elevenM’s Peter Quigley and Arjun Ramachandran discuss the value and purpose of a cyber security strategy, and tips and tricks for developing an effective one.
As elevenM’s cyber practice lead and its head of strategic communications respectively, Pete and Arjun have developed cyber security strategies for CISOs and technology leaders from several major Australian organisations over the last few years – including for government agencies, major banks, major telcos, and large insurance providers. They typically work hand-in-hand on these projects (alongside the broader elevenM team), bringing together cyber security and strategic communications perspectives.
Below is a summary of a recent conversation they had about their approach and learnings when developing cyber security strategies for clients.
What is the role and purpose of a cyber security strategy?
Pete:
It’s an important question to start with, because clearly understanding what you’re trying to achieve is the first step to success.
Ultimately, a cyber security strategy is about defining the mission of the cyber security team. It’s about setting out why cyber security matters and how achieving your goals as a cyber security team will contribute towards the best interests of the organisation, its customers and employees.
More specifically, the strategy needs to be a clear-headed statement about what the organisation is trying to defend against. This can be expressed in terms of both the key assets and processes that are of importance to the business, as well as the key threats the organisation is facing and how they could impact the organisation.
Beyond that, the strategy needs to provide a view of how well-placed the organisation is to defend those threats and assets, and what needs to change to manage current and ongoing challenges in a way that is aligned to the risk appetite of the organisation.
Arjun:
I’d reiterate your comment about defining the mission. One of the most important attributes of a cyber security strategy is that it can be a clarifying document for a wide range of stakeholders about what the “cyber problem” is, combined with a high-level view of how that problem needs to be tackled, and what should be done by whom.
Cyber security is a vast, complex and dynamic field and at any time there is a large number of activities underway. For those outside of the cyber security team (e.g. boards, executives and teams from other business units) this can make the topic of cyber security feel dizzying and impenetrable. Even for those within cyber security, the volume of activity and constant change in priority can contribute to teams feeling uncertain where and how they fit and what they are ultimately contributing towards.
So from my perspective, the cyber security strategy is an opportunity to speak with purpose about the “why” (why cyber security matters) and “how” (the big picture view of how the problem is to be solved), without getting too far into minutiae around the “what”. We’ve worked with several CISOs and tech executives who find that, having presented their cyber security strategy, they get better engagement and reception from stakeholders.
In a few words, what outcomes should organisations expect from a cyber security strategy?
Arjun:
In my view, the strategy shouldn’t be seen as an end-state. It won’t solve the whole problem (nor should it try to) but rather it sets out the mission, the key imperatives that frame this mission, and the broad directions the organisation needs to take.
With that in mind, the main outcomes I’d be looking for from a strategy would be improved understanding of the mission and problem space across the organisation, and improved engagement from executives and other parts of the business.
Pete:
I’d add that the strategy should create a common narrative and principles for members of the cyber security team to unite around. Cyber security teams are diverse and each individual can’t always see how what they do contributes towards the big picture, but the strategy can create that clarity by speaking to the higher-order principles or imperatives that are important.
To add to your first point about solving the problem, the strategy should set up the framing and structure for a more detailed roadmap of activities and programs – though I don’t think the strategy itself needs to include this level of detail. Instead, the strategy should articulate the key themes in plain English – for instance, “Heightened assurance” or “Collective resilience” – which then provide the foundation for a roadmap of detailed activities to be developed against each theme.
What should be the inputs to a cyber strategy?
Pete:
We cast the net pretty wide. Typically, we start with the latest organisational strategy and purpose statements, and revisit the organisation’s recent public statements and key priorities.
Then we’re looking at the organisation’s risk appetite, and its threat profile, which involves analysing the threat landscape and relevant threat intelligence. It’s also vital to get a true current-state picture of the organisation’s cyber posture and maturity, so we’ll consider recent assessments of controls.
It’s important to also get a picture of financial appetite, as this will influence what’s possible and appropriate to pursue in the strategy, and over what timeframes. The “problem” of cyber security for an organisation is not necessarily confined to what happens within its perimeter, so a strategy could go as far as seeking to influence and shape public policy, building partnerships and educating the community. It’s good to get a sense of how ambitious the appetite is early on.
Finally, I’d stress that these inputs and artefacts don’t need to be in the final strategy, but rather play a key role in shaping and informing it.
Arjun:
I love this part of the process.
We often gather this information via documents and interviews – and it’s in the analysis of the materials and in extended conversation with CISOs and key stakeholders that you really start to surface the themes of most relevance and pain points of greatest significance for the organisation. It’s these listening tours that bring out what CISOs, their teams and their stakeholders are most worried about, what’s working, and what’s not – both in terms of cyber threats and risk, but also in terms of how well the organisation is collaborating on the challenge.
It might be simple enough to come up with a generic cyber strategy with generic themes (especially in the age of ChatGPT!), but that’s not going to land as effectively. What makes a strategy successful and meaningful for an organisation is understanding and reflecting its own needs and context.
What happens next?
Pete:
There’s a bit of alchemy that takes place at this point – can I say that? 😊
Essentially, we bring together our understanding of what we’ve heard, analyses of the organisation’s risk profile, and our awareness and experience of best-practice to lay out the high-level direction for the organisation’s cyber activities. And we’re concurrently thinking in terms of narrative, is that fair?
Arjun:
That’s right – it’s not a parallel process so much as an interdependent one. I’d typically hear you and the cyber team thinking out loud (or on the whiteboard) about the “big rocks” or key strategic imperatives from a cyber perspective, and then finding ways to reflect that in compelling messaging and relatable concepts. At this point, we’ve also more often than not got our graphic designer involved to start playing with some design concepts.
The ultimate aim is a strategy that is “cyber sound”, but also narratively engaging and visually appealing.
What are some common pitfalls in developing a strategy?
Arjun:
Don’t overcomplicate it! The recurring issue I come across is the attempt to do too much with a strategy, or the crafting of a strategy without sufficient foresight (or clarity) about how it will be used. In a complex and technical space like cyber security, it’s tempting to create a strategy that lays out specific controls that need to be deployed, or how emerging technologies like AI will be contemplated, or how frameworks or architectures like Zero Trust will be deployed.
But this kind of technical or architectural roadmap (while important) is a very different artefact to a whole-of-organisation cyber strategy that needs to get buy-in and endorsement from across the organisation … including from board directors.
Don’t underestimate the value that comes from a clear, strategic, high-level story.
Pete:
Along the same lines, I encourage clients to not try and embed specific milestones and a detailed roadmap of activities into their cyber security strategy. For two reasons.
First, strategies span 2-3 years and should not be made to appear outdated if there’s an issue or de-scoping of any given set of activities on the roadmap for some reason (which is possible). Secondly, by virtue of listing out a roadmap of activities, the strategy shouldn’t primarily become a tool for external teams to track and audit the cyber security team’s delivery against its plans.
This undermines its value as a future-focused, direction-setting and unifying message for the entire organisation’s cyber mission.
Get in touch
If you’d like to talk to us about how we can assist you with your cyber security strategy, reach out to elevenM: email hello@elevenM.com.au or phone 1300 003 922.