Building a cyber-security strategy

So far in this series on cyber security strategy, we’ve tackled several misconceptions around cyber-security. From where responsibility for cyber-security lies to the importance of having a clear strategy, we hope we’ve demonstrated why cyber-security is critical to your organisation.

It’s no wonder that a recent McKinsey report stated cyber-security was of strategic importance in technology and business decision making.

With that in mind, this article, alongside our latest masterclass video produced by Business Reporter, will delve into how you can start to build your own cyber-security strategy.

As ever, these articles draw on Mo Ahddoud’s 25 years of cyber-security experience. He’ll use real-life examples to highlight key takeaways and best practices. Meanwhile, our free downloadable guide provides actionable advice to improve your business’s strategy.

Commit to a process, not an end goal

We previously mentioned that, because both your organisation and the wide cyber landscape are constantly evolving, good cyber-security is a process governed by a living document. Cyber-security never ends; your business is unlikely to ever become completely secure.

But by maintaining an awareness of the important internal and external factors, you can ensure you remain well positioned to counter and respond to serious threats. So let’s look at how you can capture the current status of cyber-security in your organisation, define clear aims, and outline the steps to make continuous incremental improvements.

Capture your current story

The first step is understanding the current posture of your business in terms of its cyber-security maturity. To do this, you and other decision-makers in the organisation need clarity on several key aspects of how you operate, which I’ve outlined in the video above. These include:

  • What your business does
  • How your business works
  • Your organisation’s culture
  • Your risk appetite
  • The key internal and external factors affecting your business

From these questions and others, you can ‘tell the story’ of cyber in your organisation. Where is it most vulnerable and how can cyber-security play a role in achieving your wider business goals?

As a simple example, if your customer-facing business’s reputation is built on the trust of your consumers, and their information and privacy is a key asset, then protecting that data will be a high priority for your cyber-security activities. The impact that a breach could have would clearly be disastrous.

Conversely, an industrial manufacturing company’s biggest threat might be network downtime that could halt production and cause the business serious financial damage.

When we work with organisations on defining their strategy, the next step is to conduct interviews with the executive team that flesh out these answers, delving into how cyber is implemented at every level across the business.

Back up the ‘soft’ picture with hard data

The above steps give us context and a qualitative understanding of an organisation’s cyber-security maturity. We combine that with quantitative data: hard figures generated by a 32-step technical audit.

This compares the organisation’s processes to industry best-practices and ranks them between 0 and 5, giving us a clear picture of threats and weaknesses as well as strengths.

For instance, ‘Security Incident Response & Recovery’ is one of the 8 categories we evaluate. It contains 4 areas: ‘Security Incident Management’, ‘Information Security Program’, ‘Security e-Discovery & Forensics’, and ‘Infosec in Business Continuity Planning’.

The maturity of the business in these areas is graded between 0—relying on ad hoc, reactive programs with no strategy—and 5—an optimised program based on best practices and key risk indicators that continually evaluate service effectiveness.

Build a roadmap

With a clear picture in mind, it’s time to build a roadmap through consultations and workshops.

“This is where we are. This is where we want to get to. How do we do it?”

That’s the crux of the conversation, and from that we’ll see a strategy start to emerge. Again, this isn’t a fixed plan—the environment, the business, and thus the end state will all change along the way.

So we create a living document that is continually updated to reflect the latest plan. New or changed risks are identified and their impact assessed. The situation evolves and the strategy does as well.

In the second half of the video above, I delve a bit more into my observations around IT investments. These are often a cause of some distress in organisations!

But as part of our assessment, we can look at the tools that have been purchased, the value they bring, and how best to utilise them going forwards. Lots of businesses have tools they aren’t using properly or to their full potential, but that needn’t stop them from ever doing so.

Look ahead to considered investment

Highlighting those areas for improvement is just one of the ways we at Chameleon Cyber Consultants enhance a business’s cyber-security knowledge and capabilities. It’s part of our mission to help businesses understand and manage their cyber-security risks. We do that through working with them to develop adaptable strategies that match the evolving threat landscape.

We’ll tackle the subject of cyber investments in much more detail in the next article. Until then, you can download our free cyber-security guide, which complements these articles by providing clear steps to make positive changes in your business. You can also learn more about our technical audit and how to assess your own organisation’s cyber maturity. Download the guide here.