Aligning Security Strategy and Business Strategy
Updated: Jun 24, 2020
Cyber threats come in all shapes and sizes and they employ varying tactics to create havoc for organizations and their stakeholders.
Malware, phishing, DDoS and man-in-the-middle attacks are just some of the methods attackers use, and each plays on a different weakness to infiltrate an organization, most commonly human error or a network or application vulnerability.
Knowing where to start can be confusing given the many competing priorities. The challenge is even harder if you don’t have full-time security specialists on the team. Whatever your size or sophistication, you’ll need a cybersecurity strategy to ensure you are managing your risks. But it is critical that your strategy meets the needs and objectives of your business. Security needs to be an enabler not a ‘business prevention’ function.
Aligning your cybersecurity strategy to organizational objectives is fundamental to its success (as well as to the success of your business), but what does it actually mean?
Start with business objectives then assess the risks
Let’s use some scenarios to answer the question.
We’ll create a fictional business for the scenarios, and we’ll call it ABC Corp. Our new business sells direct to consumers so is a B2C sales organization. Following a successful year last year, ABC Corp has strategic objectives for each of Marketing, Sales and IT Systems in the coming year. Each objective leads to the implementation of systems and the movement of data across the organization.
Objective 1: Marketing: A key marketing objective is to increase sales leads by 10% by implementing an inbound marketing strategy. This requires the roll out of a new CRM and marketing automation tool which enables targeted email campaigns and customer tracking through each stage of the sales funnel.
Objective 2: Sales: The sales team want to speed up order processing. They request the dev team to develop an app that enables them to place orders whilst they are with customers. The app needs to be integrated with the new CRM and marketing automation tool described in Objective 1.
Objective 3: IT Systems: To support growth, the IT department needs to increase computing power and storage capacity. They also need greater flexibility to ‘stand-up’ development environments in which to create new services and tools. To support this, they contract a Cloud Service Provider (CSP) and migrate all key systems to the cloud.
At this point ABC Corp's marketing, sales and IT stakeholders work with their information security manager (we’ll call him Bob) to ensure he knows what their objectives are and how they will be achieved. Using this information, and with continued input from stakeholders, Bob then assesses the security risks for each objective and for the plans to achieve it. Using the results of this work, Bob then takes steps to manage these risks on a prioritized basis.
This might require technical controls but might just as well require organizational measures such as updated policies, new procedures or standards or improved user awareness training. Maybe even improved physical security or personnel security. For at least one of them, it’s definitely going to require good supplier security management. If the risks remain high after controls have been implemented, your executives should sign off on tolerating these risks before you proceed and steps should be taken to address them in your incident response plan.
Carrying out a risk assessment for each objective, we might identify multiple scenarios including the following:
Objective 1 – Security Risk: Customer data which is entered into the CRM originates from an unencrypted Excel document which is left on the company server. An ABC Corp sales employee takes a copy of the customer data with him when he joins a competitor and uses it to prospect those customers for business at his new employer.
Objective 2 – Security Risk: The app developers do not follow a secure development lifecycle methodology. The attack surface and potential threats are not identified, and code isn’t reviewed against the OWASP Top 10. Once live, a malicious attack gets through and customer payment information is exfiltrated.
Objective 3 – Security Risk: The CSP outsources parts of its infrastructure to a third party who has access to the CSP’s systems. Whilst the third party claims to take security seriously, its security posture and practices are actually immature and a malicious attack results in ABC Corp's data being affected by ransomware.
As your business changes so should your cybersecurity strategy
At one time, change was unusual and ‘transformation’ programs took place maybe every 5 to 10 years, when something wasn’t working. Organizations didn’t like change – it was risky and expensive. Today, business change is constant. Organizations change or transform for reasons of competitive advantage and many businesses chase the ‘disrupt or be disrupted’ adage. The objectives listed above are therefore entirely feasible in a single year.
Change can bring competitive advantage, but it also brings risk. Likewise, a security strategy focused on former tools, services, applications, and working practices is as much use as a chocolate fireguard. If your business intends to move critical systems and services to the cloud for example, there is no point in having a security strategy built on traditional on-premise systems with a hard boundary and ‘soft center’. This means your security objectives, your controls, your risk management approach and your metrics do not make you more secure. Sadly, we see this too often. The business has plans and is doing something new whilst the security strategy is focused on approaches that made sense to the business 2 years ago. Likewise, recovering from an incident takes longer and is more painful because the incident response plan is out of date for the same reasons.
All of this comes down to a lack of alignment and poor communication. Ensure that systems owners, data owners, budget holders, and other key decision-makers think about security within their plans. Get Bob involved early. Not so he can say ‘no’ but so he can build his security strategy in a way that aligns with the objectives of the business. Doing so also helps ensure security and data protection by design (rather than trying to retro-fit it later).
If Bob knows your plans he can assess the risks, ensure that security risks are managed, and your organization is more likely to achieve its objectives. If you try to bolt on security later it’s more likely that the result will be ‘we can’t do this, the risk is too high’. Build security in from the ground up and risk mitigation can begin right from the start. Let’s take Objective 3. In this case, Bob will manage this type of risk through supplier due diligence and potentially a second-party audit, during which he’ll ask about the CSP’s third-party suppliers and request assurance about their practices. He’ll also ask ABC Corp's lawyers to include security obligations and maybe indemnities in the contract. Bob will also ensure that back-ups are in place and tested to help recovery from a disaster. Each of these steps is a way in which Bob is aligning his cybersecurity strategy with ABC Corp’s business objectives.
Risk assessments are your friend
Now, it’s unlikely that you’ll be able to secure everything and reduce security risks as much as you like. The attack surface grows year on year and new threats emerge as quickly as vulnerabilities are discovered.
To help you determine where to prioritize your time and money in securing your assets you need to carry out a risk assessment. This involves looking at the impact and likelihood of a threat exploiting a vulnerability resulting in a security incident (of the types listed above). When working on your impact assessment, don’t just think about the direct costs of recovering from an attack. Also think about operational impact (lost productivity), lost revenue arising from systems downtime or lost customers, contractual or regulatory liabilities, reputational damage to your brand and individuals’ well-being.
It can be tempting to take a qualitative approach and go with a ‘finger in the air’ high, medium and low but try and find the time to take a quantitative approach and apply actual impact levels if possible. This will make the exercise more realistic and will have greater impact on stakeholders. Below is an example of impact levels that we created for a client.
Also, be realistic with your likelihood assessment. Don’t wear ‘rose-tinted spectacles’. Be realistic about how likely the risk is – both inherently and after applying the controls you have in place.
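As an added illustration (not part of the original article), here is a small Python risk register that scores the three ABC Corp scenarios with quantified impact categories from the paragraph above, and ranks them by expected annual loss both inherently and after controls. All monetary figures, probabilities and level bands are constructed assumptions, not client data.

```python
from dataclasses import dataclass


@dataclass
class Impact:
    """Quantified loss components for one incident, in currency units (constructed)."""
    recovery_cost: float      # direct cost of investigation, clean-up and rebuild
    lost_productivity: float  # operational impact while systems are down
    lost_revenue: float       # downtime and lost customers
    liabilities: float        # contractual penalties and regulatory fines
    reputation: float         # estimated brand damage

    def total(self) -> float:
        return (self.recovery_cost + self.lost_productivity + self.lost_revenue
                + self.liabilities + self.reputation)


# Assumed bands mapping a quantified total onto an impact level (constructed).
IMPACT_BANDS = ((100_000, "Low"), (500_000, "Medium"), (float("inf"), "High"))


def impact_level(total: float) -> str:
    """Return the first band whose ceiling the total does not exceed."""
    return next(label for ceiling, label in IMPACT_BANDS if total <= ceiling)


@dataclass
class Risk:
    name: str
    impact: Impact
    inherent_likelihood: float  # annual probability before controls (0..1)
    residual_likelihood: float  # annual probability with current controls (0..1)

    def inherent_exposure(self) -> float:
        return self.impact.total() * self.inherent_likelihood

    def residual_exposure(self) -> float:
        return self.impact.total() * self.residual_likelihood


def prioritize(risks, residual=True):
    """Rank risks by expected annual loss, highest first (residual by default)."""
    key = Risk.residual_exposure if residual else Risk.inherent_exposure
    return sorted(risks, key=key, reverse=True)


# Constructed figures for the three ABC Corp scenarios described above.
ABC_RISKS = [
    Risk("Obj 1: departing employee copies customer spreadsheet",
         Impact(20_000, 10_000, 150_000, 50_000, 40_000), 0.30, 0.10),
    Risk("Obj 2: order app breached, payment data exfiltrated",
         Impact(120_000, 60_000, 300_000, 400_000, 250_000), 0.25, 0.05),
    Risk("Obj 3: CSP sub-processor compromise leads to ransomware",
         Impact(200_000, 250_000, 350_000, 100_000, 150_000), 0.15, 0.06),
]
```

With these figures the inherent ranking puts Objective 2 first, but once current controls are taken into account Objective 3 carries the largest residual exposure, which is exactly the reordering the likelihood paragraph warns you not to miss.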
Align your security strategy (objectives, metrics and controls) with your business strategy and focus your time and investment in the risks that would cause the most damage to your business by reference to their likelihood and their impact. Do so and you’ll have a security strategy that makes sense for your business and a stronger security posture to help prevent and recover from cyber incidents.