When I was in high school English class, many years ago, one of the worst assignments was “outlining an essay.” I remember having to turn in an outline before every essay was written. The outline had to be approved, and the essays were graded against that outline. Mr. Dearbaugh, my English teacher, who looked a bit like Mr. Hand from Fast Times at Ridgemont High, would always explain that “the outline is the strategy for drafting the essay. The strategy guides the procedures, and the procedures lead to the completion. If you stray from the outline, you stray from your plan and you risk failure.”
Now some of those terms may be interchangeable, but for me the idea that a strategy and a procedure are not the same thing has stuck in my head. The strategy is the big-picture, long-term plan to achieve a goal. The procedures are the individual steps in that plan.
With that in mind, let's apply it to the concept of a corporate Cyber Security Strategy.
A strategy is defined as a plan of action or policy designed to achieve a major or overall aim, and strategic is defined as relating to the identification of long-term or overall aims and interests and the means of achieving them. So, what is a Cyber Security Strategy? It is a plan to achieve the long-term goal of being cyber secure. (I am not going to get into the debate of what cyber secure means.)
Very, very few companies actually have a Cyber Security Strategy. They have lots of procedures, and some have guiding policies, but few have a true strategy.
It is so bad that if you Google Cyber Security Strategies, almost every site lists a series of procedures to achieve cyber security. Many point to guidelines, recommendations, and industry standards, but again, they are not strategies. Zero-trust is not a strategy; it's one piece of access control. Security Awareness is not a strategy; it's risk mitigation. MITRE ATT&CK, NIST, and ISO are not strategies; they are guides.
For the sports minded, a strategy in soccer might be to overload your offensive or attacking side to wear down the defense until a goal is achieved. Conversely, you could “park the bus” and put most of your team on defense, which minimizes the chance of the opposition scoring but also minimizes your chance of scoring.
In today’s corporate and government world there are 3 Cyber Security Strategies an entity can and does follow:
· Risk
· Threat
· Ad Hoc
Before you claim these are all the same, let me explain. And please consider a Risk as something potential that could happen and a Threat as something that is happening.
The Risk strategy requires identification of risks, prioritization of the risks based on impact and likelihood of occurring, and then addressing those risks. Addressing a risk can mean accepting it, remediating/fixing it, mitigating/transferring it, or avoiding it completely. Not all risks have to be fixed, but they do have to be known.
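The risk register below is an added example, not part of the original post: it ranks constructed sample risks by impact × likelihood, records one of the four treatment decisions the text names, and flags any risk that has been identified but has no recorded decision or owner (the "known but not yet addressed" gap). The scales, risk names and owners are invented for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    """The four ways the post says a risk can be addressed."""
    ACCEPT = "accept"          # known, consciously left as-is
    REMEDIATE = "remediate"    # fix the root cause
    MITIGATE = "mitigate"      # reduce or transfer (e.g. controls, insurance)
    AVOID = "avoid"            # stop doing the risky thing entirely


@dataclass
class Risk:
    name: str
    impact: int                 # assumed 1 (negligible) .. 5 (severe) scale
    likelihood: int             # assumed 1 (rare) .. 5 (almost certain) scale
    treatment: Optional[Treatment] = None
    owner: Optional[str] = None

    def __post_init__(self) -> None:
        for label, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be 1..5, got {value}")

    def score(self) -> int:
        """Priority score: impact x likelihood, as the post's prioritization rule."""
        return self.impact * self.likelihood


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(register, key=lambda r: (-r.score(), r.name))


def unaddressed(register: List[Risk]) -> List[str]:
    """Risks that are identified but have no decision or no owner yet."""
    return [r.name for r in register if r.treatment is None or r.owner is None]


# Constructed sample register (hypothetical entries, not real findings).
REGISTER = [
    Risk("Unpatched internet-facing VPN appliance", 5, 4, Treatment.REMEDIATE, "Network team"),
    Risk("Laptop theft exposing unencrypted data", 4, 3, Treatment.MITIGATE, "IT ops"),
    Risk("Legacy app with no vendor support", 3, 2, Treatment.AVOID, "Business unit A"),
    Risk("Printer firmware out of date", 1, 3, Treatment.ACCEPT, "IT ops"),
    Risk("Shared admin password on build server", 5, 3),  # identified, no decision yet
]
```

Running `prioritize(REGISTER)` puts the VPN appliance first and the printer last, while `unaddressed(REGISTER)` returns only the shared admin password: a high-scoring risk the register knows about but nobody has yet decided how to treat.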
The Threat strategy is to focus on the actual and immediate threats as defined by you and by outside parties such as the media. A threat is something that is currently impacting you or is believed to be impacting you. This is a bit of a whack-a-mole or knee-jerk approach, where you have a team ready to pounce once a threat occurs. The Threat strategy is the here and now. It is usually what happens immediately following an incident, because the “remediation” suggestions from the IR team are focused on the threat and not on the long term.
The Ad Hoc strategy involves trying to set up everything you can because guidelines, suggestions and industry standards say you should. It's tool- and gadget-heavy, seeking to address all risks and threats with little focus on the true nature of those risks and threats.
Of the three, most “experts” talk about the need for the Risk strategy, but most companies actually use an Ad Hoc Strategy.
The Ad Hoc strategy is easy. It does not require planning; it requires picking an industry standard and complying with it. Here is the checklist of things we must have, so we will do that.
The Threat strategy is a little harder, because management will see something in the news and expect something to be done. There is limited thought and planning involved, though. It is an immediate threat and you must address it, even if it’s extremely low risk for your system.
The Risk strategy is the hardest in most people’s minds because it requires the most upfront work. It requires an outline of the plan, acknowledgment by company management, approval by management, and testing against that plan. That is just too much work. It requires a level of knowledge and involvement beyond the IT world, and it requires business unit interaction and discussions.
But let us go back to the definition of strategy or strategic. They relate to achieving a long-term or overall aim, interest, or goal.
If you accept my premise of the three “strategies” entities follow, as well as the goal of a Cyber Security Strategy being to make an entity cyber secure, then you will see that there are not actually 3 Cyber Security “strategies”; there is only one: Risk.
Ad Hoc and Threat are not long-term goal oriented. They only achieve a short-term or immediate goal, aim or interest.
Risk is the only strategy that is long-term in nature, as it involves all elements of an entity/business and seeks a future state of security.
So, if your cyber security team, management or leader is not focused on identifying risk, prioritizing that risk, and addressing those risks, they do not have a cyber security strategy.
The same goes for the company, the management of the company, and the board of directors for that company as well. If they do not know and understand the risks, they have no strategy.
Does your company have a Cyber Security Strategy?