Strategy implementation - How to prioritise your programme of work
Implementing a cyber-security strategy isn’t easy. If it was, the world would be a lot more secure!
Unfortunately, the reality is that many organisations struggle to put their plans into practice.
But there is hope. Your business has a plan, a blueprint to make itself more secure.
This article is the third instalment of our four-part series on the challenges of effective strategic implementation. It is written to give you a fundamental understanding of implementation best practices.
That can then be built on using our free downloadable guide, which is full of actionable tips to make immediate, meaningful changes in your organisation. Click the link at the end of this article to download it.
Both the series and the guide draw on the experience of Chameleon Cyber Consultants’ Mo Ahddoud, who has honed his expertise in cyber-security for 25 years.
We’ve already covered common implementation mistakes and the shortage of skills in the cyber-security industry. Armed with that knowledge, it’s time to get down to formalising your plan of action. Today, we are looking at how to prioritise your programme of work.
Why prioritisation matters
The nature of cyber-security can frustrate organisations and their leaders. That’s because cyber-security isn’t a discrete project with a clearly defined end goal. You never get the satisfaction of putting the last part of your shields in place and saying, “Now my business is completely secure.”
Instead, cyber-security is constantly evolving. Your organisation changes and grows, technology continues to evolve at lightning speed, and the threat landscape is full of malicious actors tirelessly looking for new ways to infiltrate and penetrate defences.
This is why we always consider cyber-security strategies as living documents, constantly adapting to new circumstances and keeping your risk within defined, acceptable levels. To be clear, there is always risk. We can’t protect ourselves against everything, and even if we could, it might not make financial sense to do so. Spending millions to secure a trivial program devoid of valuable data isn’t going to win you any favours with the board.
Instead, building your cyber-security defences is a case of choosing your battles: working out what you need to protect based on the costs of doing so, balanced against the risks you face and their potential impact. So how do you do that?
Work with top management to identify critical assets
Cyber-security is a business-level risk, and senior executives are often best-placed to understand the big picture of an organisation’s data use, system dependencies, risk appetite, and more. These variables will all help determine your business’s most important assets.
It could be customer data, your external image and reputation, products, financial information, system uptime, and more. Wherever losses or interruptions would be most damaging, that’s where you should be looking to prioritise your security efforts.
Of course, while it would be wonderful to completely secure all your assets, that’s likely to be extremely difficult and expensive, if not impossible. Your aim instead is to bring the overall risk facing your key assets down to acceptable levels.
That overall risk is a combination of the likelihood of an incident occurring and the impact it would have on your business, taking into account direct and recovery costs as well as reputational damage. From there, it’s a balance: how much can you save in potential costs with a given investment?
For instance, if you can spend £1000 to reduce the likelihood of a £20,000 disaster from 20% to 10%, you’re getting a good deal. Spend £1000, save £2000. If getting that risk down from 10% to 5% would cost another £2000, it’s no longer worth it.
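The likelihood-times-impact reasoning above, worked through as an added example (not code from the article or from Chameleon Cyber Consultants). It goes slightly beyond the single case in the text by ranking several candidate investments by net benefit; the first two use the article’s own figures, the third is a constructed “free feature” quick win.

```python
# Added example: ranking security investments by reduction in expected loss.
# Expected loss = likelihood x impact; a control is worth funding when the
# reduction it buys exceeds what it costs. Candidate names are placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Investment:
    name: str
    cost: float       # one-off spend on the control, in £
    impact: float     # cost of the incident if it happens, in £
    p_before: float   # likelihood of the incident before the control (0..1)
    p_after: float    # likelihood after the control (0..1)

    def saving(self) -> float:
        """Reduction in expected loss: impact x (p_before - p_after)."""
        return self.impact * (self.p_before - self.p_after)

    def net_benefit(self) -> float:
        """What the organisation gains after paying for the control."""
        return self.saving() - self.cost

    def worthwhile(self) -> bool:
        return self.net_benefit() > 0


def prioritise(candidates):
    """Keep only worthwhile investments, best net benefit first."""
    kept = [c for c in candidates if c.worthwhile()]
    return sorted(kept, key=lambda c: c.net_benefit(), reverse=True)


# Constructed candidates. The first two are the article's figures: £1000 takes a
# £20,000 disaster from 20% to 10%, then a further £2000 would take it to 5%.
CANDIDATES = [
    Investment("step-1 (20% -> 10%)", cost=1000, impact=20_000, p_before=0.20, p_after=0.10),
    Investment("step-2 (10% -> 5%)", cost=2000, impact=20_000, p_before=0.10, p_after=0.05),
    Investment("quick-win (free feature)", cost=0, impact=8_000, p_before=0.30, p_after=0.20),
]

if __name__ == "__main__":
    for inv in prioritise(CANDIDATES):
        print(f"{inv.name}: saves £{inv.saving():.0f}, net £{inv.net_benefit():.0f}")
    dropped = [c.name for c in CANDIDATES if not c.worthwhile()]
    print("not worth funding:", dropped)
```

The second step is dropped because it saves £1000 of expected loss for £2000 of spend, exactly the point the article makes about diminishing returns.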
Should you take quick wins?
Every organisation is different. That’s what makes it so hard to give one-size-fits-all advice, but equally why going into an organisation and understanding how it works is such a key part of my job. So while you should always be wary of opportunities that seem too good to be true, the fact is that your organisation may well have them!
If there are gaps in your cyber-security posture, fixing them could be quick and easy. We talked in the last series about how your existing digital services may have overlooked security features. Small changes like this can often give you great returns on investment—activating a free feature of software you’re already using will be worth it if it reduces your risk at all.
While it’s important to ensure that your organisation’s most valuable assets are protected, you can definitely make improvements by going after some low-hanging fruit as well. With insider threat incidents up 44% from 2020, the most effective fix could simply be reviewing access levels across your organisation.
A security partner can offer an outside perspective
It’s often easy to miss straightforward opportunities like this if you’re embedded in how your business works. This can mean that you can’t see the low-hanging fruit for the trees, to mangle a couple of sayings!
Bringing in someone external who will naturally question how things are done is often effective. It can highlight what areas you could prioritise to make quick and easy changes. This approach complements the expertise of your board, who will be able to identify larger strategic objectives to protect your organisation’s crown jewels.
So how do you choose the right partner? Our next article will wrap up this four-part series by diving into vendor selection, whether it’s bringing in external expertise or investing in new security products.
And as ever, you can download our free guide for actionable tips you can implement in your organisation today.