Strategy (Definition): A high-level plan to achieve one or more goals under conditions of uncertainty.
It seems like never in the history of man have conditions of uncertainty been more relevant than in this day and age of cyber-risk. It seems like each day, there is some new cyber event or data breach being reported.
If you find yourself tasked with the responsibility to protect your organization, you might consider working with your business leaders to adopt a cybersecurity strategy.
A strategy is a document that can really help guide your organization through the unknown by helping to keep you focused on planned outcomes. It is also a great document to share with your organization's stakeholders. Stakeholders may include your customers, partners, insurance company or any other party with a stake in your cybersecurity.
One organization that really did a great job of developing a strategy for cybersecurity is the State of Illinois. You can read about their cybersecurity strategy here.
You might think that an activity like developing a strategy is only appropriate for a government or large organization, but this is not true. Any organization can benefit from a strategy. A strategy helps communicate the basics, like what you value and how you have organized to meet the challenge of a cyber-event.
I believe that a cybersecurity strategy is the first component to a well-developed cybersecurity program.
Cybersecurity needs to be managed as part of a life cycle; you are never finished, and the first component of that life cycle is taking stock of what you value. Developing those values can help you chart a course through the murkiness of a cyber-incident when things get rough.
Another great thing about a good cyber-strategy is that it is perfectly aligned with the NIST Cybersecurity Framework. Anyone who has ever looked at the NIST framework will know it asks you to create a “Framework profile”. NIST defines the framework profile as “alignment of the functions, categories, and sub-categories, with business requirements, risk tolerance and resources of the organization.” That sure sounds a lot like a strategy to me.
If cyber is your thing, take time to look at what the State of Illinois has done; it is the perfect example of a well-thought-out strategy.