Strategic this, strategic that
People band strategy around like it’s some sort of mythical beast that requires no knowledge of the subject involved but is done by wizards and executives (it’s just done by people, but I digress) so I thought I’d talk about strategy development.
Now forewarning you might come out of this post thinking… there must be something else… something you are missing as Dan’s not showing any secret magic…. Often what is commonly lacking when looking at strategic execution is effective communication, consensus, and marathon like commitment to deliver on said goals and objectives. Why? Because that part is really, really, hard, if it wasn’t we’d all be sipping Bollinger in the Bahamas.
Know the business
If your first thoughts are to run to Sun Tzu or grab an ISO27001 document then you should probably pause, grab a tea, and take a breath. In my experience cyber security is:
- Not a war
- Does not require anything to do with the military
- The answers are not simply in a book or standard document
People often think that a framework, guide, or standard will give them the answers. Sure, they are often useful tools to help, hell the domain of cyber is broad as hell and there’s so much to do and often so little time, so job aides and not re-inventing the wheel is a good thing, that doesn’t however just mean that with documents you will be in a good position.
One thing people should be realistic with is that strategy is not a document, its not fixed in stone and it is never “done” (unless your business is only going to exist for a specific period then disappear) – this is a general blog so I’m going to assume we aren’t talking about that scenario. Perspective is also important, enterprise strategy vs departmental vs individual, for the purposes of the blog I’m looking at an enterprise and departmental view.
There are books on this, so I’ll try and be brief, when we look at a Cyber Security Posture the first thing, we do is research the business.
- What does the business do?
- Where does it operate?
- What is its mission, vision, goals, and objectives?
- How does it play in its market?
- What is the direction of travel for the business?
Essentially, we need to understand from a varying degree of breadth and depth the business. Hardly a shocking revelation but one I think that is key.
Competing Priorities, Constraints and a world that changes overnight
It’s important to understand that for most organisations CYBER is not the business. Technology is leveraged to enable business outcomes and to support the business in its ventures, risks are by nature part of an enterprise.
There are a massive range of complexities in businesses and there are many viewpoints and views. This is true of businesses of all shapes and sizes.
We also must be realistic, cyber security is fast paced, sure at it’s core its technology and security management but in today’s world it’s so much more. People talk about cyber like it’s a silo, and well that simply isn’t a realistic view of the world and how things work in practise.
But the key things here are:
- There are many perspectives
- There are competing priorities
- There are constraints
- The Cyber landscape if very fast paced
It’s not all risk management
I think there is also a myth where people say:
- Cyber Security is simply risk management
- Or Cyber Security is simply a cost
- And well the other one is where people say things like Cyber Security is simple (it’s bloody not!)
I try and look at business and technology and look at it from a whole position. Yes it’s awesome to go and play with the tools, to exploit new vulnerabilities, to break into networks (and subsequently harden them) but when we think about cyber security and business strategy it’s so much more than that. Technology is an enabling force to allow a business to:
- Operate efficiently
- Enable Mobility
- Enable scalability
- Reduce risk (it’s C I and A)
- Protect the brand and its customers
- Enable innovation
- Protect valuable assets
When we look at cyber security capabilities in most organisations, they are a blend of people, processes, and technology not from a cyber department but as a business.
- Current market landscapes and high levels of technical debt also mean that applying a textbook approach in many organisations is a touch unrealistic, partially because:
- New departments and capabilities need budget
- Cyber security capability takes people to be effective
- Cyber security if deployed at an operational perspective of monitor only creates a significant challenge
If we just focus on simply risk reduction and an organisation has a very high-risk appetite and very high-risk tolerance that also will massively influence change and investment appetites.
Many organisation business risk management processes are not very detailed, a lot of people in life also operate on a personal experience perspective (hell I know I do) so you can end up with this being a common business position.
- The market costs/margins are well established
- Security isn’t built into the entire supply chain cost model; this often creates significant challenges about changing cost profiles (how often do organisation with low security maturity need to spend less (in my experience this is never the case))
- The risk appetite is higher for other people who don’t live in cyber land
- People can’t assess risk if they don’t understand it, this leaves them making decisions based on a poor risk view
- Cyber security is specifically addressing security of digital systems and data, most people do not understand how computers and networks work at a basic level let alone how a buffer overflow works
This means that when formulating a strategy it must align with the business, sure it may need to push boundaries and sure if requires change, but it must be in a shape, form and manner which means it will get off the post and endure. 100% security doesn’t exist and a strategy that aims for perfection will ultimately fail. The key things here to me are:
- Understand the business
- Understand the enterprise technology (cyber) landscape
- Understand the current state capabilities
- Understand the gaps
- Develop a strategy that works to enable change and support he business in its activities
- Be realistic with what can be achieved
- Recognise that it’s a marathon not a sprint
- Understand that a strategy without a plan is a dream
- A strategy without tactical initiatives will likely fail to reduce business risk but also will likely struggle with execution.
Strategic execution requires operational activities daily. In business this is all about change and direction of travel.
Security Change Realities
Ok so you are the new CISO or new CIO (yes, most CIOs have an organisational responsibility and accountability for the security of technology systems, shocker isn’t it!) yet again much like security is commonly not “the business” for most organisations, we also have some realities that we need to understand.
- Visibility increases work in progress/backlogs
- Monitoring takes resources (time and money)
- Changing the way people interact with systems (regardless of the risk reduction or business benefit) means changing individuals’ workflows
- Not every risk needs to be mitigated
- Not every vulnerability will be exploited
- Security as a monitoring function only will have communication and change execution challenges
- There are many human parts to the security challenge
- Training and awareness are not simply making everyone watch a CBT
- If you only focus on high level areas, you will likely be building your security strategy on a foundation of sand
- The IT and helpdesk are key components of the organisational security capability
- The devil is in the details (you might not need to show all the details to everyone, you need to keep people engaged)
Many of the issues I see in organisations commonly follow similar patterns. Many of the conversations I see/hear about security leave me puzzled. I think marketing and the word strategy have made a unicorn that people think other people are doing when in reality, I often struggle to get hold of a security strategy, IT strategy or business strategy document that arms me well enough to understand things.
If you treat cyber security as a silo, if you ignore the operational realities, the architecture of a business, the politics and all the other areas then you will likely fail to execute successfully.
Conversely if you don’t ensure effort is spent to understand the weeds, you could well up spending a bucket load of money and still being pwn3d by a low skilled threat actor.
For me I’m less about Sun Tzu and more Henry Mintzberg, most people defending computer systems are in the business of business, not in the business of warfare.
Strong foundations enable great things, a good cyber security strategy should both protect you in the near term as well as enable the business in the future. A goal and objective must have a plan to enable them. Strategy is hard because to me it’s largely about understanding detail, positioning this with people (communication), ensuring you have a plan, ensuring you understand different perspectives and working out a ploy for enabling change, reducing risk and enabling the business, all with the reality that you have constraints!
Hopefully this gives you some insight into “strategic” thinking, strategy is only useful if it’s something being done, not being left for someone else to do.