Today, technology changes at a rate most businesses can’t keep pace with, and it’s this lag that introduces risk into organizations’ business operations. To manage risk, many security leaders must implement controls across this ever-increasing, turbulent network landscape. These same security executives also apply best-practice approaches to diverse risk portfolios using traditional concepts such as defense-in-depth and layered security technologies. I believe traditional methods need to be changed since they were initially envisioned for centralized, managed networks that CISOs first started our careers with years ago.
Now networks typically don’t have fully defined perimeters; they’re designed for the mobile worker and geo-dispersed teams with numerous third-party connections to vendors and trusted partners. It’s these new network infrastructures that exist in the cloud, shared data centers and on mobile devices that force CISOs to revisit their cybersecurity plans. In essence, these plans are cybersecurity roadmaps that establish pathways an organization can follow to improve its overall risk management approach. These cybersecurity plans should describe how the security program will protect and share information, counter new and evolving threats, and support the integration of cybersecurity as a best practice for everyday business operations.
A cybersecurity plan should note the “current state” of security practices and describe near-term objectives to be addressed in the next 12 months, midterm goals in the next 18-24 months and long-term objectives over the next 36 months. This plan is usually developed by the CISO and is designed to be a living document. The vision, goals, and objectives of this plan should be reviewed at least annually by an Executive Cybersecurity Review Committee.
Where security practices meet business objectives
To begin, the CISO first needs to understand the current security state of the company. This effort will require a continuous review of assets such as hardware, software, network configurations, policies, security controls, prior audit results, etc. The goal is to gather information on what is the current technology and application portfolio, current business plans, and then gain an understanding of the critical data types required by business stakeholders.
As this data is assessed, the CISO should then meet with business unit stakeholders to establish the value of this collected information. It is critical to have business unit leaders assist in this endeavor to provide an accurate understanding of each asset (data, system, application) value based on the time, effort, and resources it would take to replace it if it became unavailable due to a cyber-incident. This updated list of resources, with their prioritized value to the company, provides the CISO with a current view of what is required for the business to operate and the impact on that operation if breached.
Now with a more refined look at the business’s security and risk requirements needs, it’s time to perform a risk assessment (ISO, NIST, COBIT) to establish a current exposure baseline. To plan this evaluation, the CISO will begin by using a risk management framework to assess all collected security information and identify any areas of vulnerability or potential exposure and relating this data to ongoing business activities. Once the CISO has completed this assessment, they can begin to develop their strategic plan. This living document will be used to move the organization from its current security state to a future security state where assessed security gaps are being addressed, and new services deployed.
Declaration of the organization’s core purpose (generally doesn’t change over time).
- Example of what I have used before, “Develop and execute a proactive, company-wide security program based on the Company’s strategic business objectives.”
An aspirational description of what an organization would like to achieve.
- Example of what I have seen used, “Incorporate a continuous security mindset into all aspects of our business functions.”
Statement about the business and the environment the security program currently operates in. I have seen the executive leadership team use this section to state its support of the security program and why it is critical for the business.
Part of the strategic plan is where the CISO explains how it will be managed, who will audit its processes and how changes will be implemented over time. Remember, this is a long-term plan so ensure you have these procedures documented.
Strategic objectives of a cybersecurity plan
The core of a CISO’s strategic plan which will contain the objectives identified during the most recent risk assessment that needs to be remediated. This section will include the latest assessment results and should have an ongoing project plan listing the various projects that are in the queue; each one should be tracked to a specific immature security control objective.
Out of this whole document, strategic objectives is the part that will be continuously updated as projects are completed, and the organization is reassessed to establish its new risk baseline. In the past, I have organized the projects and initiatives into a three-year timeline. Understand this schedule can be shortened if funds are made available; plus, the list of multiple projects can be reorganized to meet current business needs or new threats. Each objective will have several actions/projects, derived from the assessment security gap data, which need to be completed.
Here is an example of a cybersecurity objective:
Security objective – Data loss prevention
Key initiative – Security Policy, Standards, and Guidelines framework *** (These are the gaps that were found in the risk assessment.
Enables objectives – Data loss prevention, improved security of system and network services, proactive data management and governance.
Description – Develop, approve, and launch a suite of information security policies, standards, and guidelines based on ISO/IEC27001.
Key benefits – These benefits need to be aligned with the business.
Clear security baselines for all departments
Policy-based foundation to measure results
Consistent application of security controls across the enterprise
Project – listed technology, service, etc. that will meet the objective.
Depending on your organization’s maturity, you may have several projects listed under a specific objective. I advise CISO’s to build the plan and manage the list of projects on an ongoing basis, providing a valuable report of business value to the executive team.