Executives and boards make up the strategic leadership of the organization, but they generally don’t know how to think strategically about cybersecurity. They know they need to adequately fund cybersecurity, but they have difficulty determining what is adequate. They think of cybersecurity as a risk that must be contained, as many other risks are contained. This is not wrong; most success in cybersecurity is avoiding negative impact. Boards and executives today might be able to articulate a level of risk tolerance, but they do not understand whether the organization has achieved it, or achieved it in an efficient way. Doing so requires strategic thinking from the leadership and a cybersecurity strategy.
Boards and senior executives have taken a long time to come to terms with IT. I think we’ve hit a tipping point where senior leaders who don’t understand IT as well as the other functions of their organizations are failing. It has been a long road with IT, but now these leaders have to grasp the different but related cybersecurity domain. I’ve not seen many that can do this yet. Executives have to trust their CISOs, but they are uncomfortable doing so because they don’t understand cybersecurity well enough. A well-thought-out cybersecurity strategy is a good way to help others understand the cybersecurity program.
Having a cybersecurity strategy is a critical component of every cybersecurity program. Cybersecurity strategy is a different type of strategy than IT strategy or business strategy; it must therefore be independent of both, while still aligned with the organization’s strategy and the IT strategy. No cybersecurity program is complete without a good strategy.
Strategy is an old concept in military operations. After World War II the concept of strategy became popular in business. Most of us have the experience of starting with a SWOT analysis. We look at our organization’s strengths and weaknesses. Then we look for organizational opportunities as well as threats to the organization. From this initial analysis, goals, objectives, and roadmaps are identified. This approach fits well with a competitive-type strategy for the overall organization but does not fit cybersecurity.
There are three purposes for strategies, and each purpose drives a different structure. Organizational strategies are competitive. They are also symmetrical. Organizations compete against each other for customers, profits, etc. Nonprofits compete against something they are trying to overcome, like illiteracy, hunger, etc. In competing, the organizations don’t take malicious actions against each other; they strive to do better than their competitors in the marketplace. They have access to the same actions as their competition, hence they are symmetrical. As I stated above, this is based on a common SWOT analysis.
IT strategies aren’t competitive; they support the competitive strategy of the organization. The IT organization doesn’t compete against other divisions or directly against IT teams in other organizations. IT strategy must flow from organizational strategy. When technology is a key competitive facet, e.g. for a retailer with online sales, it is part of the organization’s competitive strategy.
Cybersecurity strategy is a third type. While it has to align with both the organizational and IT strategy, it is also adversarial and asymmetrical. It is adversarial, not competitive, because there are actors that want to do the organization harm. It is asymmetrical because there are actions available to the bad actors (a spear phishing attack, for example) that are not available to the organization. So we have to think about cybersecurity strategy differently than either IT or organizational strategy.
You can find many different definitions of strategy. For the purpose of cybersecurity, I define a strategy with three components. The first is that it is a long-term plan for accomplishing a set of goals. The second is that it provides a framework for decision making throughout the organization. The third is that it is a prioritization of resources.
Long-term goals with KPIs to measure progress set the direction. Plans to achieve those goals lay out the path. Executing those plans and achieving the goals lead to success.
The second part of a strategy is providing a framework for decision making. People throughout the organization make many decisions, large and small. The more of those decisions that are made within the context of the cybersecurity strategy, the farther and faster your execution of the strategy will go. This requires communicating the strategy in a targeted way.
The third part is the prioritization of resources. As the saying goes, “A vision without resources is a hallucination.” The plans have to include realistic prioritization of resources. We don’t have unlimited resources, so the purpose of strategy is to achieve its goals with the resources available. This requires the smart allocation of resources. In fact, some definitions of strategy focus solely on resources. In cybersecurity, it is also helpful to consider constraints. Below are the categories of resources and constraints that are applicable to cybersecurity.
Funding. Pretty straightforward. Capital, operating expenses, or the amount, color, and timing of money you can spend or get others to spend.
Regulations and Laws. Depending on your industry many decisions may be outside of your control. Understanding which laws and regulations apply to the activities of your organization is a prerequisite to meeting them and limits your strategic options.
Staff Time and Talent. This means understanding the capacity and capability of your current staff as well as your ability to hire and retain talent. Example considerations might be high turnover due to the markets in which you operate, the pay you offer, or the capacity of your senior people to learn new skills.
Business Overhead. The goal here is to understand the culture(s) in your organization and how much you can slow operations or lower productivity with security controls. At this point, you haven’t selected any controls. However, understanding that the finance team will tolerate a lot of overhead while clinical physicians will tolerate very little is important. If you ask too much you’ll get nothing.
Political Capital. The idea here is leadership and peer support. If your organization recently suffered a major breach, you may have a lot of political capital. If senior leadership wants you to “just take care of security,” you may need to avoid going head-to-head with the VP of Sales over remote wiping. Understanding how much political capital you have allows you to spend it in the most valuable ways and not develop a strategy that the organization won’t support. Understanding how much the rest of the organization trusts you and your team is critical. The more trust you have, the more political capital you have. You may choose a strategy that first builds the trust you need to execute the rest of the strategy.
Accountability. This could be a sub-category of Political Capital, but I feel it deserves its own discussion. Understanding the culture of accountability in your organization is critical to a successful strategy. If your strategy depends on shadow IT, but shadow IT is never disciplined for ignoring a central edict, your strategy is in trouble.
Calendar Time. These are the dates by which capabilities have to be in place, resources become available, or constraints are relaxed. Not everything in your strategy will be time critical. You might be looking for “quick wins” to demonstrate progress. You might have a gap so large that you feel you are in a race to close it before it causes a problem. This constraint is really analyzed in two parts. During initial analysis, it is important to understand any constraints. As you put your plan together, sequencing decisions will include calendar time considerations.
Outthinking Your Adversaries
Thinking strategically about cybersecurity requires us to think from our adversaries’ perspective. Our adversaries appear to be interested in monetary rewards and/or destruction. Even nation-state attacks fall into these two categories. When they steal intellectual property, they are either trying to get a competitive advantage or to use it to increase their military effectiveness, i.e. be more destructive. I would even categorize the information operations against elections as destructive because they undermine the faith in democratic institutions. We have to know what our adversaries want.
The impact of an attack can be asymmetrical too. For example, the price that a health record gets on the dark web is less than the fines, increased scrutiny, reputational hit, and other costs to the victim organization. A company may not even notice the loss of intellectual property that a foreign government steals and hands to one of its own companies in a different industry. We have to know how valuable our information is and how damaging it would be should it be stolen, modified, or destroyed. The combination of how hard an adversary is willing to work to get to a target and the damage should they succeed determines our strategy. When people understand this analysis, it helps them to understand why compliance is important.
Destruction takes on broad dimensions when we include operational technology, industrial control systems, and the Internet of Things. We may not think that these are a concern because we might not have them in our organization. I’d argue that even though our landlord is responsible for the HVAC system, an attack on it would be just as destructive as if we owned it. Supply chain security affects us all, and from sources I wouldn’t have considered my problem a few years ago. These risks exist, but understanding them and what it would take to mitigate them helps us to prioritize our resources and communicate the level of risk we are tolerating.
Finally, I’ll get to what I think is the most interesting aspect of our environment – Cyber War. The preamble of the U.S. Constitution calls for the Federal Government to “provide for the common defense.” This has worked well for a few hundred years. However, the federal government is specifically precluded from providing for the common defense in cyberspace by that same constitution. Good or bad, it is the world we live in.
Since the federal government is very limited in its defensive capability, I compare our situation to the early days of our nation. Back then the federal government was not strong enough to defend all the colonies, so we formed militias to defend ourselves where the government could not. So on top of everything else that we have to do, we are also a de facto militia, defending our little piece of the nation’s critical infrastructure from foreign aggressors.
We don’t have unlimited resources and will never get complete cooperation from our users. We have many adversaries, some of them very sophisticated, and time is on their side. To counter this we must allocate the resources that we have in the most effective way possible. We can’t counter every threat, so we must mitigate the most serious threats. Strategy is the way to set up our cybersecurity programs to keep our organizations safe.
People want to know why when they are asked to provide resources or tolerate extra security controls. A one-page cybersecurity strategy, especially a diagram, is a great tool for providing an understanding of the why. You will get better compliance when people understand why. Senior leaders will feel more confident in their resourcing decisions when you have used strategy to explain how the cybersecurity program matches the organization’s risk tolerance in an optimal way.