How To Build Your Cybersecurity Strategy

When measuring your company’s cybersecurity performance, having the right context is necessary. And the ideal context is a cybersecurity strategy that aligns closely with your company’s overall business strategy.

At the heart of any cybersecurity strategy is:

• a business risk assessment
• an enabling set of capabilities
• a target state to reach, and
• a portfolio of initiatives.

“Once your company understands its risks, you can then focus on understanding what capabilities you need to build to protect it from an attack,” says Patrick Butler, CEO of Loop Secure.

To do this, there are a number of frameworks you can use to build your company’s resilience. Here are some suggestions:

• Understand your company’s most critical business assets based on business risk. Typically, most organisations have little awareness of what assets need protecting and which are critical to the business. Therefore, it’s essential that security teams work with organisational leaders to understand the risks across all facets of the business, and then prioritise the assets accordingly.
• Once you understand your company’s most important assets, differentiate their protection. This means correlating the level of protection given to assets based on their importance to the business. Putting in place differentiated controls, such as encryption, ensures that you’re allocating the most appropriate resources to safeguard the assets that matter most to your organisation.
• Cybersecurity shouldn’t be seen as a risk in isolation. Rather, it should be integrated as part of the wider enterprise risk management and governance process. The potential for a cyber attack should be seen on equal footing as other risks to the organisation, and presented in relevant management and board meetings. This is a two-way street, with executive teams and boards needing to be involved in the strategy like they would for any other key business risk.
• With more and more devices being connected to the corporate network (i.e. personal phones and laptops), users now pose a greater risk to an organisation. They send personal emails, surf the web and choose weak passwords. Therefore, the practice of building an organisation’s resilience against potential attacks should be included as a part of staff training. Organisations should segment users based on the assets they need to access and train each segment to understand the business risks associated with the everyday use of those assets.
• The time it takes to respond to a threat can be as critical as the threat itself. All staff should understand how to spot a threat and report it immediately.
• Companies need to review their approach to incident detection, containment and eradication. Compared to their level of Cyber Risk, many companies are underfunded when it comes to Cyber Security. Further to this, many companies have allocated the majority of their limited budget towards preventative controls. A much stronger focus needs to be placed on identifying and resolving security incidents.

Every organisation wants to have a high level of capability, but the complexity of reaching this level is challenging.

“It requires a combination of awareness and training across all business functions, and a level of expertise and experience on the cybersecurity team to manage threats and build resistance against attacks,” says Butler.