In mid-September, we had almost 30 security leaders gather on a Virtual CISO Round Table to discuss best practices on how to create a presentable security strategy and roadmap. During a guided discussion, we initially tackled what a security strategy is and why you should take the time to create one. To protect privacy, no attendee names are disclosed in this summary.
Definition of Security Strategy:
One leader suggested that a security strategy is based on the risk tolerance of a company and helps them establish a predictable range of risks for current and future cyber events. In addition, it helps align security priorities to address those risks.
All of these inputs are required to develop a holistic, multi-year strategic security plan:
- Information Technology Strategy
- Business Strategy
- Legal and Regulatory Requirements
- Gaps defined by 3rd Parties and Auditors
- Stakeholder & Executive input
- Corporate Defined Risk Tolerance
- Governance Guidelines
- Contractual obligations (e.g., insurance, clients, vendors)
NOTE: It was suggested that a security strategy’s foundation should not be based on an individual’s best practices. Instead, it should have a foundation based on an industry-accepted standard like NIST, CMMC, HIPAA, etc.
Because much of a security strategy is determined by the risk tolerance of a company, we dove deeper into defining what that means and how to establish it.
Definition of Risk Tolerance:
Risk Tolerance is how much risk the business is willing to take on versus how much it is willing to spend (or inconvenience the business) to mitigate those risks.
“Boards and executives are in the business of taking risks; otherwise they wouldn’t be successful in business.”
Another definition offered up: a set of digital risk management goals that meet the risk-to-asset tolerance of the entity’s owners and stakeholders, and that can be measured for outcome against the entity’s overall goals.
Establishing a Risk Tolerance:
Here are some suggestions for establishing a risk tolerance.
- Leverage your firm’s existing Operational Risk Management (ORM) mitigations and overlay them over the digital risks identified by your discovered assets.
- Take the difference and show a Venn diagram with critical items sorted by likelihood of occurrence.
- Get consensus that those are the top digital risks and identify the ones that can have the highest payback.
- Get buy-in from the executive team & stakeholders.
- Once they are in agreement, have them help sell it to the board.
Another suggestion would be to build a Bow-Tie Relationship between risks and impact to help model and identify risk tolerance.
Either way, it is always difficult to get everyone on the same page to agree on what the risk appetite is for a firm.
One leader suggested that if your executive team cannot agree on those risks, you are not covered by D&O insurance, and there is no RACI Responsibility Matrix limiting your liability, then you should resign and look for a new position.
Building a Security Strategy:
Some leaders noted that a security strategy that goes beyond 12 to 18 months may get derailed quickly by new threats and cyber events, but others pointed out that a longer strategy lets you keep your eyes down the road in spite of short-term events. A strategy should be broken down into multiple stages.
- Long-term (3 to 5 years) focuses more on the technology roadmap. Long-term strategy examples would be goals for completing network segmentation, implementing a zero trust model, eliminating shadow IT, or meeting a certain program maturity level.
- Mid-term (1 year to 3 years) focuses more on projects such as fully adopting new security technologies, documenting and refining processes, and closing gaps to become compliant with a standard such as NIST.
- Short-term (3 months to 1 year) focuses more on business goals such as improving current metrics like time to identify threats, phishing success rates, or incident response rates.
While the executive board is most often interested in the short-term strategy, as they often adjust their own business strategies each quarter, a long-term view can be leveraged for focus and investment to ensure steady program improvements.
If the Long-Term and Mid-Term strategic plans are done right, they are continually updated (each quarter or on an as-needed basis) so they become living documents that guide the program.
Communicating your Strategy:
Every leader agreed that having a strategy was important, but getting executive support and buy-in was dependent on how well the vision and strategy were communicated to the executive team and board.
Although the CISO may get 30 minutes to present to a board, the board was likely in session for hours before your presentation and will be for hours after it. Therefore, while you may think your segment is the most important, keep in mind that they are tackling many other priorities as well.
To help align executives with security needs, one leader set up a Cyber Board that consisted of the head of all the business units (1/3 of which rotated off each year). To help them grasp risk tolerance, he would describe scenarios and conduct tabletop exercises to put them in the middle of cyber events. When they saw their peers get hurt by an event, their risk tolerance went down. This was a great way to align goals and get their understanding prior to executive board meetings.
“You are not going to make the Board or the CEO a cyber person, but what they already are, is a risk person, so you need to meet them in the lexicon where they are and speak their language.”
In addition, when a major cyber event hit the news and their program had blocked the same threat, he would lay out how their previous investments (e.g., systems, vendors, processes) enabled them to block it. This built confidence in the program and justified additional spending when requested.
One leader suggested practicing writing SEC-style reports to help you provide clear and concise reporting to the board.
Another suggestion was to draw on industry-accepted sources such as Gartner’s recommendations, e.g., “What Cybersecurity Metrics Should I Report to My Board?”
However, several leaders cautioned against using too much data.
“People don’t do well with data, people do well with stories.”
One leader described how he would focus on “telling a story” to the board instead of hitting them with metrics and numbers. They responded better when they heard how people and businesses were impacted and how they would be impacted if investments in the right areas were not made.
“People listen to and remember stories better than they do statistics.”
It was suggested to use narrative as much as possible. Paint a verbal picture for people and don’t give a lecture. Draw them in with a relatable storyline.
Establish a Baseline:
The general consensus was that every firm should be conducting 3rd party cyber assessments such as a NIST CSF assessment or similar (e.g., CMMC, HIPAA, HITRUST). These provide an objective assessment of the maturity of a security program and a gap analysis to help you understand where your program may not be living up to the best practices recommended by NIST or the other standards.
Translating business risks to risk heat maps can resonate very well.
“Third party assessments are valued much higher than an internal assessment.”
The assessment will often generate a gap analysis against a framework such as NIST CSF, HIPAA, CMMC, CISA’s Zero Trust Model, or Security Capability Maturity Model (SCMM) and generally provide a security maturity level for your program.
That way you don’t have to talk about details around network segmentation or building out a SIEM. Aligning to a proven model or maturity level helps to ‘dumb’ down the conversation.
Developing a Roadmap:
The assessment provides a foundation for a roadmap for improvement and investment. Based on your firm’s acceptable level of risk tolerance, you can then determine where your program needs to be on the maturity scale.
One leader said that by aligning to a standard, “It helps executives see that we’re not being stupid with your money, we’re being cost-effective in our approach.”
Your assessment may also provide a baseline benchmark for your specific industry which can provide insight into a minimum level of maturity that needs to be achieved.
However, striving for the minimum is similar to working towards becoming compliant with a standard. Compliance is often the minimum of what needs to be done and does not ensure your company is secure. Sometimes it’s hard to tell the story of how compliance and cybersecurity are different, but one leader summed it up very well:
“Compliance is the floor and we don’t eat off the floor. So, we should probably aim for a little higher than that.”
It became clear that establishing and following a security strategy can provide the right level of exposure and support for a security program while also providing a better vision and long-term direction for continual improvement. While there was no cookie-cutter method to create a security strategy, there are some common fundamental steps to get there:
- Conduct a 3rd party assessment against a known standard.
- Evaluate your gaps at your current maturity level.
- Work with the executive team to determine your firm’s risk tolerance.
- Define the desired maturity level to mitigate those risks.
- Develop a strategy and roadmap to get there.
Fortify Experts does offer a rapid, low-cost NIST CSF & HIPAA assessment which can provide a baseline and scored maturity, plus a prioritized workflow, in as little as one week.
As always, we appreciate the participation of each of these security leaders and hope other security leaders will benefit from these valuable sessions.
Join us for our next CISO Forum on October 21st at 1:00 pm CDT: Best Practices around Evaluating and Responding to 3rd Party Assessments.
About Tim Howard
Tim Howard is the founder of 4 technology firms, including Fortify Experts, which helps companies hire the Best Cyber Talent on the Planet as well as providing expert consulting and NIST-based security assessments.
In addition, he has a passion for helping CISOs develop Higher Performing Teams through coaching, by creating interactive CISO Forums, and by helping them create highly effective team cultures.
With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.
He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.
Tim is married with 3 kids. He is an avid runner and has completed two IronMan Texas events. He is also a graduate of Texas A&M University.
Invite Tim to connect: www.linkedin.com/in/timhoward