We are continuing our cyber strategy leadership series and diving deeper into the core elements. If you have missed the first article where we introduced the concept, check it here.
CISO, leadership, and cross-departmental co-operation
A robust strategy with an assigned CISO or Information Security Manager is now a critical requirement for any medium to large business. Appropriate resources must be agreed and aligned, and an op-ex and cap-ex budget assigned to achieve organizational aims.
Cyber leaders must now be much more than just technical specialists. For a CISO to be truly effective, they must hold a place on an organization's board or senior leadership team and be integral to the business's decision-making bodies.
Global and national markets are facing a shortage of suitably qualified cyber security specialists, leading many organizations to, sensibly, consider outsourcing this expertise to third parties. An outsourcing strategy can be cost-effective while still providing access to the knowledge needed.
Many different characteristics and backgrounds make up an excellent CISO, and there is not a generic CV which a hiring manager can look for. An ideal candidate or outsourced partner will have the right cultural fit for the organization and understand the technological environment in which the business operates.
Equally, if not arguably more critical, a successful CISO is a practical leader who can inspire and motivate employees from the post room to the board room. They should have the ability to present technical information in a format that is easy to understand, and they must be able to communicate threats and provide guidance on solutions.
An effective cyber security strategy must sit across the whole business, and therefore an effective CISO is one who can build relationships and influence decision-makers across the spectrum. Having an engaged management team and workforce is critical to the success of any business strategy or program for change, and cyber security is both.
Cyber Strategy: the Core Elements
Cyber touches every business process and function, from day-to-day operational activities to service and product development, finance, HR, marketing, and customer relations. Implementing a strategy can at first appear to be a completely overwhelming task. Where do you start? What do you tackle first? How do you spend your budget?
For any strategy to succeed, you must first understand your baseline: what your organizational goals are, and where your most substantial deficits lie. An excellent cyber strategy should start with a useful risk management framework that works as an integral part of an enterprise risk program.
Senior leadership must accept a reasonable level of cyber risk within the organization and establish its risk appetite. Cyber security gaps must be identified, analyzed, risk assessed, and an agreement on the prioritization of mitigation activities must be reached.
A risk-based approach is critical for the success of a cyber strategy. A strategy that is born out of an understanding of the facts and the agreement on a considered approach is always better than an approach that seeks to act reactively to events as they occur.
Cyber strategy can be broken down into many elements; however, in this series, we are going to look at the four core foundation stones of cyber security: Governance, People, Technology, and Supply Chain. These are by no means exhaustive categories, but they seek to provide the core elements of an excellent cyber strategy on which to build a tailored organizational program.
Good governance starts with good leadership. A CISO's first hurdle will be to educate the board and the rest of the C-suite on cyber security. Cyber maturity modeling can help organizations assess their maturity against internationally recognized models and put in place key performance indicators to measure the success of any cyber security implementation strategy.
A maturity model helps to quantify and qualify the potential threat to the organization and the remedial activities which need to be undertaken. This can involve challenges, not least of which may be the perception that cyber security puts barriers in the way of organizational innovation.
A CISO may also have to persuade a board that cyber security must no longer be just an 'IT problem.' IT is an operational department driven by targets on availability, accessibility, and ease of use. Cyber security sits across many more domains than this, and for an effective program to be implemented, a CISO must first create the best governance environment to achieve it.
Often the best foundation on which to build an effective governance strategy starts with choosing an appropriate compliance framework to follow. Compliance frameworks provide cyber leaders with the foundations on which to develop their plans. The adoption of a structure such as NIST or ISO27001 helps organizations contextualize cyber security in their environment and provides a baseline of good practice to implement.
Below we list links to various compliance standards which may be suitable for your organization. Alternatively, a cyber maturity modeling exercise with a reputable consultancy firm can help your organization identify an appropriate compliance framework.
Compliance frameworks can provide organizations with a universal language in which to communicate their strategies. They can provide a measurement of success and show the board a tangible return on their investment. Adherence to a framework also means that an organization can demonstrate its level of commitment and security to customers and suppliers, promoting confidence in its activities.
Choosing the right compliance and governance framework can help to provide an organization with an increased competitive advantage. For businesses that store, process, or transact cardholder data, PCI is a requirement that indicates your company operates in line with the industry requirements. For businesses seeking market differentiation by demonstrating their commitment to information security, ISO27001 certification provides a clear indication of a level of cyber organizational maturity.
Cyber security standards have increasingly become mandatory for an organization looking to tender for new business, or in the development of software, technologies, services, and applications. Many organizations will now find that certification to a compliance standard is a requirement of the procurement and onboarding process for the provision of goods and services.
In the next article of this series, we will discuss how to build the right team, policies, processes, and procedures.
If your company wants to take its cyber security strategy to the next level, get in touch with us and our team will guide you through this process.