We are on the third installment of our cybersecurity for mid-sized companies program! If you missed our introduction, consider reading the Cybersecurity Strategy & Budgeting Guide overview before proceeding further.
Now that you have conducted your active threat assessment, vulnerability assessment, penetration testing and compliance audits, as applicable, you are feeling one of two emotions: significant relief or high-level stress. Our job is to now turn those two emotional states into an actionable plan.
If you are feeling relief, congratulations. Your existing cybersecurity measures are in good operational order. Typically, there are some observations that need to be addressed, but you can plan those adjustments at a pace that is comfortable with your organization. Your focus on strategic cybersecurity planning should be on business drivers and needs. Where is the business going and how will your security planning accommodate foreseeable changes? Don’t neglect to consider unforeseen changes.
If your results have left you just shy of panic, then we have more work ahead of us. The roadmap should be laid out as soon as possible to present to senior management. It is understandable if you are viewing this phase with some trepidation. Management never likes to receive news that security needs to be beefed up, but consider this process as an opportunity to get buy-in on the elements you have probably asked for in the past. Now you have solid third-party data and recommendations to back up your request for resources.
You now must make the decision to patch or replace the identified areas in need of improvement. But before you start gathering quotes, you should take a step back and evaluate your business’ situation and strategy as it relates to cybersecurity. A traditional strategic analysis format of Strengths, Weaknesses, Opportunities and Threats (SWOT) is insufficient for a cybersecurity strategy.
Cybersecurity has evolved from building a sequence of ever stronger fortifications around your environment and data. The landscape is changing dramatically, and cyber security strategy must be flexible enough to accommodate unforeseen changes in the future. For example, 3 years ago, the internet of things was not even a term. 3 years from now, what technology will impact your business in unexpected ways? How will changing compliance requirements impact your organization?
Further, shadow IT is increasing as employees take it upon themselves to utilize “consumerized” tools at work. It is virtually impossible to stop every download and deployment of unsanctioned applications or prevent employees from clicking on a phishing email. Your security strategy needs to account for user behavior that is unplanned and outside of corporate policy.
Let’s Look Farther Out
The first step in formulating a go-forward cybersecurity plan is to assess the organization’s strategy for the next 2 years. Planning beyond 2 years tends to be something of a crystal ball gazing session for most organizations, as well as the cybersecurity industry. If your company does not have a documented 2-year plan, reach out to the management team individually and ask their perspective. Hopefully, you get a consistent vision. If executive management is not aligned on the next 2 years, look back at the previous 2 years for your best indicator as to what the future may hold.
Be sure to discuss the future with your Sales, Marketing and Product Development teams. What initiatives do they have planned? Sales and Marketing’s time horizon may be longer than 2 years, depending upon your industry. Sales may be looking at opening new markets, establishing new channel partnerships or enabling the salesforce with new technology. [Wouldn’t that be nice to know that in advance?]. Marketing may be planning on implementing a large on-line development effort or launching mobile applications. Product Development could be looking to introduce an entirely new line of product that relies on internet access (the internet of things). These business initiatives will impact your security strategy into the future.
On the Operations side, what business drivers will they be pursuing in the coming years? Will they seek closer networking relationships with vendors? Will they add new sensors to production facilities that require internet access, and therefore, security?
The last component of our forward-looking business planning view is to assess the risks of these plans. If the business leaders seem confident and consistent in their vision, then your planning will be confident and consistent too. If, however, the plans are tentative, then your strategy must reflect more uncertainty and be sensitive to changes in the organizational vision.
Once you understand the landscape out to a reasonable horizon, you can lay out a cybersecurity strategy that supports the plans. Being flexible is a key component. Keeping your options open for changes in landscape, ownership, or markets will elevate your security planning to a strategic exercise, rather than a tactical one.
Building a Cybersecurity Strategy
So far, we have assembled a summary of your current state through 3rd party testing and assessments. We have assembled the forward-looking changes to the organization that we will have to accommodate in our strategy. Now we start to construct the strategy around a comprehensive cybersecurity fabric.
With these two components, you can construct a cybersecurity vision that lays out the strategic objectives. An example security vision statement might be: “ABC Company will establish a cybersecurity practice that will maintain a high level of protection from external and internal threats. The environment will be tested and updated regularly to ensure ongoing compliance. Costs will be minimized while flexibility to support strategic initiatives and acquisitions across the organization is maintained.”
The vision is then broken down into objectives. A sample set of objectives may be:
- Protection of critical systems
- Constructing a manageable framework
- Ensure a successful recovery when a breach does occur
- Identify resources that can assist your efforts
We will explore these objectives thoroughly in the next segments. In the meantime, don’t panic. ARG is here to help and as always, our consulting is free of charge. If you’d like to engage with our experts, please contact ARG directly at 703-770-2400 or at info@myarg.com.
For more education on security, register for ARG’s January 18th Event: 2 Steps to Cybersecurity and take home an education on the security marketplace along with dinner for 4 from Maggiano’s! Click the button below to register.
ARG works objectively with over 350 service providers across disciplines such as: cybersecurity, cloud computing, backup and recovery, unified communication as a service, mobility, conferencing and collaboration, data center, bandwidth and voice and data networks. We can find the right service provider to meet any need.
As always, our consulting is free of charge. If you’d like to engage with our experts to validate your 2018 security budget, please contact ARG directly at 703-770-2400 or at info@myarg.com.
Your business runs on technology. Protect your business.