Mo Ahddoud: “Critical implementation mistakes in cybersecurity strategy”


Implementing a cybersecurity strategy isn’t easy. If it was, the world would be a lot more secure! Unfortunately, the reality is that many organisations struggle to put their plans into practice.
But there is hope. Your business has a plan, a blueprint to make itself more secure.

In this series of articles, and the accompanying guide of actionable steps you can take, Mo Ahddoud, CEO, Chameleon Cyber Consultants will look at the challenges of effective strategic implementation.

Kicking off the series, Mo will first examine common mistakes that organisations make in the implementation of their cybersecurity strategy. By raising awareness of these issues ahead of time, he hopes to help you avoid any nasty surprises in your own enterprise.

Lack of executive buy-in

The successful implementation of any strategy needs to be supported from the very top. Executives are uniquely positioned to understand the entirety of an organisation’s scope of risks and activities. If your organisation still believes that cybersecurity is just the domain of the security team and shouldn’t trouble the top table, that needs to change – and fast.

Budget expectations are just one area where a lack of support can cause problems. It’s much easier to get costs signed off early when boards understand the importance of the implementation. They’ll appreciate why the resources are needed. The alternative – trying to garner support halfway through a project – is often an uphill struggle.

Even among businesses who have started to realise that cybersecurity is a board level issue, many aren’t aware of how to support cybersecurity initiatives effectively.

The first step is to ensure the relevant decision-makers understand the importance of cybersecurity as an executive function. From there, they should actively promote the cybersecurity implementation within the business, inviting ideas and communicating a clear plan as well as the progress made on it.

Many organisations struggle to achieve the stability to create a plan and implement it from the top down. The average tenure for a CISO is just 18 months, making it difficult to support and develop a multi-year plan when leadership is constantly changing.

Missing in-house resources

The right talent is hard to find. Even before the COVID-19 pandemic, it was estimated that global demand for cybersecurity professionals outstripped supply by roughly four million jobs. Add in worldwide lockdowns, a mass migration to remote ways of working and economic uncertainty, and the situation has only got worse.

It’s little wonder, then, that 78% of IT decision-makers say the talent shortage is impacting security operations. While more talent is needed at every level of seniority, executives like CISOs are particularly critical, as they bring significant experience that can be difficult to hire or to foster internally through upskilling.

The experience of taking a strategy and leading its implementation is one that many IT teams lack and so finding ways to bring this expertise in can be critical. We offer a CISO-on-demand service and find that implementation of an existing strategy is one of the most common areas in which organisations need help.

Underestimated costs

There are multiple areas of cybersecurity in which enterprises often underestimate costs. We’ll start with one of the most common ones I see in organisations, and one that has been a theme throughout this article: personnel costs.

The true cost of attracting, hiring and retaining skilled cybersecurity staff is almost always underestimated. The scarcity of talent mentioned above certainly doesn’t help, with competition intense as qualified experts have their pick of jobs.

Personnel are often overlooked when evaluating or purchasing tools. We constantly see organisations that have bought a particular security product, say for alerting, but haven’t factored in the cost of having someone to track, manage and report on those alerts. Understanding how resources like this tie together can make a big difference to the success of any implementation.

Other areas where costs are likely to be underestimated include incident response and recovery costs as well as employee training.

Incident response costs can take even organisations who think they’re prepared by surprise. Many have invested well in their defences and believe they’re protected, but far fewer have a plan in place to deal with an attack. It’s here that the hidden costs lie. Small businesses often underestimate costs by a factor of 10 to 20x and expect recovery time to be far less than the 278-day average.

The costs of recovering from an incident that many organisations overlook include replacing or upgrading vulnerable systems. It doesn’t help that the massive shift towards home working over the last few years has made a mockery of pre-pandemic estimates for these costs. Ensuring you understand the full scope of your new-look IT operations is much harder than it was before.

Like it or not, human behaviour is the biggest cybersecurity risk in almost any organisation. Breaches are more often than not mistakes or slip-ups and yet companies still underfund training. Building awareness of best practices, and just as importantly, why they matter, is a critical part of any cybersecurity project.

Heed these mistakes to improve your own implementation

Cybersecurity isn’t easy, but if you can avoid these mistakes, you’ll be in a better position than most. The dearth of talent is a particular concern in the industry, and it’s why many organisations have turned to outsourcing roles with offerings like our CISO-on-demand model.

By reading this, you’re already demonstrating a level of buy-in that many companies lack. And, with executive buy-in of a clear strategy, there shouldn’t be any nasty surprises in store.

If you want further, actionable tips to really tighten up the implementation of your own cybersecurity program, check out our free downloadable guide.

Created to complement this series of articles, it offers practical ways to prepare for and carry out successful cybersecurity initiatives.
