Cyber threats come in all shapes and sizes and they employ varying tactics to create havoc for organisations and their stakeholders.
Malware, phishing, DDoS and man-in-the-middle attacks are just some of the methods attackers use, and each plays on a different weakness to infiltrate an organisation, most commonly human error, or network or application vulnerabilities.
Knowing where to start can be confusing given the many competing priorities. The challenge is even harder if you don’t have full-time security specialists on the team. Whatever your size or sophistication, you’ll need a cyber security strategy to ensure you are managing your risks. But it’s critical that your strategy meets the needs and objectives of your business. Security needs to be an enabler, not a ‘business prevention’ function.
A recent survey, Cyber Governance Health Check 2018, which we summarised in a previous blog, revealed that although 96% of the FTSE 350 companies questioned have a cyber security strategy in place, one third of those companies admitted that their strategy was not aligned to their business objectives.
Aligning your cyber security strategy to organisational objectives is fundamental to its success (as well as to the success of your business), but what does it actually mean?
Start with business objectives then assess the risks
Let’s use some scenarios to answer the question.
We’ll create a fictional business for the scenarios, and we’ll call it SpendCo. Our new business sells direct to consumers, so it is a B2C sales organisation. Following a successful year last year, SpendCo has strategic objectives for each of Marketing, Sales and IT Systems in the coming year. Each objective leads to the implementation of systems and the movement of data across the organisation.
Objective 1: Marketing: A key marketing objective is to increase sales leads by 10% by implementing an inbound marketing strategy. This requires the roll out of a new CRM and marketing automation tool which enables targeted email campaigns and customer tracking through each stage of the sales funnel.
Objective 2: Sales: The sales team want to speed up order processing. They request the dev team to develop an app which enables them to place orders whilst they are with customers. The app needs to be integrated with the new CRM and marketing automation tool described in Objective 1.
Objective 3: IT Systems: To support growth, the IT department needs to increase computing power and storage capacity. They also need greater flexibility to ‘stand-up’ development environments in which to create new services and tools. To support this, they contract a Cloud Service Provider (CSP) and migrate all key systems to the cloud.
At this point SpendCo’s marketing, sales and IT stakeholders work with their information security manager (we’ll call him Bob) to ensure he knows what their objectives are and how they will be achieved. Using this information, and with continued input from stakeholders, Bob then assesses the security risks for each objective and for the plans to achieve them. Using the results of this work, Bob then takes steps to manage these risks on a prioritised basis.
This might require technical controls but might just as well require organisational measures such as updated policies, new procedures or standards or improved user awareness training. Maybe even improved physical security or personnel security. For at least one of them it’s definitely going to require good supplier security management. If the risks remain high after controls have been implemented, your executives should sign off on tolerating these risks before you proceed and steps should be taken to address them in your incident response plan.
Carrying out a risk assessment for each objective, we might identify multiple scenarios including the following:
Objective 1 – Security Risk: Customer data which is entered into the CRM originates from an unencrypted Excel document which is left on the company server. A SpendCo sales employee takes a copy of the customer data with him when he joins a competitor and uses it to prospect those customers for business at his new employer.
Objective 2 – Security Risk: The app developers do not follow a secure development lifecycle methodology. The attack surface and potential threats are not identified, and code isn’t reviewed against the OWASP Top 10. Once live, a malicious attack gets through and customer payment information is exfiltrated.
Objective 3 – Security Risk: The CSP outsources parts of its infrastructure to a third party who has access to the CSP’s systems. Whilst the third party claims to take security seriously, its security posture and practices are actually immature, and a malicious attack results in SpendCo’s data being affected by ransomware.
As your business changes so should your cyber security strategy
At one time, change was unusual and ‘transformation’ programmes took place maybe every 5 to 10 years, when something wasn’t working. Organisations didn’t like change – it was risky and expensive. Today, business change is constant. Organisations change or transform for reasons of competitive advantage and many businesses chase the ‘disrupt or be disrupted’ adage. The objectives listed above are therefore entirely feasible in a single year.
Change can bring competitive advantage, but it also brings risk. Likewise, a security strategy focused on former tools, services, applications and working practices is as much use as a chocolate fireguard. If your business intends to move critical systems and services to the cloud for example, there is no point in having a security strategy built on traditional on-premise systems with a hard boundary and ‘soft centre’.
This means your security objectives, your controls, your risk management approach and your metrics no longer make you more secure. Sadly, we see this too often. The business has plans and is doing something new whilst the security strategy is focused on approaches that made sense to the business two years ago. Likewise, recovering from an incident takes longer and is more painful because the incident response plan is out of date for the same reasons.
All of this comes down to a lack of alignment and poor communication. Ensure that system owners, data owners, budget holders and other key decision makers think about security within their plans. Get Bob involved early. Not so he can say ‘no’, but so he can build his security strategy in a way that aligns with the objectives of the business. Doing so also helps ensure security and data protection by design (rather than trying to retro-fit it later).
If Bob knows your plans he can assess the risks and ensure that security risks are managed, and your organisation is more likely to achieve its objectives. If you try to bolt on security later, it’s more likely that the result will be ‘we can’t do this, the risk is too high’. Address security from the ground up and risk mitigation can be addressed right from the start.
Let’s take Objective 3. In this case, Bob will manage this type of risk through supplier due diligence and potentially a second-party audit, during which he’ll ask about the CSP’s third-party suppliers and request assurance about their practices. He’ll also ask SpendCo’s lawyers to include security obligations and maybe indemnities in the contract. Bob will also ensure that back-ups are in place and tested to help recovery from a disaster. Each of these steps is a way in which Bob is aligning his cyber security strategy with SpendCo’s business objectives.
Risk assessments are your friend
Now, it’s unlikely that you’ll be able to secure everything and reduce security risks as much as you would like. The attack surface grows year on year and new threats emerge as quickly as vulnerabilities are discovered.
To help you determine where to prioritise your time and money in securing your assets, you need to carry out a risk assessment. This involves looking at the impact and likelihood of a threat exploiting a vulnerability and resulting in a security incident (of the types listed above).
When working on your impact assessment, don’t just think about the direct costs of recovering from an attack. Also think about operational impact (lost productivity), lost revenue arising from systems downtime or lost customers, contractual or regulatory liabilities, reputational damage to your brand and individuals’ well-being.
It can be tempting to take a qualitative approach and go with a ‘finger in the air’ high, medium and low, but try to find the time to take a quantitative approach and apply actual impact levels if possible. This will make the exercise more realistic and will carry greater weight with stakeholders. Below is an example of impact levels that we created for a client.
Also, be realistic with your likelihood assessment. Don’t wear ‘rose-tinted spectacles’. Be realistic about how likely the risk is, both inherently and after applying the controls you have in place.
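To show what the quantitative approach looks like in practice, here is a small risk register for the three SpendCo scenarios above. It is an added example, not the client table the text refers to and not code from the original post: the pound values, annual likelihoods, control effectiveness figures, impact bands and the risk tolerance figure are all constructed for illustration. It scores each scenario as impact multiplied by likelihood, both before controls (inherent) and after the controls in place (residual), ranks the residual risks so time and money go to the most damaging ones first, and lists the risks that still exceed the tolerance figure and so would need executive sign-off before the objective proceeds.

```python
from dataclasses import dataclass

# Constructed risk appetite: residual annualised loss above this figure is
# flagged for executive sign-off rather than silently tolerated.
RISK_TOLERANCE_GBP = 50_000.0

# Constructed impact bands (upper bound in GBP, band number). These stand in for
# the client-specific impact levels mentioned in the post and are an assumption.
IMPACT_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3)]


def impact_level(impact_gbp: float) -> int:
    """Map a pound-value impact onto the constructed 1..4 impact scale."""
    for upper, level in IMPACT_BANDS:
        if impact_gbp <= upper:
            return level
    return 4


@dataclass
class Risk:
    objective: str
    scenario: str
    impact_gbp: float            # estimated cost of one incident (direct + indirect), constructed
    inherent_likelihood: float   # probability of the incident occurring in a year, before controls
    control_effectiveness: float = 0.0  # fraction of the likelihood removed by controls in place

    def residual_likelihood(self) -> float:
        """Likelihood after applying the controls that are actually in place."""
        return self.inherent_likelihood * (1.0 - self.control_effectiveness)

    def inherent_ale(self) -> float:
        """Annualised loss expectancy before controls: impact x likelihood."""
        return self.impact_gbp * self.inherent_likelihood

    def residual_ale(self) -> float:
        """Annualised loss expectancy after controls."""
        return self.impact_gbp * self.residual_likelihood()


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Order risks by residual annualised loss, most damaging first."""
    return sorted(risks, key=lambda r: r.residual_ale(), reverse=True)


def needs_sign_off(risks: list[Risk], tolerance: float = RISK_TOLERANCE_GBP) -> list[Risk]:
    """Risks that remain above tolerance after controls and need executive acceptance."""
    return [r for r in risks if r.residual_ale() > tolerance]


# Constructed SpendCo register built from the three scenarios in the post.
SPENDCO_RISKS = [
    Risk("Objective 1", "Departing employee copies unencrypted customer spreadsheet",
         impact_gbp=200_000, inherent_likelihood=0.30, control_effectiveness=0.50),
    Risk("Objective 2", "Order app built without SDLC or OWASP review; payment data exfiltrated",
         impact_gbp=2_000_000, inherent_likelihood=0.20, control_effectiveness=0.60),
    Risk("Objective 3", "CSP sub-supplier compromised; SpendCo data hit by ransomware",
         impact_gbp=1_500_000, inherent_likelihood=0.10, control_effectiveness=0.70),
]


def render_register(risks: list[Risk]) -> str:
    """Plain-text register a stakeholder can read, ranked by residual loss."""
    lines = [f"{'Objective':<12}{'Band':>5}{'Inherent ALE':>15}{'Residual ALE':>15}  Scenario"]
    for r in prioritise(risks):
        lines.append(f"{r.objective:<12}{impact_level(r.impact_gbp):>5}"
                     f"{r.inherent_ale():>15,.0f}{r.residual_ale():>15,.0f}  {r.scenario}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_register(SPENDCO_RISKS))
    for r in needs_sign_off(SPENDCO_RISKS):
        print(f"Executive sign-off required: {r.objective} "
              f"(residual GBP {r.residual_ale():,.0f} > tolerance {RISK_TOLERANCE_GBP:,.0f})")
```

With these constructed figures the Objective 2 scenario ranks first on residual loss even though its likelihood is lower than Objective 1, because its impact is an order of magnitude larger; that is the effect of using real impact levels rather than a high/medium/low guess. Replace the numbers with your own estimates and the same ranking logic applies.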
Align your security strategy (objectives, metrics and controls) with your business strategy, and focus your time and investment on the risks that would cause the most damage to your business, judged by their likelihood and their impact. Do so and you’ll have a security strategy that makes sense for your business and a stronger security posture to help prevent and recover from cyber incidents.
We can help
If you need help with developing a cyber security strategy, aligning your plans to business objectives or carrying out risk and impact assessments, we can help. Please contact us for a chat.