Good information security and cyber resilience begins with creating a solid security strategy. So, how do organizations and their CISOs or Heads of IT and security create such a strategy?
There are a number of critical questions, driving factors and strategic considerations to recognize in order to develop this strategy.
Your business strategy
What is the business strategy and what are the information risks associated with it? Is your business growing through acquisition? How extensive and what is the reliance on third parties? What has been the adoption of cloud computing? Mobile adoption? Internet footprint? What is your company's risk profile and risk tolerance? Do you have the right organizational skills and capabilities in your information security organization to support this business strategy?
Your organization’s culture
Where does information security/risk management fit into the culture? Does it fit at all, or is it a core pillar of the business? Is there a clear and positive attitude to the topic from the executive team?
If you can’t remediate a risk, you need to be able to clearly communicate the residual risk, including its likelihood and impact, through the appropriate governance channels. Again, identify the areas you need to address to support your mission to protect and enable the company.
Your IT organization systems and infrastructure
You need to identify the key areas to focus on and the relationships you need to build. How mature are the processes? Are there organizational silos? How strong is cyber awareness across all staff in the organization? What challenges do you face in engaging all your people?
You need to standardize and simplify: having one of everything is not the ideal state, and most importantly you must have a mature hardware and software asset inventory process. If you don’t know where your enterprise assets are, you can’t protect them. Minimize the unknown-unknowns. Verizon publishes their global Data Breach report every year, and the compromise of an unknown asset is at the top of the list every time.
Having an understanding of your adversaries
You need to understand who your adversaries are: nation states, cyber criminals, hacktivists, the insider, or, more and more often, a blended attack. What are their methods and motivations, and what information or systems are they most likely to target? What is the effectiveness of your security controls, your threat intelligence, and your ability to deploy this intelligence to your sensors in real time to detect adversaries before they do harm to the enterprise?
Your government and industry regulations
Understand what they demand of you and just do it -- the right way. Don’t get side-tracked by non-compliance; take care of this on your terms, not the regulators’. Compliance is just a subset of a good information security/risk management programme anyway.
What is your relative maturity?
You need to understand the other businesses in your sector and how your programme maturity compares with theirs by performing competitive benchmarking. In many cases it comes down to economics for your adversary, so make it more difficult and costly to successfully attack your enterprise than to attack your competitors.
In the final blog post in this short series, I’ll look at the critical issue of people – the human factor – in information security and cyber resilience.
See our RESILIA™ section for more information about cyber security and resilience.
More blog posts in this series
Read the first post, What does good information security and cyber resilience look like?
Read the final post, Cyber resilience: we need to talk about… your people