Want a really good cyber security strategy? Skip to the end.
If you’re finding it difficult to develop a consistent cyber security strategy, you’re not alone. The current landscape is a complex one – and that makes it hard for leaders to take a few big steps backwards to think strategically.
Meanwhile, everyone is dealing with escalating volumes of information and noise about cyber security threats. We know the threats are there and are on the rise: the Australian Cyber Security Centre reported a 13% year-on-year increase in cyber crime in its most recent threat report. Most of us are also aware that many of the threats originate within our own organisations, thanks to the rise of Shadow IT and other human factors.
It’s no wonder that IT teams are fatigued. We’re suffering from the endless demands on our time and attention, and it’s tough to keep up with the BAU – let alone look at strategic projects. Leaders are also tired, especially if they’re being peppered with information about cyber security products, services and strategies from incumbent and prospective vendors and partners.
It seems we’ve reached a cultural tipping point. Cyber security has moved to the foreground of the agenda, and is now a significant contributing factor to organisational strategy and operations. And that has an impact on not only your people, but also your processes and systems.
As a leader in your organisation, it can be difficult to know where to start with cyber security strategy. What to do, who to hire and what to buy to step up your security posture.
Our simple advice is to stop worrying about where to start. Instead, keep it simple and manageable by starting at the end. Defining the end state is the foundation of strategy development, and it’s no different in the world of cyber security.
What does really good look like for you?
When we say “start at the end”, we’re talking about developing an understanding of what really good looks like for your organisation. That means taking some time to have an unfiltered look at your organisation and mapping out all the decisions you’d make if you had no barriers, influences or history with incumbent providers and partners.
This process has many benefits, the main one being that it will remove much of the complexity you’re grappling with in the cyber security realm. It will also change the way you interact with your people, your vendor network and your strategic partners. Rather than making ad hoc decisions about investments and renewals, for example, you make them in a strategic fashion, because each one is aligned with your vision of really good.
It’s important to realise that there is no single definition of what really good looks like. Similarly, there is no single product or set of products that represents the right mix for everyone (although, as a specialist Microsoft Security provider, we advocate for Microsoft ourselves).
In general, you will need to consider the following questions:
- Can you standardise on a vendor?
- Which Security Information and Event Management (SIEM) solution will you go for?
- What inputs are important for you to determine your posture and then act if required?
- What can’t you compromise on in this new world?
- What do you now expect from people, process and technology?
- Do you plan to do this all yourself or with help?
Once you understand your own position, you can extend those expectations to the people and partners who interact with your services.
What does the process of getting to really good look like?
Excellent question! The good news is that it doesn’t have to be a laborious process. In fact, most organisations can complete it in around two weeks, following these guidelines:
- Have the right people involved in the process. This is a project best undertaken at the executive level rather than at the functional level, because you want the end-state vision to be aligned with where the organisation is headed.
- Start with a blank page and keep the end-state aspirational. Complete this exercise as if you had no other technology investments to consider, and nothing holding you back. What would your cyber security outcomes look like in a perfect world? From there, what products and services would you need to support it? Who are the people running it and how?
- Once you’ve defined “really good”, refine it until it’s manageable. We’re all about translating things for the real world. Where are the constraints in your current environment, and which of them can’t be changed? This is as close to artistry as it gets in the cyber security world – tweaking the environment to bridge the gap between “today” and the desired end state in manageable stages.
- Include an external perspective in the mapping process. Whether it’s a trusted partner or an industry expert, it helps to have someone independent in the room who has seen what “good” looks like in similar organisations; it also minimises organisational bias. It’s especially helpful if that partner has been through the process before and can guide you through it.
If you’re interested to find out more about developing a really good cyber security strategy for your organisation, or if you’d like help to do it,