Developing a Cybersecurity Strategy
By understanding several key frameworks and concepts, business leaders will be better able to create and manage their cybersecurity strategy.
Cybersecurity is an essential part of every business. With cyberattacks and the number of legal claims rapidly increasing, there has never been a greater need for company leaders to understand the security of their business. However, for many business leaders, the difficulty with cybersecurity is that they don’t have time to learn and understand the endless number of cybersecurity concepts and tools. It is true that most business leaders won’t ever have time to learn everything there is to know about cybersecurity. However, by learning the major concepts and frameworks in this article, leaders will build enough fluency to have a solid foundation in the areas most important to their job functions. Having a solid foundation will prepare leaders to contribute to the creation of an effective cybersecurity strategy.
While far from exhaustive, the concepts and frameworks detailed in this article are the foundation for any effective cybersecurity strategy. This article should serve as a basic foundation and launching pad for leaders to take the next steps in knowing where to look for more information so they can continue to build a cybersecurity strategy that meets the needs of their individual business.
Developing a Cybersecurity Strategy - Key Concepts & Frameworks
Build and Grow With Security in Mind
Cybersecurity needs to be taken into consideration at the beginning of each new development within a company, from expanding to new geographies and customers to developing new products or services. Keeping cybersecurity a top concern will save time, frustration, and costs later on. For any growing business, security will become a necessity at some point, and retrofitting a business’s operations, products, or networks will be much more difficult if cybersecurity hasn’t been considered from the beginning.
As businesses grow, not only will they become a more attractive target for hackers, but they will also have more potential points of exposure. Any new employee, business location, product, or service can become a vulnerability. In addition to the increased risks of attack, companies will also face increasing pressure from other sources to have proper security in place. For example, most private equity valuations are impacted directly by a firm’s level of cybersecurity. In other words, investors know how important cybersecurity is, and they are willing to pay for it.
Companies need to build a business with a security plan that allows them to stay secure as they grow. Trying to retrofit cybersecurity is much more difficult and costly if a company doesn’t include it from the beginning. This could be compared to a city that is trying to lay new roads. If the rest of the proper infrastructure isn’t in place before the streets get paved, then the city will likely need to tear the roads up later to lay the other utilities such as sewer, gas, water, and electricity. By tearing up the roads, the city has effectively doubled or tripled the cost of paving those streets. Cybersecurity works the same way. With proper planning and execution, companies can reduce overall costs by building security into their operations, rather than trying to fit it into the operations they already have.
Cybersecurity Risk Management
In order to properly build a business with security in mind, or make decisions that will successfully integrate cybersecurity as part of a business strategy, companies should start by performing a risk analysis. To successfully complete a cybersecurity risk analysis, most companies should follow a process that allows them to identify exposures, determine the potential impact of those exposures, and then take the steps to mitigate these risks. The board, executives, and other relevant company leaders should ask questions such as the following as they develop their risk analysis:
- Which assets, resources, and capabilities are at risk? Often, the total of all exposed resources is referred to as the “attack surface.” For most companies, the attack surface includes a number of their most important assets. These assets include proprietary information, processes, and protected data. A company’s software, network, or hardware can also be points of exposure that are vulnerable to cyberattacks. Another area that has become a point of vulnerability for many companies is through their suppliers.
- What are the specific weaknesses that put these assets at risk? Each asset will have specific attributes that potentially make it vulnerable to cybersecurity risks. A cybersecurity threat could arise from a vulnerability in the company’s network, from an untrained employee or from a lack of proper controls. Identifying these weaknesses is a necessary prerequisite to fixing them. Identifying potential future weaknesses can also allow companies to be proactive about building security as they grow.
- What is the potential impact of each exposure? After identifying the points of weakness within a company, the next important step is to determine the impact of that weakness if it were to be exploited. This will require a company to consider the potential legal costs, loss of revenue, downtime, loss of reputation with customers, and other potential costs.
- Which risks should we prioritize? After identifying the potential impact, companies should be equipped to prioritize which problems they want to handle first. No company can handle every threat. But by prioritizing the handling of the largest threats, companies will be able to reduce their level of risk efficiently. Other factors may also make a risk a higher priority, such as a particularly egregious exposure, or the likelihood of an attack. Figure 1 demonstrates one way of approaching this step using a risk analysis matrix. Those risks that are both likely and highly impactful are those that need to be prioritized.
- What are the next steps needed to implement these priorities? After prioritizing the various threats, leaders should make specific plans that detail how and when they will implement measures to better secure their business.
- How effective have our past efforts been, and how can we continue to improve? Once efforts have been made to establish a list of risks and prioritized actions, companies should continue to perform risk analyses on a regular basis.
Each of these questions is important to identifying risks and prioritizing the actions that need to be taken. Once a company is aware of its risks, there are often many simple steps that can be taken to decrease the attack surface. This may include not storing proprietary information in accessible locations, physically securing devices and networks, or implementing the necessary processes and software to increase security. Many of the simple actions that companies can take are detailed in our article “Cybersecurity Basics for Businesses.”
Cybersecurity Opportunities
Many companies build a cybersecurity strategy based solely on risks or compliance needs. Leaders see that the company needs certain certifications to be legally compliant or to conform with industry standards. While this may be a functional starting point, many firms should add the perspective that security also opens new opportunities. Having a risk- and opportunity-driven approach to security will allow security to become a piece of what makes the business successful rather than a distraction from higher priorities.
Most companies can use cybersecurity as a lens that allows them to identify new opportunities to cut costs. For example, companies might be able to cut overall costs by working with the IT department to consolidate technology licenses.2 Having an efficient, effective, and proactive cybersecurity strategy as part of the business plan can also decrease costs by allowing companies to prevent problems before they happen. In this way, companies will not have to constantly invest time and resources into putting out fires they could have prevented in the first place.
Additionally, many companies also have an opportunity to use better-than-average cybersecurity as a differentiator in the marketplace. Many prominent companies have done so and have seen great results. One of the most prominent examples of this is Apple, which touts its products’ security measures as the best in the industry. Service providers can also use security as a differentiator. For example, Gemini, a cryptocurrency trading platform, has been able to attract customers by making security one of its “four pillars.”3
B2B companies can also shorten their sales cycle by having proper cybersecurity documentation ready for a client’s security team to go over. On the other side of this, however, is the reality that every company purchasing services or inputs needs to check whether their suppliers are secure. Many successful hacks over the past several years have been due to the firm’s suppliers. Thus, it is crucial to keep cybersecurity in mind when making purchasing decisions. Overall, by going beyond a responsive approach to cybersecurity, most companies will find that good cybersecurity opens a host of new opportunities. By taking advantage of these opportunities, companies can make cybersecurity an integral part of their overall business strategy, which will serve to make security stronger and the business better.
Determining IT Security Priorities
Another important framework for business leaders to understand is what is referred to as the “CIA Triad.” In cybersecurity, this acronym does not refer to the Central Intelligence Agency, but rather to a framework that establishes a way of approaching the attributes of IT security. The letters of the acronym stand for the following—
- Confidentiality – protecting private data and the transfer of that data
- Integrity – protecting against the deletion or modification of data by unauthorized persons
- Availability – having systems that are up and functioning properly to give access to data whenever it is needed
Each of these attributes of an IT security system is important for every organization. However, most organizations don’t have the time or resources to be completely effective in all three areas all the time. The closer a company moves to perfection in each of these areas, the more expensive it becomes to improve. In economic terms, improvement in each of these areas will be accompanied by increasing marginal costs. This means that to properly support operations, most organizations must prioritize the areas in which they choose to invest.
For example, to increase and ensure near-perfect availability, a company will need to invest in this attribute of their system across the board. This means having the correct hardware and software. Having the correct hardware may mean going as far as investing in backup generators to keep your system up and running during a power outage. Most hospitals have systems like this in place. Having the correct software means using service providers that contractually agree to 99.99% uptime for their system, which will be much more expensive than an average provider. Because of the costs of each area, most companies will need to prioritize the areas that matter most in their business.
People, Processes, Technology
After a company knows its cybersecurity risks, priorities, and opportunities, it needs to develop a cybersecurity strategy and a plan of action. The plan should involve hiring, implementing, and purchasing the right people, processes, and technology.4
People
In order for a cybersecurity strategy to be implemented, someone needs to be accountable for progress, and someone needs to enact the strategy. In many companies, this may be the CEO or another member of the management team. However, in many instances, these leaders have other aspects of their job that demand more attention. Often when the responsibility becomes substantial enough, a company will need to hire a chief security officer (CSO) or chief information security officer (CISO). Most companies will then also need to have security personnel in various departments such as IT, research and development, human resources, accounting and finance, and others. Including cybersecurity personnel in various departments will keep cybersecurity on the forefront for different teams and allow proper implementation of a cybersecurity strategy.
In addition to formal and dedicated employees, every individual in an organization needs to be trained in how to prevent cybersecurity attacks. Employees are often considered the greatest weakness in cybersecurity strategies. Often employees are targeted by hackers using what are referred to as social engineering techniques such as phishing. These attempts can be incredibly advanced and convincing. This is why it is imperative for employers to effectively train their employees to avoid these traps.
Processes
Another key aspect of cybersecurity is having the correct processes in place. These processes should keep things such as software, hardware, and employee training up to date and functional. For more information on some of the basic processes a company can establish to increase security, see our article titled “Cybersecurity - Basic Hygiene for Businesses.”
The cybersecurity field changes so rapidly that it isn’t enough to establish permanent processes; rather, a company also needs to establish a pattern of process improvement. This means regularly evaluating, improving, and modifying the processes the firm has in place. This will allow firms to both maintain and increase security.
Technology
The final major area of implementation to consider is technology, which refers to the hardware and software a company has in place as part of their cybersecurity strategy. The technological needs of each business will be unique. They may include network security devices and software, personal device software and controls, and other security measures. An important aspect of security is also to make sure that the software providers a company is using support adequate and compliant cybersecurity measures. Providers don’t simply need to provide relevant software, they need to do so securely. In many cases, successful cybersecurity hacks have happened because of a supplier that didn’t implement proper cybersecurity measures. By keeping security in mind when selecting the hardware and software a company uses, leaders can avoid needing to invest in separate security measures later on.
Official Frameworks & Security Control Standards
As a company is developing its basic cybersecurity strategy, it also needs to understand the specific laws and frameworks to which it will be held accountable. Different industries will have differing levels of security that are required depending on the nature of their business. These regulations may be codified in law or simply enforced by industry dynamics. For example, some privacy laws are specific to healthcare-related businesses or educational institutions. For more information on these and other laws, see our article about cybersecurity laws and regulations.
Other institutions may be required to follow or choose to follow professional cybersecurity frameworks that have been established by external organizations. These frameworks provide a wealth of information about specific controls companies can establish and specific actions they can take to become certified as secure companies. In the cases where these certifications are required, companies need to be ready to prove their compliance.
Cybersecurity frameworks offer a host of potential benefits. First, they give firms a way to create a comprehensive cybersecurity strategy without having to invest in creating their own frameworks. This lowers the overall time needed to create an effective and comprehensive strategy. In addition, many of these frameworks offer certifications that will serve as proof to customers and suppliers that a company is safe to do business with. Thus, many companies choose to follow one or more of these frameworks, even if they aren’t legally required to.
The list of potential frameworks is long; however, most companies should be familiar with some of the most common frameworks that are talked about and used in the cybersecurity space. These include the ISO 27001, NIST, and SOC 2 cybersecurity frameworks.
ISO 27001
The International Organization for Standardization, also known as ISO, is a non-governmental organization that creates international standards for businesses. Currently, the ISO’s set of standards regarding information security is referred to as ISO 27001. According to the ISO website, this set of standards “specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.”5 A company’s information security management system (ISMS) refers to the processes, policies, and systems put in place by the company to manage its data.6
An ISO 27001 certification will force a business to become secure in many ways that have direct benefits. However, the benefits of an ISO certification can go beyond the immediate benefits of increased security such as thwarted attacks and avoided lawsuits. A certification can also improve relationships with customers and suppliers who see the value you place on securing their information. An ISO certification will also help a company establish patterns of continual improvement which will set the business up for long-term success.
Currently, an ISO 27001 certification is the only international cybersecurity certification that is widely recognized by cybersecurity professionals. A company can become ISO certified, but how quickly it becomes certified depends on which previous measures they’ve taken. The certification process can be lengthy, taking anywhere from several months to a couple of years. During this time, the ISO auditors will examine the various processes, policies, and systems within the company as well as monitor the ways in which the company is continually improving. Normally a company will continue to be audited annually by a certification body. More information about the standard, including its full description, is available on the ISO website.
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST), which is part of the United States Department of Commerce, is responsible for creating standards in a variety of areas, including cybersecurity. The NIST framework is a voluntary framework created to help reduce cyber-related risks to critical infrastructure in the United States. The NIST does not provide official certifications like the ISO does. However, the NIST does have validations for products and modules that have been properly and independently tested. The NIST offers a variety of resources that are tailored to businesses of every size. These resources are available on the NIST website.
SOC 2
SOC 2, which stands for system organization controls, is a certification framework developed by the American Institute of Certified Public Accountants (AICPA). This framework is designed to help increase security, particularly when companies are using cloud services. This means that this framework will be relevant for companies in a variety of industries. The framework is meant to help provide better security surrounding both internal company data as well as the data of customers. SOC 2 also includes an auditing process that creates two internal reports which provide details about the existing controls in the organization. These reports are intended to be used by the management team to make them aware of performance and potential improvements. Most SaaS companies, or companies that use cloud services, need to seek SOC 2 certification in order to conduct business efficiently.
Like ISO 27001, companies can seek SOC 2 certification. In order to be compliant, a company needs to ensure proper information security with regards to the five principles of trust that exist for data that is stored or processed in the cloud. These principles are security, availability, processing integrity, confidentiality, and privacy. More information about this framework is available on the AICPA website.
Other Cybersecurity Business Certifications
There are a variety of other frameworks and certifications that a company might need to be aware of depending on size, industry, business relationships, and a number of other factors. For example, ITIL or IT service management (ITSM) frameworks help with managing IT dependencies and integrations while keeping security a part of the process. Following this framework can help companies implement the standards of ISO 27001.
In any firm, leaders will need to do research to discover the frameworks and certifications that will be best for them to follow. By successfully using the available frameworks to establish cybersecurity, companies will be able to more effectively and efficiently establish cybersecurity measures. In addition, organizations will have the opportunity to become certified, thus opening future opportunities.
Conclusion
Many business leaders are intimidated by cybersecurity, which is understandable. Cybersecurity is a world of its own, and not even an entire career could cover its full breadth and depth. However, by understanding where to start, and by establishing effective plans and processes based on solid frameworks and relevant certifications, business leaders can make significant headway towards building a cyber-secure business. In addition, a company will be better able to take advantage of a host of potential opportunities. By establishing effective cybersecurity, leaders have the ability to secure their future as well as open new opportunities for growth and progress.
Resources Consulted
- IT Governance: “Cybersecurity Risk Assessment.” Accessed 16 Mar 2021.
- Tunggal, Abi Tyas. UpGuard: “How to Perform an IT Cyber Security Risk Assessment: Step-by-Step Guide.” 1 Dec 2020.
- Fasulo Phoebe. SecurityScorecard: “How to Perform A Cybersecurity Risk Analysis.” 31 Jul 2019.
- Forcepoint: “What is the CIA Triad?” Accessed 16 Mar 2021.
- Dawson, Scott. The Core Solution: “The Benefits of Implementing ISO 27001.” 18 Oct 2019.
- Y Scouts: “How to Hire a Chief Information Security Officer.” Accessed 16 Mar 2021.
- Gray, Patrick. Lake Forest Group: “What to look for when hiring a Chief Security Officer (CSO).” 2 Jan 2021.
- Strake Cyber Risk Solutions: “Cybersecurity Risk Assessment.” Accessed 16 Mar 2021
- License consolidation is taking several licenses and combining them into a single license file.
- Gemini: “About.” Accessed March 16, 2021.
- ITILnews.com: “ITIL Back to basics (People, Process and Technology).” Accessed 16 Mar 2021.
- ISO: “ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements.” Accessed 16 Mar 2021.
- IT Governance: “ISO 27001, the International Information Security Standard.” Accessed 16 Mar 2021.