Cyber threats come in all shapes and sizes and they employ varying tactics to create havoc for organisations and their stakeholders.
Malware, phishing, DDOS and man-in-the-middle attacks are just some of the methods hackers use and each plays on different weaknesses to infiltrate an organisation be it (commonly) via human error or network or app vulnerabilities.
Knowing where to start can be confusing given the many competing priorities. The challenge is even harder if you don’t have full-time security specialists on the team. Whatever your size or sophistication, you’ll need a cyber security strategy to ensure you are managing your risks. But it’s critical that your strategy meets the needs and objectives of your business. Security needs to be an enabler not a ‘business prevention’ function.
A survey in 2018 Cyber Governance Health Check 2018, which we summarised in a previous blog, revealed that although 96% of the FTSE 350 companies questioned have a cyber security strategy in place, one third of those companies admitted that their strategy was not aligned to their business objectives.
Although 96% of the FTSE 350 companies surveyed have a cyber security strategy in place, one third of those companies admitted that their strategy was not aligned to their business objectives.
Aligning your cyber security strategy to organisational objectives is fundamental to its success (as well as to the success of your business), but what does it actually mean?
Start with business objectives then assess the risks
Let’s use some scenarios to answer the question.
We’ll create a fictional business for the scenarios, and we’ll call it SpendCo. Our new business sells direct to consumers so is a B2C sales organisation. Following a successful year last year, SpendCo has strategic objectives for each of Marketing, Sales and IT Systems in the coming year. Each objective leads to the implementation of systems and the movement of data across the organisation.
Objective 1: Marketing: A key marketing objective is to increase sales leads by 10% by implementing an inbound marketing strategy. This requires the rollout of a new CRM and marketing automation tool which enables targeted email campaigns and customer tracking through each stage of the sales funnel.
Objective 2: Sales: The sales team wants to speed up order processing. They request the dev team to develop an app that enables them to place orders whilst they are with customers. The app needs to be integrated with the new CRM and marketing automation tool described in Objective 1.
Objective 3: IT Systems: To support growth, the IT department needs to increase computing power and storage capacity. They also need greater flexibility to ‘stand-up’ development environments in which to create new services and tools. To support this, they contract a Cloud Service Provider (CSP) and migrate all key systems to the cloud.
At this point, SpendCo’s marketing, sales, and IT stakeholders work with their information security manager (we’ll call him Bob) to ensure he knows what their objectives are and how they will be achieved. Using this information and with continued input from stakeholders, Bob then assesses the security risks for each objective and plans to achieve them. Using the results of this work, Bob then takes steps to manage these risks on a prioritised basis.
This might require technical controls but might just as well require organisational measures such as updated policies, new procedures or standards, or improved user awareness training. Maybe even improved physical security or personnel security. For at least one of them, it’s definitely going to require good supplier security management. If the risks remain high after controls have been implemented, your executives should sign off on tolerating these risks before you proceed and steps should be taken to address them in your incident response plan.
Carrying out a risk assessment for each objective, we might identify multiple scenarios including the following:
Objective 1 – Security Risk: Customer data that is inputted into the CRM originates from an unencrypted excel document that is left on the company server. A SpendCo sales employee takes a copy of the customer data with him when he joins a competitor and uses it to prospect them for business at his new employer.
Objective 2 – Security Risk: The app developers do not follow a secure development lifecycle methodology. The attack surface and potential threats are not identified, and code isn’t reviewed against the OWASP Top 10. Once live, a malicious attack gets through and customer payment information is exfiltrated.
Objective 3 – Security Risk: The CSP outsources parts of its infrastructure to a third party who has access to the CSP’s systems. Whilst the third party claims to take security seriously, its security posture and practices are actually immature and a malicious attack results in SpendCo’s data being affected by ransomware.
As your business changes so should your cyber security strategy
At one time, change was unusual and ‘transformation’ programmes took place maybe every 5 to 10 years when something wasn’t working. Organisations didn’t like change – it was risky and expensive. Today, business change is constant. Organisations change or transform for reasons of competitive advantage and many businesses chase the ‘disrupt or be disrupted’ adage. The objectives listed above are therefore entirely feasible in a single year.
A security strategy focused on former tools, services, applications and working practices is as much use as a chocolate fireguard.
Change can bring a competitive advantage, but it also brings risk. Likewise, a security strategy focused on former tools, services, applications and working practices is as much use as a chocolate fireguard. If your business intends to move critical systems and services to the cloud for example, there is no point in having a security strategy built on traditional on-premise systems with a hard boundary and ‘soft centre’.
This means your security objectives, your controls, your risk management approach and your metrics do not make you more secure. Sadly, we see this too often. The business has plans and is doing something new whilst the security strategy is focused on approaches that made sense to the business 2 years ago. Likewise, recovering from an incident takes longer and is more painful because the incident response plan is out of date for the same reasons.
All of this comes down to a lack of alignment and poor communication. Ensure that systems owners, data owners, budget holders and other key decision-makers think about security within their plans. Get Bob involved early. Not so he can say ‘no’ but so he can build his security strategy in a way that aligns with the objectives of the business. Doing so also helps ensure security and data protection by design (rather than trying to retrofit it later).
If Bob knows your plans he can assess the risks, ensure that security risks are managed and your organisation is more likely to achieve its objectives. If you try to bolt-on security later it’s more likely that the result will be ‘we can’t do this, the risk is too high’. Address security from the ground up and risk mitigation can be addressed right from the start.
Let’s take Objective 3. In this case, Bob will manage this type of risk through supplier due diligence and potentially a 2nd party audit, during which he’ll ask about the CSP’s third-party suppliers and request assurance about their practices. He’ll also ask SpendCo’s lawyers to include security obligations and maybe indemnities in the contract. Bob will also ensure that backups are in place and tested to help recovery from a disaster. Each of these steps is a way in which Bob is aligning his cyber security strategy with SpendCo’s business objectives.
Risk assessments are your friend
Now, it’s unlikely that you’ll be able to secure everything and reduce security risks as much as you like. The attack surface grows year on year and new threats emerge as quickly as vulnerabilities are discovered. We highlight some key takeaways from the CYBERUK2021 conference here.
To help you determine where to prioritise your time and money in securing your assets you need to carry out a risk assessment. This involves looking at the impact and likelihood of a threat exploiting a vulnerability resulting in a security incident (of the types listed above).
When working on your impact assessment, don’t just think about the direct costs of recovering from an attack. Also think about operational impact (lost productivity), lost revenue arising from systems downtime or lost customers, contractual or regulatory liabilities, reputational damage to your brand and individuals’ well-being.
It can be tempting to take a qualitative approach and go with a finger in the air high, medium and low but try and find the time to take a quantitative approach and apply actual impact levels if possible. This will make the exercise more realistic and will have a greater impact on stakeholders. Below is an example of impact levels that we created for a client.
|Impact Score||Impact||Operational||Financial||Legal & Regulatory||Reputational||Wellbeing|
|1||Very low||Partial downtime of a single project||Loss of less than £25,000||Warning from regulatory body||Minor negative publicity||Inconvenience to several people|
|2||Low||Total downtime of a single project||Loss between £25,000 and £250,000||Penalties up to £10,000||Local negative publicity||Injury or harm to one person|
|3||Medium||Partial downtime of multiple projects||Loss between £250,000 and £1 million||Penalties between £10,000 and £50,000||National negative publicity||Injury or harm to several people|
|4||High||Total downtime of multiple projects||Loss between £1 million and £25 million||Penalties between £50,000 and £500,000||EU-wide negative publicity||Loss of single life|
|5||Very high||Total downtime of all projects||Loss exceeds £25 million||Penalties exceed £500,000||Worldwide negative publicity||Multiple loss of life|
Also, be realistic with your likelihood assessment. Don’t wear ‘rose-tinted spectacles. Be realistic about how likely the risk is – both inherently and after applying the controls you have in place.
Align your security strategy (objectives, metrics, and controls) with your business strategy and focus your time and investment on the risks that would cause the most damage to your business by reference to their likelihood and their impact. Do so and you’ll have a security strategy that makes sense for your business and a stronger security posture to help prevent and recover from cyber incidents.
We can help
If you need help with developing a cyber security strategy, aligning your plans to business objectives or carrying out risk and impact assessments we can help. Please contact us for a chat.ENQUIRE NOW
Quick Enquiry Form