your progress?
  • Who is the source of requirements for cybersecurity?
  • Who are the subject matter experts that will participate?

Think about internal as well as external stakeholders. To identify internal stakeholders, start with your organizational chart. To determine external ones, look at various relations that your company has.

You can use the following list as your starting point. Please note that it is not exhaustive and that its items are displayed in alphabetical order.

Internal stakeholders

Audit teams continuously assess the design and effectiveness of controls implemented to mitigate the risks relevant to the organization. Therefore they have a good overview of these risks, and this information can be helpful during the “1g. Conduct risk assessment” activity. Additionally, the audit teams can objectively identify problem areas in the cybersecurity capabilities and repeating patterns in their root causes. Examine these most common root causes to see if there is potential to address them on a strategic level.
Cybersecurity needs to be elevated to the Board level to be effectively implemented and considered while making crucial business decisions. The more persuasive you are to ensure the buy-in for your efforts between Board members, the greater your odds of getting the required time, people, and funding.
Business Continuity Managers establish and maintain the framework for continuity risk assessments, impact analyses, the definition of continuity strategies, and the development of business continuity plans. Because business continuity is interconnected with cybersecurity, collaborate with the person responsible for this area to understand the current state and agree on potential improvements that should be addressed in your strategy.
Business process owners are accountable for managing end-to-end business processes, which frequently cross multiple departments. It could be challenging to engage all of them actively in the strategy development process. However, as a minimum, you should consider their input when designing the target state and assessing its impact on the execution of critical processes. Pay special attention to processes that involve interaction with clients. The objective is to ensure a satisfactory level of data privacy without an adverse impact on customer experience.
The CEO is accountable for shaping and communicating the overall business strategy. You should understand his or her view on strategic business priorities to ensure that the cybersecurity strategy supports them. This alignment is one of the critical traits of a successful cybersecurity strategy; without it, effective implementation will be nearly impossible.
CFOs are interested in the financial impact of cybersecurity risks, the cost of protection against them, and identifying cost-saving opportunities. They also usually establish the financial planning framework you need to follow to get funding approved for your strategic initiatives.
CIOs most often drive digital transformations of their organizations, oversee IT services, and implement new technologies to increase the efficiency of business operations. You will need their input to recognize the nature of risks introduced by these new technologies and ensure that the security strategy allows their secure adoption. According to the Fortinet report, 82% of CIOs also have cybersecurity under their roof, which only increases their importance when designing a cybersecurity strategy.
If you are working as a consultant to develop a cybersecurity strategy and are not the CISO yourself, you will probably deliver your services to him or her. The CISO will be your most important stakeholder, as this person will be the owner of the strategy. They are responsible for the design, implementation, and monitoring of the whole information security program.
COOs and their teams frequently select the software and equipment required for business operations, which shapes the cyberattack surface. They have to deal with challenges related to the complexity of the IT/OT environment necessary for business operations and address the risks associated with that complex technology landscape. They also have a strong focus on operational efficiency, so they may push back on security practices that hinder business operations without addressing material risks.
CROs establish and maintain the risk management frameworks used to assess, measure, and report risks across the organization. Because cyber threats are becoming increasingly crucial in the era of digitization, they may support your cybersecurity strategy agenda. Additionally, risk assessments conducted by teams reporting to the CRO may provide input into the “1g. Conduct risk assessment” activity.
The work of the compliance teams focuses on meeting regulatory requirements and ensuring adherence to internal controls. They should be a great source of information about information security obligations in multiple jurisdictions. You will need this information for the “1f. Review external factors” activity.
Your cybersecurity strategy will impact all employees. Recommended security solutions may influence their productivity. Additionally, a lot depends on the human factor in the current threat landscape, because many cyberattacks start with social engineering or succeed because of human mistakes. Therefore, building security awareness among your employees is crucial when changing your cybersecurity strategy.
The person responsible for IT architecture should provide you with an overview of the IT architecture strategy and walk you through technology solutions and environment roadmaps. These inputs will be valuable during the “1e. Review internal factors” activity because strategic objectives for cybersecurity should help achieve readiness for the secure implementation of new technologies.
Secure software development lifecycle, application protection, and cloud security are important security topics in the era of agile software development and continuous integration, delivery, and deployment. You need input from the person responsible for software development to understand current and planned development approaches, because they will impact the selected security domains.
HR teams should help you understand the different factors you need to weigh when designing capabilities for the HR security area. They can also support you in understanding the organizational culture, which is essential when defining the change management approach. The human factor is the most significant factor when managing change in a modern business environment.
Parts of your strategy may impact the obligations of information owners – people responsible for ensuring the correct identification, classification, and protection of information assets throughout their lifecycle. Include them in your communication plans so that they can prepare for possible changes.
Security managers usually own particular security domains. You will interview them to understand the current state of their respective areas. You also need to involve them actively in the strategy development process to build a sense of ownership of the resulting projects. They should also understand the rationale behind strategic decisions so they can plan tactical actions in line with the high-level objectives.
Security professionals are the people responsible for executing security processes. Your strategy may change those processes, introduce new ones, or add whole new capabilities. Ensure that your change management plans include education and training for security professionals to help them embrace those changes. Establish a process to gather their feedback so you can continuously improve the implemented security capabilities.
The information security steering committee concentrates on monitoring the information security framework, tracking the progress of the security program, and making strategic decisions about information security. Include its members when defining requirements for the cybersecurity strategy, strategic objectives, and the proposed target state. They will also be interested in tracking the progress of your implementation.
Privacy regulations include requirements related to data security. Interacting with the privacy officer will help you identify these requirements across multiple jurisdictions, design capabilities that support data protection, and integrate processes related to data security.
System owners are accountable for the procurement, development, implementation, and maintenance of information systems. If your strategy affects the system development lifecycle, system security, or vendor management, include these owners in your communication plans and consider their feedback about proposed changes.

External stakeholders

Customers share their information more willingly if they believe that it will be adequately protected. At the same time, their primary focus is on the quality and features of the product or service they receive. Therefore, keep the customers in mind when defining cybersecurity recommendations and ensure that security controls will not negatively impact the customer experience. If the product or service is too complex to use because of its security features, the customer will look elsewhere for a better customer experience and product usability.
Industry associations often establish their own codes of practice related to information security. These can be another source of security requirements to examine when defining the cybersecurity strategy.
Regulators may affect your strategy through various regulations, depending on the industry and jurisdictions in which your company operates. As part of strategy development, you need to identify the essential requirements relevant to cybersecurity domains. Regulations are also one of the key drivers for security investments.
Shareholders and investors are interested in the current and future value of the firm and the critical factors that may affect it. Their perception of cyber risks and their potential impact on company value may affect the size of the budget for cybersecurity investments. Therefore, the better you build their awareness, the bigger the chance of obtaining sufficient funding.
Suppliers are one of the entry points into your organization: a compromised supplier network can be used as a platform to gain access to your corporate network. The strategic decisions you make can reshape the information security requirements relevant to your suppliers. Try to keep the right balance: the more demanding the requirements, the fewer suppliers can meet them and the higher the price of their services.

These are essential stakeholders you should recognize when preparing for the development of a cybersecurity strategy. The number and nature of stakeholders relevant to your situation will depend on your industry, the size of your organization, and its cybersecurity maturity.

Here are a couple of tips for identifying strategy stakeholders:

Focus on discovery. Your main objective at this stage is to scan your strategic environment and identify all stakeholders. Refrain from discussions about stakeholder characteristics and justification for their selection. If you keep the discovery perspective and continue listing stakeholders, you will get more complete results. You can refine your list later.

Do not overlook important stakeholders. Ensure that you have captured the most critical stakeholders. If you miss major stakeholders, you may need to revise your strategic assumptions later, delaying the strategy development process.

Use an agile approach. Your initial list may expand. You may uncover further stakeholders during interviews with those already identified. You may also need to update your stakeholder list and analysis during other stages of strategy management.

Identify representatives. When you identify a group of stakeholders, consider also determining its representative. It will help you keep a manageable list of attendees when scheduling interviews, meetings, or workshops.

Stakeholder             Representative  Tier
CEO                     -               Internal
CFO                     -               Internal
CTO                     -               Internal
Data Protection Agency  Andy Smith      External
Employees               Casey Jones     Internal
Information Owners      Jassie Miller   Internal

Refine stakeholder list

Review your initial list and verify if it is granular enough. Avoid leaving big aggregates of stakeholders that have different characteristics in terms of power or interest. For example, you may have different tiers of suppliers, and the strategy impact on them will be different.

In this scenario, it may be beneficial to divide “all suppliers” into separate groups for the relevant third-party tiers. In some instances, you may also have individuals who will be managed more effectively as separate stakeholders rather than as part of a wider group.

Create a stakeholder matrix

There are different tools to visualize stakeholder characteristics. They include Stakeholder Sector Analysis, Salience Model, Influence-Involvement Grid, Power-Influence Grid, Stakeholders Map, and many more. You can read about them in the books listed in the Reference section of this article if you would like to deepen your knowledge about stakeholder management.

However, the simplest and most usable at this stage is the Power-Interest Grid. It helps you visualize stakeholder power and interest, identify key stakeholders, and make decisions about the required stakeholder management activities.

To develop a stakeholder matrix, draw a chart with the Power and Interest axes as illustrated in the following picture. Use a scale of 1 to 10 on each axis or any other scale that will fit your needs in terms of granularity you would like to achieve.

Cybersecurity stakeholder matrix

Determine stakeholder power

Understanding your stakeholders’ influence means understanding their power over your cybersecurity strategy. Stakeholder power is the ability to influence people’s behaviors and get things done. Stakeholders with a high level of power can influence critical decisions during cybersecurity strategy definition, provide resources for its implementation, and motivate people to take the necessary actions.

To understand the level of stakeholder influence, consider their formal and informal power. Formal power will typically be bound to the stakeholder’s position within the organizational structure and their authority regarding cybersecurity. Informal power will often be exercised through the networks your stakeholders have built with the rest of the organization and through their reputation.

You can assess the level of influence by asking the following questions.

Questions to assess stakeholder power
  • How high is the stakeholder in organizational structure?
  • What is the perceived importance of their department?
  • What is his or her formal authority over cybersecurity?
  • What is their influence on cybersecurity resources?
  • What informal power do they have through their networks?
  • What are their leadership skills?

Next, position each of the analyzed stakeholders on the power axis of your stakeholder matrix. The easiest way of doing it is to place the most powerful person on the right side of the grid and the least powerful person on the left side, and use their positions as anchor points for placing the remaining stakeholders. You can also create low, medium, and high power ranges and place stakeholders inside them. These positions do not have to be precise. The purpose is to classify stakeholders according to their power quickly and efficiently.

Cybersecurity stakeholder matrix

Determine stakeholder interest

To have a better picture of your stakeholders, you also need to assess their interest in the strategy. You can measure it by determining how the cybersecurity strategy will impact them. You can also estimate it by evaluating the extent to which the strategy must address their needs to become successfully executed.

You may not have enough information to make a final decision at this stage, so make your best call using professional judgment. Make initial assumptions about what may follow after strategy implementation.

Consider the following questions.

Questions to assess stakeholder interest
  • How important are their needs and expectations for strategy success?
  • What is the level of common interests between them and strategy?
  • To what extent can the strategy impact their roles?
  • To what degree could they benefit or lose because of the strategy?
  • How could their duties change?
  • How could their expected behaviors change?

After considering these questions, you should move your stakeholders along the interest axis of the stakeholder matrix. As before, you can identify the most and least interested stakeholders, put them in the relevant positions, and use them as anchor points for positioning the remaining stakeholders.

You will have to update this assessment after the “2d. Define target state model” activity because then you will have a better sense of proposed changes and their impact on specific stakeholders.

Cybersecurity stakeholder matrix

Determine stakeholder tiers

Using the stakeholder matrix presented in “Managing Strategy: Mapping Out Strategic Success,” you can distinguish four stakeholder groups.

Cybersecurity stakeholder matrix
Stakeholder tiers
Subjects
Low Influence, High Interest. Cybersecurity strategy will significantly impact this stakeholder group. The success of your strategy will depend on how well these stakeholders adopt it.
Players
High Influence, High Interest. They are your key stakeholders. The success of your cybersecurity strategy will profoundly depend on them. This group will include senior executives that have the authority to provide the resources required for its implementation.
Crowd
Low Influence, Low Interest. This group will not be heavily impacted by cybersecurity strategy. However, people in this group may help you build the critical mass required for successful change adoption.
Context Setters
High Influence, Low Interest. These stakeholders may significantly influence your strategy implementation. However, cybersecurity is not on a list of critical priorities for these stakeholders.

Grouping your stakeholders into the tiers presented above will help you define the collaboration plans described in the “1d. Define collaboration plan” activity.

Update stakeholder inventory

At the end of this activity, you can update your stakeholder register with details that you collected, including stakeholder power and interest levels as well as their tiering.

Stakeholder             Power  Interest  Tier
CEO                     10     7         Players
CFO                     8      4         Context Setters
CTO                     9      10        Players
Data Protection Agency  8      1         Context Setters
Employees               2      4         Subjects
Information Owners      4      8         Crowd

Outputs

Stakeholder inventory
List of cybersecurity stakeholders with their characteristics, including their level of influence, their interest, and their assignment to the appropriate stakeholder tier.
Stakeholder matrix
Matrix showing stakeholders positioned against their power and interest in a cybersecurity strategy.