Best Practices for an Effective Cybersecurity Strategy
We’ve gathered the most frequently asked questions to help organizations develop an effective cybersecurity strategy that reflects best practices, is aligned with their overall business objectives, delivers measurable ROI and protects their critical data assets against breaches and intrusions.
Why is it important to have a cybersecurity strategy?
Trying to protect your organization from data breaches and security incidents without a cybersecurity strategy is like building a house without a building plan… quite a risky undertaking, to say the least! According to PwC’s “Global State of Information Security Survey 2018”, almost half of all organizations lack an overall information security strategy.
Especially in today’s digitalized environment, businesses can no longer afford to tackle their security challenges with a random assortment of tools and technologies, but must follow a clearly defined cybersecurity strategy. A good cybersecurity strategy can help organizations:
- address their vulnerabilities,
- protect their critical assets against intrusions,
- spend their cybersecurity dollars where it makes the greatest impact, and
- strengthen their cybersecurity maturity over time.
How to develop a cybersecurity strategy
To develop an effective cybersecurity strategy, make sure to address several key questions first that will help structure and prioritize your efforts.
Businesses need to reflect thoroughly on:
- Which assets are important for my organization to protect and why?
- How can my cybersecurity strategy support my overall business objectives?
- Which security initiatives can I outsource and which ones can I take care of myself?
Once you’ve defined your requirements, objectives and capabilities, it’s time to evaluate your current cybersecurity posture and think about what you can do to strengthen it over time.
What shift in cybersecurity is currently happening?
“Establishing a top-down strategy to manage cyber and privacy risks across the enterprise is essential.” (The Global State of Information Security® Survey 2018, PwC)
Now more than ever, businesses are realizing that cybersecurity has become a business issue rather than an IT issue and needs to be aligned with overall business goals. With cybersecurity transitioning from the server room to the boardroom, more and more C-level executives and board members are acknowledging that a healthy cybersecurity posture is essential to ensure continued success and are willing to allocate more funds to cybersecurity projects in general.
Research firm Gartner estimates that global spending on security solutions will increase from $86.4 billion in 2017 to over $93 million in 2018, representing an 8% increase year over year. Oftentimes, cybersecurity budget decisions are made at the highest levels of the organization, so security professionals need to be prepared to pitch their cybersecurity strategy to the C-suite and to the BOD.
What are the best practices for an effective cybersecurity strategy?
While every organization is unique and has different needs in terms of cybersecurity, the most effective strategies are those that are aligned with the overall business strategy.
Cybersecurity strategies that don’t take the business context and objectives into account run the risk of wasting your organization’s budget, time and resources.
- If your organization is subject to compliance standards such as PCI DSS or GDPR but doesn’t implement necessary compliance practices, you may risk hefty fines.
- If your organization is handling large amounts of critical data but doesn’t protect this data adequately, you risk losing your clients, harming your reputation and losing revenues.
- If your organization is operating in the OT space, a cyberattack on industrial control systems can disrupt operations and lead to huge financial losses.
Make sure to identify which data, products or processes are crucial for your business and align your cybersecurity strategy to fit your specific business context.
How to prepare a cybersecurity budget
When it comes to your cybersecurity budget, make sure to list all one-time and recurring expenses that you need to incur every year as well as over a longer period (say 3 years and 5 years) in order to strengthen your cybersecurity maturity effectively. Make sure to include a buffer for unforeseen expenses, such as legal fees, incident response and disaster recovery activities.
An effective cybersecurity budget should also address these 5 major considerations:
- Know what you are trying to protect and why
- Define your risk appetite
- Align your security spend with potential losses
- Beware of promising security technologies
- Measure the effectiveness of your security strategy
A cybersecurity strategy planning tool can help gather all security requirements in one place and collect the projects and related expenses for your annual cybersecurity budget.
How can I convince my boss to adopt my cybersecurity strategy?
Regardless of who approves the cybersecurity budget in your organization, chances are that you will need to pitch your cybersecurity strategy to your executive management team or to the BOD.
To get the buy-in you need to implement your cybersecurity strategy, make sure to:
- get to know your stakeholders,
- bring a concrete example of how your cybersecurity strategy can make a real impact and deliver demonstrable ROI,
- drop the technical lingo and
- align your cybersecurity strategy proposal with the overall business strategy.
If your boss understands how your cybersecurity strategy benefits the business while supporting overall priorities, you will be well on the way to getting your point across.
Do I have to outsource my cybersecurity projects or do it myself?
It depends. The in-house vs. outsourcing debate has been a heated one for quite some time now, and the answer heavily depends on your specific business context, size and requirements. For example, some organizations need to weigh key considerations before engaging a Managed Security Service Provider (MSSP), whereas others may not need external help at all.
- Small to medium-sized organizations typically don’t have the funds, time or in-house security expertise required to tackle their own security projects without external help. An external security service provider can help offload some of the strain and provide a more cost-effective and objective way of dealing with security requirements.
- Larger enterprises tend to have enough funds and in-house security expertise to build their own security practices somewhat effectively. Despite these resources, however, larger organizations are often the biggest targets for cyberthreats because of the large amounts of valuable data they hold, and need to be careful not to overestimate their capabilities and fall prey to cyberattacks despite internal protection mechanisms.
Which security controls should I implement to protect my organization?
Choosing a security control really depends on your specific business context and regulatory requirements. Your business may be subject to different compliance frameworks such as PCI DSS, GDPR or HIPAA, and may, therefore, need to adopt a specific set of security controls to meet your compliance requirements.
What’s important is to apply a security control framework that addresses your regulatory requirements while strengthening your overall security maturity level and helping you meet your business objectives. A security control framework such as the 20 Critical Security Controls by the Center for Internet Security can provide guidance across a variety of cybersecurity requirements and objectives.
How can I measure if my cybersecurity strategy is effective?
While more and more organizations are implementing a cybersecurity strategy, too few actually know if their strategy is effective and helps the business.
Measuring your cybersecurity maturity is key to strengthening your defenses and to allocating your budget to the cybersecurity projects that will make a real impact.
A great starting point to evaluate your current cybersecurity strategy and maturity is a cybersecurity posture assessment, which will assess your current situation and identify which strategies are most important vs. those that you can live without.
If your environment is already monitored on a 24/7 basis, either with a SIEM solution or by a Managed Security Service Provider, ask how you can add a real-time cybersecurity analytics function to your monitoring platform. Ideally, you should have access to a tool that gives you real-time visibility of your organization’s overall security posture at a glance.
Do you need help to develop your own cybersecurity strategy? We’ve created a cybersecurity strategy planning tool to provide you with guidance on what needs to be considered to implement an effective cybersecurity strategy that is aligned with your business context and objectives.