A cybersecurity strategy grounded in your unique business ecosystem will quickly reveal what must be protected. Enterprise IT still matters; it moves, analyzes, and stores much of your business-critical data. However, a cybersecurity strategy must now go further. Your industry should shape the fine-tuning of the scope, but the components of your ecosystem ‘map’ boil down to several key features:
- Enterprise IT: the back-end technology infrastructure that facilitates company-wide communications; processes, stores, and transfers corporate data; and enables workforce mobility
- Supply chain: the flow of materials and components (hardware and software) through inbound channels to the enterprise, where they are then operationalized or used in the development of products and services
- Product/service development: the research, design, testing, and manufacturing environments for your products and services
- Customer experience: the operational realms where customers use and interact with your products or services
- External influencers: all external entities that affect how you guide your business, including regulators, law enforcement, media, competitors, and customers.
A cybersecurity strategy at this scale requires enterprise-wide collaboration. It will take the whole organization to manage cyber risk, so it is imperative to cast a wide net and include representatives from across business units in strategy formulation discussions. Developing a security strategy that reflects the scale and complexity of the business challenge is a multidisciplinary team effort.
Elements of cyber strategy at scale
Building a cybersecurity strategy can seem overwhelming, but it doesn’t have to be. Start with a vision, understand the risk, identify controls, and build organizational capacity. Each element builds on the one before it.
Set a vision: It all starts with a creative vision. It’s critical to paint a high-level landscape of the future that portrays how cybersecurity is intertwined with the most critical parts of your business. Think about how value is created within your company. Is it a cutting-edge product? Is it by delivering world-class customer service? Craft a short story on how cyber protects and enables that.
Sharpen your priorities: You have limited resources, just like every other company. You can’t protect everything, so you had better be certain you’re focusing on the most critical business assets. The first step is to figure out what your company determines to be its ‘crown jewels.’ Once you’ve defined what truly matters, evaluate how exposed, or at risk, these assets are. That gives you a basis for right-sizing your security program around them.
Build the right team: Once you define what matters and how much security makes sense, think about the people. What do your direct and extended workforce have to look like to be uniquely successful at your company? These days, you can’t get by with a security program staffed mostly by technologists. It is time to weave in an accompanying set of skill sets that will help propel you to success, including organizational change management, crisis management, third-party risk management, and strategic communications.
Enhance your controls: This is largely about scope. With your company’s quickly expanding ‘map’, you’ll need to adopt new methods for treating risk. For example, if you deliver a ‘connected’ product to consumers, you’ll have to ensure strong embedded device security, as well as protection of the wireless communications it depends on. Without this, your brand could be at stake. Fortunately, there’s a great deal of momentum in the world today, with new methodologies, technologies, and skill sets continuously being developed to meet the challenge of today’s expanding cyberattack surface.
Monitor the threat: Unfortunately, cybersecurity isn’t only about reducing risk behind your firewalls. It must also include maintaining awareness of the threat landscape, both external and internal. Because the threat is always changing and always determined, you have to take on that same adaptive mindset. Whether that means employing strong monitoring and detection capabilities, consuming threat intelligence feeds, or participating in an industry-level information sharing forum, there are many avenues that you should strongly consider using.
Plan for contingencies: No one can ever be 100% secure, so it’s vital to have a strong incident response capability in place to manage the ensuing events when something happens, because something undesirable most certainly will happen. Incident response is more than just having the right technology capabilities in place, such as forensics and malware analysis. In fact, real success in cyber incident response usually comes down to the people aspect. How plugged in are you with your company’s legal, privacy, communications, and customer-facing sales units? They are all critical to success, and with this expanded scope of players, you can imagine how a cyber matter can quickly rise to become a top-line business matter.
Transform the culture: The best organizations out there today do this well. Because people are the core of your business, it comes down to them ‘buying in’ to cybersecurity as something they care about. From your dedicated cyber workforce, to business unit leaders, to those who manage your company’s supply chain, you’ll need all hands on deck, each doing their part in advocating for and implementing cybersecurity measures. A security organization can make this easier by finding ways to make cyber relevant for each part of the business and by sharing innovations that excite and enable the business.
Go deeper with Booz Allen Hamilton in Navigating the Digital Age and learn more about what it takes to make your organization secure.