Unfortunately, the reality is that many organisations struggle to put their plans into practice.
But there is hope. Your business has a plan, a blueprint to make itself more secure.
(If you’re not yet at this stage, I advise you to start with our first series on Strategic Planning.)
This series of articles, and the accompanying guide of actionable steps you can take, will look at the challenges of effective strategic implementation. It will draw on the experience of Chameleon Cyber Consultants’ Mo Ahddoud, who has honed his expertise in cyber-security for 25 years.
Kicking off the series, we will first examine common mistakes that organisations make in the implementation of their cyber-security strategy. By raising awareness of these issues ahead of time, we hope to help you avoid any nasty surprises in your own enterprise.
Lack of executive buy-in
The successful implementation of any strategy needs to be supported from the very top. Executives are uniquely positioned to understand the entirety of an organisation’s scope of risks and activities. If your organisation still believes that cyber-security is just the domain of the security team, and shouldn’t trouble the top table, that needs to change—and fast.
Budget expectations are just one area where a lack of support can cause problems. It’s much easier to get costs signed off early when boards understand the importance of the implementation. They’ll appreciate why the resources are needed. The alternative—trying to garner support halfway through a project—is often an uphill struggle.
Even among businesses who have started to realise that cyber-security is a board-level issue, many aren’t aware of how to support cyber-security initiatives effectively.
The first step is to ensure the relevant decision-makers understand the importance of cyber-security as an executive function. From there, they should actively promote the cyber-security implementation within the business, inviting ideas and communicating a clear plan, as well as the progress made on it.
Many organisations struggle to achieve the stability to create a plan and implement it from the top down. The average tenure for a CISO is just 18 months, making it difficult to support and develop a multi-year plan when leadership is constantly changing.
Missing in-house resources
The right talent is hard to find. Even before the COVID-19 pandemic, it was estimated that global demand outstripped cyber-security professionals by roughly 4 million jobs. Add in worldwide lockdowns, a mass migration to remote ways of working, and economic uncertainty, and the situation has only got worse.
It’s little wonder now that 78% of IT decision-makers say the talent shortage is impacting security operations. While more talent is needed at every level of seniority, executives like CISOs are particularly critical, as they bring significant experience that can be difficult to hire or foster internally through upskilling.
The experience of taking a strategy and leading its implementation is one that many IT teams lack, and so finding ways to bring this expertise in can be critical. We offer a CISO-on-demand service and find that implementation of an existing strategy is one of the most common areas in which organisations need help.
There are multiple areas of cyber-security in which enterprises often underestimate costs. We’ll start with one of the most common ones I see in organisations, and it’s been a theme throughout this article: personnel costs.
The true cost of attracting, hiring, and retaining skilled cyber-security staff is almost always underestimated. The scarcity of talent mentioned above certainly doesn’t help, with competition intense as qualified experts have their pick of jobs.
Personnel are often overlooked when evaluating or purchasing tools. We constantly see organisations who have bought a particular security program, say for alerting, but haven’t factored in the cost of having someone to track, manage, and report those alerts. Understanding the way resources like this tie together can make a big difference to the success of any implementation.
Other areas where costs are likely to be underestimated include incident response and recovery costs, as well as employee training.
Incident response costs can even take organisations who think they’re prepared by surprise. Many have invested well in their defences and believe they’re protected, but far fewer have a plan in place to deal with an attack. It’s here that the hidden costs lie. Small businesses often underestimate costs by a factor of 10-20x, and expect recovery time to be far less than the 278-day average.
The costs of recovering from an incident that many organisations overlook include replacing or upgrading vulnerable systems. It doesn’t help that the massive shift towards home-working over the last few years has made a mockery of pre-pandemic estimates for these costs. Ensuring you understand the full scope of your new-look IT operations is much harder than it was before.
Like it or not, human behaviour is the biggest cyber-security risk in almost any organisation. Breaches are more often than not mistakes or slip-ups, and yet companies still underfund training. Building awareness of best practices, and just as importantly, why they matter, is a critical part of any cyber-security project.
Heed these mistakes to improve your own implementation
Cyber-security isn’t easy, but if you can avoid these mistakes, you’ll be in a better position than most. The dearth of talent is a particular concern in the industry, and it’s why many organisations have turned to outsourcing roles with offerings like our CISO-on-demand model.
By reading this, you’re already demonstrating a level of buy-in that many companies lack. And with executive buy-in of a clear strategy, there shouldn’t be any nasty surprises in store.
If you want further, actionable tips to really tighten up the implementation of your own cyber-security programme, check out our free downloadable guide. Created to complement this series of articles, it offers practical ways to prepare for and carry out successful cyber-security initiatives.