23 October 2024

Why every good CISO needs a cyber security strategy

Arjun Ramachandran
Principal
Peter Quigley
Director

elevenM’s Peter Quigley and Arjun Ramachandran explore why many CISOs and CIOs are using a cyber security strategy to lay out a path to success.

Being a CISO is not for the faint of heart. In today’s threat environment, having responsibility for protecting an organisation from persistent and skillful cyber attackers is one of the more stressful propositions in the business world.

Perhaps less known is how truly multifaceted the role of CISO is. A typical enterprise CISO must be technically proficient enough to guide the right responses to cyber attacks. They must also be a business-savvy executive who understands their organisation’s corporate strategy and goals, and have the skills and experience to see how cyber security enables these. A CISO must be a risk-aware pragmatist who can decipher regulator demands and persuade business colleagues to help meet them. And they must do all this while being an effective people leader and a confident communicator with board directors.

If you’re a CISO, it’s understandably daunting to bring all these diverse imperatives to bear on the programs you run, and on the tone you want to set with your teams and stakeholders.

What might help?

The value of a cyber security strategy

Increasingly, we’re seeing CISOs and CIOs crafting an organisation-specific and business-focused cyber security strategy as a key tool to bring together the different parts of their story and create a clear, compelling and empowering narrative that others can buy into.

The domain of cyber security already boasts several well-regarded best-practice frameworks. Some might argue these are all a CISO needs to set their direction and priorities. But as we’ve written before, using one of these frameworks – such as NIST’s Cybersecurity Framework (CSF) – to guide your program is not the same as having a cyber security strategy, nor will it necessarily ensure you’re managing your risks well.

Here are four benefits we’ve seen our clients gain from having developed a bespoke and business-focused cyber security strategy:

1 – A cyber security strategy creates purpose

While frameworks like NIST CSF might guide the implementation of specific capabilities and controls, a cyber security strategy encourages you to assess the importance of cyber security within the context of your business, its priorities and its regulatory environment.

This in turn illuminates the key cyber security challenges you need to solve for your organisation (both technical and organisational), and guides prioritisation. For instance, an organisation embarking on an aggressive cloud-first technology strategy may use its cyber security strategy to emphasise the need for improved third-party security governance.

By drawing out the purpose of cyber security specific to your organisation and its values, a cyber security strategy also creates a clearer sense of mission (or the “north star”) for cyber security teams.

2 – A cyber security strategy makes clear where you are on the journey

Every CISO knows the phrase “cyber security is a journey”. Most probably wish their CEO knew it too. It’s a phrase that highlights that what a CISO can achieve today is heavily contingent on what has been done previously. It also underscores the reality that, in a constantly evolving threat environment, the job is never done.

A cyber security strategy provides a vehicle to tell this bigger story to executives and stakeholders, who might otherwise have unrealistic or disconnected expectations of what the CISO and their teams should be doing at any point in time, based on what they’re reading in the news or hearing from counterparts at other organisations. By describing your organisation’s current state of maturity, the cyber security strategy can build a case for where focus and priority should be for the next few years.

Consider these examples:

  • For an organisation only beginning to seriously invest in cyber security after a recent incident, a cyber strategy might emphasise that the near-term priority is “security hygiene” — building a baseline of foundational cyber security controls and embedding basic levels of organisational awareness and security culture.
  • For an organisation already with strong foundations, a strategy might signal the importance of shifting to a more risk-driven, threat-intelligence-led approach, so that any additional investment delivers a return in the form of measurably reduced risk.
  • For another organisation with its house in order but needing to uplift the ecosystem of suppliers, customers and partners that it relies on, a cyber strategy may give greater importance to outreach activities.

3 – A cyber security strategy activates your whole organisation

Cyber security is a whole-of-organisation endeavour. Success relies on buy-in and action from the whole organisation, be it front-line teams handling data in more security-conscious ways, or IT teams promptly patching or onboarding key security controls to the systems they manage.

That’s why, when developing cyber security strategies for clients, we write them with boards and senior executives as the target audience. Articulating cyber security challenges in business-focused language not only invites these influential leaders into the problem space, it allows a CISO to spell out the role played by every part of the organisation, hopefully creating an informal mandate for shared responsibility for a shared challenge.

4 – A strategy sharpens focus on outcomes, versus process

Many cyber security problems are inherently complex and often technical. It’s also a domain dominated by countless vendors and solutions providers. There’s no shortage of opinions on how to solve problems, or new solutions to try.

While this “solutioning” is generally positive, it can also focus too much of a CISO’s attention on the “how” before they’ve established a clear view of “what” the right problems to solve are. A strategy is an opportunity to step back and build a razor-sharp view of what you need to solve and what outcomes you want to achieve, which a board can then endorse, before building a roadmap of solutions for how you will achieve it.

A final footnote

As of recent updates (version 2.0 of the NIST CSF, released in February 2024), even best-practice frameworks now call on organisations to develop a “tailored cybersecurity risk strategy … based on your organization’s specific cybersecurity objectives, the risk environment, and lessons learned from the past”.

So not only does a cyber security strategy deliver benefits above and beyond achieving alignment to best-practice frameworks, it’s now a necessary part of doing so!

What’s next?

In future articles, we’ll explore the elements of a successful cyber security strategy, and common pitfalls and mistakes.

You can read our previous posts on cyber security strategies in Towards a north star — why your organisation needs a privacy or cyber strategy and Crafting a cyber security strategy — advantage and pitfalls.

If you’d like to talk to us about how we can assist you with your cyber security strategy, please get in touch.