Operationalizing, or implementing, cybersecurity is an ongoing effort that continually evolves and grows. Just as an organization never finishes achieving safety, it never finishes achieving cybersecurity. A well-defined organizational cybersecurity strategy is therefore essential for keeping the organization's security goals in view as conditions change. Board members are becoming increasingly aware of the requirement to implement a cybersecurity strategy, and of the perils faced by organizations that continue to treat cybersecurity as purely an information technology (IT) problem. That awareness is driving board members to take a more active role in defining the organization's cybersecurity strategy.
Defining a cybersecurity strategy
An organizational cybersecurity strategy is the organization's plan for mitigating security risks to an acceptable level. Understanding the business purpose and mission goals of the organization is the first step in defining that strategy. Board members and business leaders define their expectations for the services the business provides by establishing operating targets and budgets. If aligned correctly, this information reveals the critical business functions within the organization and helps identify the criticality of the resources supporting those functions. For example, if an organization declares that it is releasing a new product this quarter and all focus is being placed on completing that project, the resources supporting the new product's development become critical. Many frameworks, such as ISACA's COBIT 5[1], assist organizations in defining and establishing business priorities.
Translating a cybersecurity strategy into a risk management plan
Once an organization understands its business objectives and has aligned resources to those objectives, it can develop a security risk management plan. Security risks are not simply a count of the vulnerabilities detected by a vulnerability scanner. A security risk is an area within the organization where business operations would be damaged if a threat acts against it. Many risk assessment processes are available to help organizations define their cybersecurity risks. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)[2] and FAIR[3] are structured risk assessment processes that enable organizations to identify and rate the risk to their business; FAIR in particular quantifies risk in financial terms. NIST SP 800-30, Guide for Conducting Risk Assessments[4], helps organizations estimate how likely a security risk is to occur and the impact or harm it will have on the organization if it does. Organizations can leverage any of these processes, or a combination of them, to define security risk thresholds and expectations for their business operations. These thresholds and expectations become the guidance required to define a risk management plan, and the risk management plan in turn drives the creation of the organization's security risk register.