Cybercriminals have evolved from isolated, loosely organized amateurs into sophisticated, innovative and highly organized threat actors. This requires organizations to keep up to date with a rapidly evolving cyber threat landscape, and to recognize and continue to adopt new cybersecurity controls to defend their critical assets.
Organizations have always tended to misunderstand cybersecurity strategy as a point-in-time risk management activity. I have seen organizations create their cybersecurity strategy and operate it unchanged over multiple years. In reality, cybersecurity strategy has to be dynamic and regularly updated, with a security posture that is always in transition (i.e., improving). An organization’s cybersecurity strategy should never be fixed, even though the strategic goals may remain constant over an extended period.
To create and adapt to a living and dynamic cybersecurity strategy, in view of a rapidly evolving cyber threat landscape, here are my recommendations:
• Develop an agile and dynamic approach to cybersecurity. This approach should enable the organization to adjust its cybersecurity strategy according to the latest threats, attack surface, and risks. It should also be combined with an “outside-in” perspective, where the external threat landscape is continually monitored and evaluated against the organization’s cybersecurity processes, technology, and people. All potential risks to the business should be assessed, evaluated and mitigated through periodic evaluation of the cybersecurity strategy.
• Create a vision, mission and business objectives framed against an evolving adversary. Adopt a business-centric approach that improves the organization’s security posture and its capability to defend itself against external and internal threats on a continuous basis.
• To address the risks of evolving and new external threats, it is unrealistic and economically unfeasible to materially change the security infrastructure every time a new class of threat appears. However, an “agile” and “transitional” cybersecurity strategy that is re-evaluated for its efficacy, combined with a quarterly review of cybersecurity controls (which is tactical in nature), is both possible and helpful.
• Adopt the “Security First Approach.” Evaluate all business initiatives and changes to current business objectives through a cybersecurity lens from the outset. With this approach, all new and changing business processes and applications will have a better chance of being secure, and the “retrofit” cost of implementing security controls ex post facto is reduced.
If your cybersecurity strategy incorporates the above considerations, I believe it will be fit for its intended purpose of maintaining and optimizing an enterprise’s security posture while balancing the practical reality of limited resources and time.
Each organization should assess what its needs are, how it intends to conduct its business activities, and what changes those activities bring to its current risk posture.
Cybersecurity is not an add-on to information technology. It is a fundamental pillar and part of the foundation of a business that must be considered with all other core functions to maximize a business’ ability to meet its strategic goals.
Company executives need to ensure that the security architecture being developed reflects the needs of the business, and that the people executing the cybersecurity strategy are certified professionals with a mindset of balancing business goals and risk. They also need to ensure that the technology products and third-party cybersecurity services being employed are aligned with the strategy.
An Agile, Dynamic and Transitional Cybersecurity Strategy is the need of the hour!
If "the only thing constant is change," why would you want to have a static cybersecurity strategy?