There seems to be a constant whingeing from a certain functional leadership within the senior management of organisations. There are at least two such posts on LinkedIn every week from senior professionals and leaders in the Cyber Security field. This is not to say that these complaints are unwarranted or unjustified; we’ll talk about that another time. But first, as I said in my presentation at the Whitehall conference in August 2015 (see the presentation here), we need to get our MOJO back. But seriously, what does that mean?
Whilst I have worked with some very brilliant and articulate leaders in our industry over my two and a half decades in the industry, some issues constantly reappear; topmost is the seeming lack of transparency of a correlated vision and strategy which aligns to the organisations for which we work. This is the key to engagement with the “board and business”. I must also quickly add that I have been fortunate to work with some colleagues who had this down to a tee.
This engagement with board and business is not a political tool, as it is so often used; our teams must also be engaged and brought into it to ensure we all pull in the same direction, with everyone knowing their responsibility and contribution to the whole.
Whilst I don’t want to sound like I’m preaching to the converted or teaching people how to suck eggs, I reckon it is always useful to be reminded of why we do what we do and to see how we can improve our relationship with the rest of the business and organisation.
From time to time, it is important that security leaders review their approach and strategy to defending the organisation, both from outside and from within. Our strategy must be a living and dynamic document/artefact, which should be reviewed at least quarterly, preferably with other members of our team.
So where to start? The mindmap below shows some of the key areas and aspects of a cyber security strategy. Strategy is a top-down approach, as it is a governance and oversight responsibility.
As the saying goes, a picture says a thousand words; the mindmap helps illustrate, articulate and highlight the key drivers, risks and control areas important for the business. You may use it to:
- Identify the organisation’s pain and stress points. It is not an audit tool, but it may be used by auditors to make their findings more aligned to the risk exposure of the organisation and to avoid the ding-dong with CISOs over remediation priorities. It helps the conversation between the auditor and the CISO as to why some controls/risks are less important than others and why the CISO would downgrade them or spend scarce resources in other areas.
The pain and stress points should be about the organisation’s business objectives, which are often measured in KPIs. Non-compliance with any standard may be dealt with as a business risk in an open and transparent fashion with the business stakeholders.
- The information, data and key business systems that support business objectives are the key cyber security assets to protect and preserve. This information will relate to the business type/sector (manufacturing, aviation, logistics, banking etc.). It helps identify the nature of the information and data the organisation processes or uses, and their importance. For example, the information security risk profile of an airport is different from that of an airline. An airport is a logistics business, similar to a train station or bus garage, the purpose of which is to be a temporary holding place for passengers in transit between two locations. It holds very little data on the passengers other than volumetrics for planning of facilities, conveniences and other services travellers may need. The “station” does not even have to provide any of the facilities itself; it can outsource and lease out the space to others to provide the services. The station, however, must ensure that passengers, travellers and visitors to its station are physically safe and secure while on the premises. If it is an international border “station”, such as an airport, it must ensure facilities are available for border control and provide “transitory” security checks for the airlines before passengers are handed over to them. The airline, for its part, is responsible for security while passengers are in the air.
In this example, neither the stations nor the transport operators have any requirement to hold passengers’ personal information, at least while we are not in a Gestapo state, but of course anything can happen under COVID-19. However, since 9/11, airlines may be obliged to hold certain passenger information for a limited period of time, depending on jurisdiction.
- Still on information, data and information systems, it is important to know the critical and sensitive business data and information, where they are stored or processed within and outside of the business, and their value and relative importance to the organisation’s goals. What is it worth in pounds and pence? Can the business live without it? What’s the opportunity cost?
This point is all about value and provides a basis for how much should be expended on controls. It may also provide the basis for how much risk the organisation is willing to take, i.e. what level of control are we aiming for? What security maturity level is sufficient for our organisation? What do we do with risks that we cannot control? Certainly we cannot control or eliminate every risk even after we have applied our controls; besides, there’s a limit to the effectiveness of controls.
Of big importance is the question: what level of security capability maturity, mapped to a risk level, are you aiming for? Would you know when you arrive there? What does it look like?
- We should not be talking about implementing controls until we have considered all of the above. However, most environments are brownfield, where controls have already been deployed, which is why most newly appointed security leaders start with the controls and security improvement programmes, and why they struggle. The discussion should start at the Infosec Risk Strategy Considerations on the mindmap! A newly appointed CISO should spend the first 90 days between steps 2 and 3 (Infosec Risk Strategy Considerations and Controls) on the mindmap. Of course this does not exclude addressing burning-platform, low-hanging fruit!
You need to understand who might be interested in your organisation’s information or data as an adversary, and what their resources and capabilities are.
- There are very many drivers for information security in an organisation, and hopefully our risk considerations will have covered them. They serve as the principles on which our controls are based. Cyber security policies are the first expression of those principles, in how we want to control them. The biggest challenge in most environments is “should our policies be holistic and cover all of our principles against our risks” or “should our policies only stipulate the controls we already have in place”. The argument is often that if we take the first approach we would immediately be non-compliant with our own policies, which most CISOs find puts them on the back foot against auditors, potential customers and the board. My approach, which I must say has not won me a lot of friends, is the holistic policy covering all risk areas. This should then be supported by a gap analysis of where we are against the policy, thereby providing a basis for continuous improvement. It is transparent and shows you know where your risks are, and that you have a plan in place to address them.
- Key Risk Indicators have bidirectional input; however, I tend to favour the top-down direction, because it talks to the business objectives and is linked to the organisation’s Key Performance Indicators (KPIs). The lower-level indicators are often technical considerations which should have been adequately covered if the high-level indicators are robust enough. Low-level KRIs may also be used to validate the high-level indicators.
Essentially, KRIs should form the basis of the metrics to be reported back to the business; anything else is superfluous! Metrics may be subsumed or called out within the context of KRIs. This information should be available or extractable from security controls and GRC tools at the click of a button, 24/7/365.
So what are the KRIs for your organisation? Are they aligned to the business objectives? Are you reporting on them? Can you call them up in real time?
After all is said and done, there are some factors, such as the organisation’s culture, that affect every aspect of the implementation and success of the discussion above. The CISO has little or no control over the organisation’s culture and will do well to assess whether it supports him/her in delivering what the organisation has asked for, or what they need. Is he/she prepared to give them what they have asked for, or what they need? The organisation may actually not know what they need and may just want him/her to be a tick in the box. If it doesn’t, I will consider my position, or else be prepared for a very rough ride.