Building a successful Cybersecurity strategy is not complicated but is essential to successfully revamping a stagnant cybersecurity program. The strategy is the path from your “current state” to where you want to be—the “strategic objective”.
Reaching the desired future state requires the organization’s security posture, level of risk, and objectives be defined and understood. Consider the following five objectives when developing your strategy.
- Strategic alignment – To include leadership buy-in, the desired future state and the strategy to achieve it must align with the organization’s strategy and objectives.
- Effective risk management – The security program must include a risk management policy, and operational processes, and procedures. Without risk management an organization faces potential negative consequences and may inadvertently increase the level of risk.
- Value delivery – To receive leadership buy-in, the strategy should include a focus for continual improvement and increased efficiency. Most organizations do not have unlimited Cybersecurity budget, making it important to reduce the risk at the lowest reasonable cost.
- Resource optimization – An extension of value delivery, resource optimization focuses on the efficient use of available resources, such as employing only the necessary staff and tools to meet strategic objectives.
- Performance measurement – For leadership to drive continual improvement, security related operations must be measurable. It is important for strategic objectives to be SMART (Specific, Measurable, Attainable, Relevant, Time-based).
Whether the organization is led by a board of directors or a CEO, a complete understanding and acceptance of the proposed Cybersecurity program at all levels of the organization is critical for the program’s success.
The CISO, or security manager, may be responsible for creating and/or updating the risk management and cybersecurity operations programs, to include security processes, and procedures, and these processes must align with the organization’s, mission, goals, and objectives.
Alȳn helps organizations develop and/or enhance existing cybersecurity strategies. We provide collaborative and strategic services to help our clients design, shape, and run a security program. Working among a variety of clients, some as large as Federal Government agencies, as well as smaller commercial operations has honed our expertise in supporting operational services, building security organizations, and advising leadership on daily events.
We will discuss Control Frameworks in future publications. For now, understand that no organization needs to create Governance Frameworks from scratch. Below are three of the most popular organizational frameworks.
ISO/IEC 27001, Information Technology, Security Techniques, Information Security Management Systems and Requirements, is an international standard for information security and Risk Management.
NIST SP 800-53
Developed by the U.S. National Institute for Standards and Technology, NIST Special Publication (SP) 800-53 (“Security and Privacy Controls for Federal Information Systems and Organizations”) is one of the most well-known and adopted security control frameworks.
The U.S. Health Insurance Portability and Accountability Act established requirements for the protection of electronic protected health information (EPHI). The requirements apply to virtually every corporate or government entity (covered entity) that stores or processes EPHI.