elevenM Directors Peter Quigley (cyber practice lead) and Melanie Marks (privacy practice lead) explore why many organisations don’t have a privacy or cyber strategy, and the reasons they should.
At elevenM, we’re fortunate to work with many great organisations that are proactive and thoughtful about how they tackle challenges in cyber security, privacy, and data and AI governance.
The most mature of these organisations take a highly strategic, business-centric approach to these challenges — an approach that typically manifests in a flagship strategy — be it a cyber security or privacy strategy.
During a conversation among our team this week we reflected on the reality that many organisations we work with (or have exposure to) lack a cohesive cyber security or privacy strategy. But these organisations don’t lack an active cyber security or privacy program. In fact, in many cases they run quite large and comprehensive programs and have done for some years. But those programs aren’t anchored in a holistic, business-focused strategy.
Why not?
One reason many organisations operate without a cyber security or privacy strategy is that, while in some areas of business a strategy is critical to setting the direction for work that needs to occur, cyber security and privacy programs tend to be shaped by other imperatives.
In cyber security, well-established and internationally recognised frameworks offer a blueprint for what a cyber security team needs to do. These frameworks increasingly have board-level recognition, so are often seen as a safe choice for moulding a cyber security program.
NIST’s Cybersecurity Framework (CSF) is one such example — essentially a detailed prescription of capabilities that a cyber security team needs to build across the cyber security domains of Govern, Identify, Protect, Detect, Respond and Recover. Less comprehensive, but playing a similar role for smaller organisations, are strategies like the ACSC’s Essential Eight. For many organisations, their default “strategy” (for want of another word) is building to NIST CSF or Essential Eight and aiming to raise their maturity score over time. (UPDATE: NIST has recently released CSF 2.0, which now outlines the requirement for organisations to develop a “tailored cybersecurity risk strategy … based on your organization’s specific cybersecurity objectives, the risk environment, and lessons learned from the past”. We’ll be writing more on this in an upcoming post, but it will be interesting to see the extent to which this inclusion drives the development of bespoke cyber security strategies).
And then there’s the threat landscape. The specific dangers posed by attackers can also set the tone for what cyber security teams need to be pre-occupied with, and therefore what activities they should be pursuing.
In privacy, a list of what activities must occur is largely driven by regulatory requirements. The Australian Privacy Principles outline what Australian companies must do, and privacy compliance programs accordingly take their direction from this regulatory framework. Businesses with global footprints might also draw direction from global frameworks such as GDPR. Many organisations will also feed in customer expectations as an overlay to what the law requires but rely on infrequent longitudinal studies which are highly generalised and not specific to their customer or stakeholder base.
Audits are also commonplace in the worlds of privacy and cyber, the results of which then dictate the activities and streams of work that must be carried out. (In our experience, the agenda set by audit remediation plans can sometimes disrupt and distract from the execution of otherwise well-considered plans devised by privacy and security leaders.) In a similar vein to audits, red team exercises and reviews of incidents can similarly set out the agenda for privacy and cyber teams.
Ok, so why do I need a strategy?
All of these activities are necessary and foundational elements of building privacy and cyber security programs. But we’re often approached by organisations who, despite have well established programs of work in cyber security or privacy, need help bringing it all together in a cohesive, strategic, future-focused and business-aligned way.
This is where a strategy comes in.
Here are five benefits that organisations can get from developing a strategy to guide their cyber security or privacy programs.
- A clear mission — The ultimate value of a strategy is to create a clear sense of mission for the organisation around how privacy or cyber security helps it achieve its broader purpose and engender the trust of customers and other stakeholders. Beyond legal or compliance reasons, why does cyber security or privacy matter to your organisation? What is the motivating north star for privacy and cyber security teams, and the rest of the organisation, that drives them to achieve privacy and cyber security goals in the best interests of the wider organisation? You can read more about that here.
- Business alignment — Related to point one, a strategy brings business context. While frameworks provide the scaffolding for what you can do, a strategy articulates how cyber security or privacy needs to align to the wider business strategy and context of the business. If your business is pursing an acquisition strategy, how is this goal supported by the cyber security team? Similarly, if the business is looking to deliver more personalised data-driven services, how does the privacy program enable this while helping the business remain compliant and maintain trust? A strategy will explain how cyber security or privacy will support current and future business objectives and aspirations.
- Prioritisation — It’s a truism, but typically there is a great deal to do in privacy and cyber security and limited resources with which to do it. A strategy provides a view on priority, which is often based on factors such as levels of risk and the maturity and capability of the organisation. Multi-year strategies generally articulate these priorities through the development of an accompanying roadmap.
- Stakeholder engagement — Even the best cyber security or privacy teams rely on the rest of the organisation to achieve their objectives. A strategy reflects an understanding of organisational context, and recognises the key stakeholders and dependencies that are critical to achieving privacy and cyber security outcomes.
- A storytelling device for executives — By bringing together all of the above, a good strategy offers a cohesive narrative for boards and executive teams. It builds confidence in what the cyber security and privacy teams are seeking to do, and is thus often the foundation for engaged and supportive future conversations about the privacy or cyber security program.
If you’re interested in learning more or keen to explore how we can assist you develop a privacy or cyber security strategy, contact us at hello@elevenm.com.au.