ISJ Exclusive: Strategic implementation in organisational cybersecurity

Successfully implementing a solid cybersecurity strategy isn’t easy, but it is essential for your business, writes Mo Ahddoud, CEO, Chameleon Cyber Consultants.

Throughout my 25 years of experience in the cybersecurity field, I’ve seen that securing your business requires a marriage of acute strategy and effective implementation. Even a mediocre plan, well executed, will offer greater protection than thoughtlessly investing in expensive tools without direction. Of course, organisations should aim to develop a cohesive, personalised and flexible plan and try to implement it well.

In other articles for ISJ, I have previously discussed strategic planning and, therefore, this piece will instead focus on implementation. How do you put a plan into place in a way that ensures you get the most out of it in terms of protection, return on investment and supporting the growth of your business? We’ll cover the pitfalls you need to watch for, the skills you will want among your personnel, tips for working out where to start and how to select a trusted partner.

Avoid the most common implementation mistakes

Cybersecurity isn’t a forgiving field. A 2022 report showed that the frequency of cyber-attacks is rising, with almost one in three UK businesses experiencing attacks on a weekly basis. You can’t afford to continuously make mistakes and learn from your failures for very long while staying in profit. Getting security right the first time is important.

Absent executive buy-in

Most boards recognise this, but not all of them back it up with action. Lack of executive buy-in is the biggest killer of successful implementations. You need to have that authority, oversight, comprehension and approval from day one.

Top level buy-in gives your initiatives the credibility and backing they need for uptake across the organisation. It secures the resources you need to get started and adapt to changes. And it firmly locates cybersecurity as a critical business function that ties into wider business objectives.

Missing skills

With global demand for skilled cybersecurity professionals far outnumbering those actually in the industry, it isn’t easy to find, let alone hire and retain, the right personnel for the job. While upskilling existing staff can be a successful strategy, it’s much harder to do when IT teams are already stretched thin and taking on responsibilities beyond their remit and skillset.

Finding the right expertise at every level of your organisation is one of the biggest obstacles to implementation. Cybersecurity leadership is particularly difficult to source. It’s no surprise that we’ve seen a surge in the popularity of our CISO-on-demand service as businesses look for ways to bring in top level direction without recruiting full time roles.

Poorly estimated costs

Whether it’s under-budgeting for hiring skilled staff or discovering the true cost of recovering from a breach, cybersecurity is full of ways that costs can spiral out of control. The most common mistakes we see are around personnel costs, whether that’s hiring and retention, training or as part of an investment in new tools. What good is that fancy monitoring software if there’s nobody to review the reports from it?

Incident response costs are also an overlooked area. With the COVID-19 pandemic causing a significant shift in how we work across the world, many enterprise IT systems have changed more in the last three years than in the previous ten. That invalidates a lot of assessments and assumptions about recovery costs from before 2019. Updating your estimates will ensure that you’re not caught out.

Identify skills shortages

We’ve already touched on the dearth of skilled cyber-resources out there, but what about within your organisation? Taking stock of what you have is an important step towards putting your grand plan into action.

If you don’t have anyone qualified to perform penetration testing, then making that part of your regular schedule becomes a lot more difficult. But it’s at the top that many organisations are struggling the most. Implementing a strategy without clear direction is almost impossible; many C-Level executives don’t have the cybersecurity knowledge to lead these programmes.

Prioritise high impact actions and quick wins

If your organisation is anything like the many others I’ve worked with, there will be potential remedial actions everywhere you look. If your organisation already has an effective, dynamic, objective-focused strategy in place and widely adopted, you probably needn’t be reading this!

For everyone else, there are plenty of things you could do to improve your security posture. Some will make a big difference, others a small difference. There likely aren’t enough hours in the day to do everything – and besides, an attack could happen at any time. So, where should you start?

Assessing the impact and effort of your risk mitigation activities will show you not only what will have the biggest impact, but also how easy each one will be to undertake. Low effort, high reward activities are obviously your priority, and beyond that, it may help to have a balance of longer term investments and small quick wins.

Sure, changing a few settings on your firewall isn’t likely to have a huge effect, but for the effort it takes, the extra 0.5% protection it could give you can quickly add up when combined with other easy fixes. Giving yourself and your team these regular wins will keep motivation high as you tackle the tougher projects.

Find a supplier or partner you can trust

Cybersecurity is big business. That makes the supplier landscape a tricky one to navigate. What’s more, it’s an industry that naturally runs on FUD tactics: fear, uncertainty and doubt. No one wants to be the CEO or CIO whose company succumbs to an infamous breach. These instinctive feelings sometimes drive people to make hasty, knee-jerk decisions, only to quickly regret them.

The first step is to take the time to understand your organisation’s posture and what it needs. Yes, cyber-attacks happen every day, so you shouldn’t dawdle, but you have a far better chance of long term success if you invest wisely rather than rashly. Assessing your business’s strengths and vulnerabilities, as well as its goals and processes, will provide a better idea of what you need in terms of tools and skills – and what you have in terms of resources.

Choosing the right provider is about fit. A generic cybersecurity tool with all the bells and whistles might be overkill if your business already has a good handle on its endpoint security or an excellent firewall.

What works for a giant multinational might not fit with your organisation. Look through case studies from providers that showcase work they’ve done with similar companies. Ask them what they can’t do as well as what they can do. A smart firm will work with organisations where they can achieve great results, rather than taking on a job they’re poorly suited to. Consider whether you need tools, expertise or personnel and find a partner that provides what you need.

Even the best cybersecurity strategy can’t protect your business if you don’t follow the right processes to put it into action. Effective implementation begins at the very top with executive support. It takes into account the organisation’s weaknesses and strengths, particularly around personnel, to prioritise the right actions first.

Follow this process and it will lead you to a trusted cybersecurity partner or vendor whose products and expertise can help secure your perimeter. Good luck!