While drafting and editing the material for this book, we thought we could offer additional value by providing an essay on each topic by all three authors, independently edited, to preserve their unique perspective and voice.
This technique was intended to provide multiple viewpoints that both explore the topics more thoroughly and give readers options for applying these different viewpoints to the different problems they face at the time.
We appreciate your tolerance with our construct, and hope we’ve achieved what we intended. In this final chapter, we’ve decided to stitch together our combined perspective and present an integrated essay on building your strategic plan.
Some of the questions the authors used to frame their thoughts for this chapter include:
♦ What components should the CISO use in developing their cybersecurity strategic plan?
♦ How should the CISO align their strategic plan to the organization’s business objectives?
♦ What steps can the CISO use to leverage the cybersecurity strategic plan for future growth?
Strategic Plan – Bonney, Hayslip & Stamper
How Did I Get into This?
There are many ways you may have come into this responsibility. In larger companies, you may have been the subject of a recruiting process or an internal vetting process. You may be replacing someone or inheriting an issue with board visibility. In this case, you’re probably going to have something in place. In the best case you can carry forward most of the existing plan, but you may be faced with a complete overhaul.
If you’re coming into the position at a smaller company, you could still be subject to an internal vetting process, perhaps as the former “network” or “compliance” person. In this case, you’re likely to have at most a bare skeleton of a plan. It might not be much more than a budget or an organization chart, possibly just a list of services the other IT managers are looking forward to getting off their plates.
We are drawing attention to the latter condition because as we mentioned in the preface to Volume 1, cybercrime will continue to move “down the food chain” as more relative economic value is managed via interconnected computer networks. As a result, many smaller to medium-sized organizations have requirements to have specific security practices and capabilities in place given regulatory obligations or increased diligence necessitated by the organization’s customers and other stakeholders. CISOs hired or promoted by these companies will be scrambling to build security programs from scratch.
We’ll cover the building blocks of a sound strategic plan, aligning the plan to the organization’s business objectives, and using the strategic plan as a roadmap for the future of your cybersecurity function. As we walk through developing the plan, we’ll continue both to offer a complete treatment grounded in best practice and to reveal our thought process, maintaining the instructional approach so that this is helpful to CISOs just stepping into the role.
Structure of Your Strategic Plan
The cybersecurity strategic plan needs to be concise and easy to understand and reflect realistic expectations for funding that are in line with what the organization can afford. The plan document is not the place to surface a 300% increase in funding. That is a discussion that should already have taken place between you and the management team and, as appropriate, the board. The document should be organized in a methodical manner that makes it easy for the stakeholders to read and its objectives should be aligned with current business functions and processes. We recommend the following structure:
1. Mission Statement – This is the declaration of the organization’s core purpose that normally doesn’t change over time.
Example: Develop and execute a proactive, company-wide security program based on Organization’s strategic business objectives.
2. Vision Statement – An aspirational description of what the organization would like to achieve or accomplish in the mid-term or long-term future.
Example: Incorporate a continuous security mindset into all aspects of our business functions.
3. Introduction – This is a statement describing the business and the environment in which the security program currently operates. The executive leadership team typically will use this section to communicate broad information about the cybersecurity program and its critical role in the strategic plan for the business and key stakeholders.
4. Governance – This portion of the document will explain how the strategic plan will be implemented, who will audit the process, and what committees or personnel will be part of the overall process of assessing its effectiveness and recommending changes to it over time. This is a long-term plan, and there should be a documented process of how this plan will be managed and audited and who will be responsible for it over time.
5. Strategic Objectives – The strategic objectives define how the cybersecurity organization should invest its time and resources to manage the security risks discovered in the assessment and SWOT data previously described. In laying out the objectives, the CISO is assuming there will be sufficient resources for people, processes, and technology. The objectives typically are arrayed over a one- to three-year timeline. Understand that timelines can be shortened with additional resources. Each objective will have several initiatives, derived from the analyzed security gap data, which need to be completed to achieve the objective.
♦ Improved Security of System and Network Services
♦ Proactive Risk Management
♦ Business Process Enablement
♦ Security Incident Management
Your objectives will typically mirror the gaps found in your assessment and the improvements or investments you want to make in currently effective processes that you want to continue to mature.
6. Key Initiatives – An initiative will state what objectives it satisfies when completed, will include a description of the security/risk issues it will alleviate, and should state the benefits it brings to the business when completed.
The following is an example of an initiative:
Initiative 1 – Security Policy, Standards, and Guidelines Framework
Enables Objectives – Improved security of system and network services, proactive risk management, and crisis and security incident management.
Description – Develop, approve, and launch a suite of information security policies, standards, and guidelines based on the ISO/IEC 27001 code of best practices for information security. These policies will formally establish the organization’s Cybersecurity Program and set forth employee responsibility for information protection. The policy, standards, and guideline framework will also take into consideration the multitude of Federal, State, and Industry regulations that govern the use of personal, financial, customer, and vendor data managed by the business.
Benefits –
♦ Clear security baselines for all departments
♦ Policy-based foundation to measure results
♦ Consistent application of security controls across the enterprise
Developing Your Plan
We’ve mentioned throughout these two volumes that how you approach any task is going to depend on the needs of the organization. Part of your value to the organization is that you bring your experience and your human network to help the organization assess and adjust to reality, and plan for the future. As with other divisions within your organization, your strategic plan should address your current state cybersecurity practices, near-term objectives to be addressed in the next 12 months, midterm objectives to be addressed in the next 18-24 months, and long-term objectives to be addressed over the next three years.
We’ve also mentioned that cybersecurity is not something you can do in a vacuum. It is very much a contact sport. Resist the temptation to hide away and work on your plan in isolation. Engage with your business partners and involve all of your stakeholders in the process of identifying the priorities for your strategic plan. The role of the CISO is to help the organization reduce the inherent risks of its business model and mitigate the residual risks that cannot be avoided. You exist to serve the business, not the other way around. Determine what the management teams need and what the board needs from your cybersecurity program and develop a strategic plan to deliver that.
Recognize, however, that these stakeholders may not be familiar with the more “formal” language of enterprise risk management (ERM) or other risk-management practices we’ve expounded on in the CISO Desk Reference Guide. The founder’s family or close-knit executive teams often dominate many smaller to medium-sized organizations. They are confronting globalization, new competitors, enhanced regulatory oversight, and several other factors that strain their capabilities to understand what the risk environment is for the organization. Tailor your discovery to your audience. Your job is to help these stakeholders navigate this environment in a manner that is financially prudent for the organization, while also reflecting the security “debt” that you may have inherited.
In each of the previous chapters, we’ve given you a series of assignments that, taken together, should provide the bulk of your discovery. The next step is to determine how to apply this information and come up with a plan that emphasizes your strengths, shores up your weaknesses, and buys you the time you need to implement the program the organization needs. One tool you might consider using is a Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis. In figure 1 we show a typical set of definitions for a SWOT analysis that you can use to assess capabilities.