Exclusive: Risk by Risk, Business to Business – Part 3

In the third instalment of this International Security Journal series, Mo Ahddoud, CEO, Chameleon Cyber Consultants describes why formalising a cybersecurity strategy is an essential step in defending against threats and protecting an organisation’s assets.

Threat actors, attack vectors and IT system complexity are changing quickly and organisations that do not adapt will be implicitly accepting higher risk of a breach.

Regardless of the size of the organisation, a good security program must be proactive about closing security gaps because ignorance is never blissful. The full extent of damage from an attack can extend past the loss of data and finances. Reputational damage as a vulnerable entity can cost organisations critical relationships that they depend on to survive.

Organisations that use a systematic and proactive approach to cybersecurity not only create an effective security strategy and improve stakeholder satisfaction they also see other benefits:

• Addresses the nature of cybersecurity

Numerous projects and components are involved in a security program, including IT requirements and functions as well as countless other elements to consider. A structured approach creates a detailed plan and allows teams to focus on high value security projects first whilst moving toward a target state

• Highlights functions that were previously overlooked

A systematic approach lays a foundation across all areas of cybersecurity upon which a complete program can be built. Instead of pursuing new projects in an ad hoc nature, using a systematic methodology builds a comprehensive security program today and enables the ongoing management of inevitable changes to the initial program of work

• Justifies IT budget changes

Following a systematic investigation of all security functions and understanding of program gaps, businesses can effectively estimate their necessary security budget or shine a light on areas where intolerable risks will persist without budgetary relief

Assess security requirements

Identifying corporate goals is the first step in aligning the cybersecurity strategy with the business vision so security leaders need to understand the direction the business is headed in.

Cybersecurity must support the primary business objectives. A strong cybersecurity program will enable the business to compete in new and creative ways, support operational performance and ensure brand protection and shareholder value. Failure to meet business obligations can result in operational problems, impacting the organisation’s ability to function and the bottom line. Wise security investments also depend on aligning security initiatives to business objectives.

Gaining this understanding with non-security staff and senior stakeholders is the best way to start security socialisation and get an understanding of what their concerns are. We recommend undertaking the following steps:

• Introduce security management.
• Understand business and IT strategy and plans.
• Define business, compliance, and customer security obligations.
• Define the organisational risk tolerance level.

Perform a gap analysis

Understanding the current state vulnerabilities enables not only security leaders but also business leaders to gain clarity on the current state vs. target state, a high level understanding of the gaps between states and an understanding of common initiatives for each area of security.

The cybersecurity strategy should also identify what you do not need, as well as what you do need, to provide the most value to the organisation. We recommend undertaking the following steps:

• Assess current security capabilities.
• Identify security gaps.
• Build initiatives to bridge the gaps.

Prioritise initiatives and build a roadmap

A good security program will not provide perfect security, but it will enable organisations to make educated decisions about which projects are most important and why. It provides cost to effort alignment for security initiatives as well identifying easy win tasks and high value projects that will close the current/target state gap. It also supports decision making on whether to begin or not to begin initiatives based on resourcing and alignment. We recommend undertaking the following steps:

• Consolidate gap initiatives
• Estimate and prioritise your initiatives
• Build your roadmap

The roadmap is the list of tactical efforts – it is not the strategy itself. The strategic elements are that: 1. Targets are aligned with what the business wants and needs; 2. It is being executed not by a dogmatic framework, but in the order that will best benefit the organisations unique circumstances.

Benefits

Today, most customers or clients expect some level of security to protect their data. For many organisations, customer data privacy is the largest driving factor for developing a mature cybersecurity program. However, leaping from pre-foundation to being completely optimised in one step is an ineffective goal. Systematic improvements to your security performance deliver value to the organisation, each step along the way.

Including stakeholder and executive input from the outset will also help to ensure that the strategy is aligned with the business needs and fosters a relationship in which cybersecurity is seen as an enabler rather than a cost centre.

The benefits of a cybersecurity strategy:

• An understanding of current security practice capabilities and performance
• An understanding of the organisation’s security obligations and responsibilities
• Establishes a security target state based on the organisational context
• Develops a roadmap to help the business achieve its desired security target state
• CEOs and other business leaders gain an understanding of which elements of a good cybersecurity strategy they must be involved in
• Determines at a high level the organisation’s current risk tolerance

At Chameleon Cyber Consultants we pride ourselves on facilitating business success through secure environments. Our mission is to use the very latest security thinking, practices and technology tailored to your specific business needs and objectives.

If you would like support creating a cybersecurity strategy tailored to your business contact us today www.chameleoncyberconsultants.com