Building a Proactive and Adaptive Cybersecurity Strategy: Insights for Enterprise Success

July 5, 2024

Developing a solid cybersecurity strategy is the key to protecting your organization's brand, reputation, sensitive data and intellectual assets. Being proactive and adaptive with cybersecurity matters. Here is why:

 

  • Cybercrime exists because criminal actors make money by performing it: Breaches dominate headlines, highlighting the constant risk of compromise. Evolving threats (business email, phishing, data in the cloud, compromised credentials, etc.) require coordinated approaches to stay ahead
  • Compliance demonstrates commitment and enables communication: Check box compliance is a relic of the past. New regulations and customer expectations necessitate robust security measures. Customers, insurance and business partners require solid security. No one wants to do business with a non-compliant entity. Having achieved compliance provides assurances across all entities to the capability and commitment of the organization to secure, safe, trustworthy transactions
  • Business impact: We’re talking about your business’s bottom line. Cyberattacks disrupt operations, erode trust and damage reputations. According to IBM, the cost of a data breach rose 15 percent in just 3 years, with the average global cost at $4.45 million

 

 

What is a Cybersecurity Strategy?

A cybersecurity strategy is an agreement across the executive team to the priorities and concerns which guides an organization to proactively defend themselves against cyberattacks. It provides the vision and guardrails to assist the teams across the organization with implementing the processes, technologies and policies needed to safeguard critical data, systems and infrastructure, all aligned with the organization's specific goals and risk tolerance.

 

Based on cybersecurity principles and allocating resources to align with the business's cybersecurity program and goals, the strategy will be a blueprint for building resilience in the face of ever-evolving cyber threats. It prepares your organization to prevent attacks and to detect, respond to and recover from them effectively.

 

 

Why Proactive Cybersecurity Matters

There can be a disconnect between what technical teams consider "proactive" cybersecurity and what aligns with business goals. No matter how good your security is, eventually portions of your systems will be compromised. Therefore, it is prudent to prepare your team for when that happens.

 

Technical proactiveness often focuses on foundational elements like vulnerability scanning, threat hunting and intrusion detection. These measures involve securing infrastructure entry and exit points (egress and ingress) using technologies like firewalls, cloud access security brokers and Secure Access Service Edge (SASE). This technical approach provides valuable insights.

 

However, a business-aligned proactive strategy starts with understanding the organization's objectives. In a reactive model, the business might independently implement tools like Microsoft 365's Co-pilot, and then involve security teams later.

 

True proactiveness is a partnership. The business collaborates with security and asks, "How can we work together to implement these tools quickly and effectively?" This trust-based approach is the essence of proactive cybersecurity. It demonstrates that security understands agility and that speed is important while respecting that unsafe, insecure IT is risky and unwarranted.

 

 

Cybersecurity: A C-Suite Imperative

Cybersecurity is no longer an IT issue. The potential financial and reputational damage from attacks elevates it to a critical boardroom discussion.

 

Align on Priorities

The first step is understanding what you are trying to protect. Prioritize your approach based on the value of the assets, data and revenue streams, then tailor defenses including response and recovery plans to mitigate potential breaches and safeguard customer trust, financial stability and brand reputation.

 

Cybersecurity as an Enabler, Not a Cost

Historically viewed as a cost center, cybersecurity can be a driver of business objectives. A proactive approach fosters innovation and growth, not just protection.

 

 

Conducting a Cybersecurity Risk Assessment

Start with a risk assessment to understand and prioritize the efforts to build your cybersecurity strategy. The assessment allows you to understand the current state of your organization's cybersecurity, identify potential threats and understand current mitigating controls.

 

Building a security strategy varies depending on where your organization is within the security journey. Here are the stages:

 

  • Ad-hoc program: This stage is characterized by a reactive approach to security. Measures are implemented on a case-by-case basis without a clear overall strategy
  • Infrastructure-based: The focus here is on securing the technical infrastructure, such as firewalls and intrusion detection systems. While important, this stage does not fully consider the business context of security risks
  • Compliance-based: Security measures are primarily driven by the need to meet external regulations like GDPR or HIPAA. While compliance is essential, this stage may not fully address all the business-specific security threats
  • Threat-based: This stage involves actively identifying and mitigating potential cyber threats. However, it might not fully consider the varying risks across different parts of the business
  • Risk-based/data-centric: This stage prioritizes security efforts based on a thorough risk assessment, focusing on protecting critical data assets
  • Business-aligned: This is the ideal stage. Security is fully integrated into business operations, aligned with overall business goals and considers the impact of security measures on different business units

 

 

5 Steps to Cybersecurity Strategy Success

No matter where you are within your journey, aligning to your business and understanding your regulatory and technology allow you to integrate security into all aspects of your organization. Here are 5 critical steps for building a proactive cybersecurity strategy:

 

1. Business Profiling

 

  • Analyze business, industry and competitor threats
  • Define risk tolerance levels based on executive input
  • Assess current technology
  • Understand relevant compliance regulations

 

2. Vision and Mission Definition

 

  • Conduct workshops with executives to define the desired future state of your cybersecurity program
  • Identify aspirations, concerns and historical experiences that shape your security vision and mission
  • Benchmark your program against industry peers in security capabilities, headcount and budget

 

3. Strategy and Roadmap Development

 

  • Craft a cybersecurity strategy aligned with business priorities and your defined program vision and mission
  • Develop an actionable 3- to 5-year roadmap to achieve your desired security posture

 

4. Implementation with Optiv Accelerators

 

  • Leverage Optiv's proven accelerators, industry-tested at Fortune 50 and 100 companies, to jumpstart your strategy and deliver quick results
  • Benefit from tools like:

    • Risk appetite framework: Understand your risk profile based on risk control and mitigation capabilities
    • Threat profiles: Gain industry-specific insights into potential threats and threat actors targeting your organization
    • Industry benchmarks: Compare your cybersecurity program (budget, headcount, capabilities, governance) against industry peers

 

5. A Business-Centric, Threat-Aware Program

 

By focusing on your business objectives and desired outcomes, Optiv helps you build a proactive cybersecurity program. This program prepares you to handle any situation and accomplish your goals effectively.

 

A Tactical Approach to Future Trends

“No plan survives contact with the enemy.” (Helmuth von Moltke, 1871)

 

To continue to be proactive and adaptive, a strategy needs to consider and manage the people aspects of cybersecurity. The machines will do as they are instructed and continue to do so. Key aspects to include tactically are governance, policies, regular third-party reviews and metrics.

 

Policies to establish guardrails, guidelines and standard, but most importantly to capture the intent of leadership. Only the rules which are published can be followed.

 

Governance to promote regular checkpoints and adjustments. A trusted team of leaders needs to be established across the organization to adapt to change as it happens and resolve conflict which is natural and expected. Rapid reaction is the next best thing to proactive anticipation. However, to do so requires instrumentation, measurement and then a decision-making structure.

 

Internal audits, external audits and third-party assessments are invaluable forms of measurement. Having an unbiased team outside of the security team review, validate and comment on the current state provides confidence the strategy is working as designed or enables coaching, guiding and course correction.

 

 

Emerging Threats to Cybersecurity Strategy

A key concern is the convergence of different attack vectors. For instance, the recent attacks on hospitals and benefits centers highlight the vulnerability of the healthcare industry and medical technology to ransomware. Additionally, the growing use of Internet of Things (IoT) devices in manufacturing and medical settings creates a larger attack surface for threat actors to exploit.

 

Our goal is to help organizations minimize these risks. As the attack surface expands, we work with them to identify and prioritize potential threats and develop effective mitigation strategies.

 

Moving from Cybersecurity Strategy to Tactical Implementation

As we forge ahead on how to execute your cybersecurity strategy, it is paramount to consider the pitfalls that could hinder its effectiveness. Understanding and consciously avoiding these common obstacles can significantly ramp up your cybersecurity posture. The sections below are many of the tactics which need to be considered.

 

Understanding and Avoiding Common Cyber Threats

New cyber threats emerge daily. It is easy to fall for these threats if unaware of them. Be proactive in staying informed about common cyber threats like phishing, malware and ransomware. Use threat intelligence sources and services that provide up-to-date information about emerging threats and threat actors. This knowledge empowers you to take preemptive measures to thwart these threats before they even reach your network.

 

Maintaining Strong Password Policies

Passwords are like keys to your digital house; you wouldn't want to give them away quickly. Weak and reused passwords are one of the primary ways cybercriminals gain unauthorized access to systems. Enforce strong password policies across your organization. Encourage using complex and unique passwords and consider implementing multi-factor authentication for additional security.

 

Regularly Updating Software and Systems

Outdated software is a treasure trove for cybercriminals. It's like unlocking your home's doors; intruders can walk right in. Regularly update all software, operating systems and applications to fix security vulnerabilities. Turn on automatic updates when possible and install security patches promptly.

 

 

How can CISOs and security leaders build resiliency in the next 30 days?

Automation and dynamic decision making enable rapid autonomous detection and response by security controls and replication of changes or configurations. That same rapid resilience strategy creates risks that the network, cloud or software will rapidly replicate mistakes, malicious programs or create outages. The primary way to manage these risks is compartmentalization. Collaboration between security teams and business leaders to build isolated safe zones, immutable storage or containerized minimum viable capability is paramount.

 

Cybersecurity Awareness

Having security policies is just the beginning of an ongoing process to educate your employees about them. Cybersecurity training and awareness are paramount to both achieving compliance goals. Still, as the culture evolves, it also serves as an essential means of communication to educate people.

 

Everyone in your organization has a role to play in mitigating security issues. Therefore, all employees must understand the security policies and their responsibilities. This includes explaining why the policies are in place and the importance of adhering to them. Regular training sessions will help keep everyone updated and aware of their roles in maintaining a secure environment.

 

Validation Management

Audits and assessments are an important part of validating management intent (expressed by policies). Regular security audits help verify that your policies are followed and effectively safeguard your organization's assets. They will also identify any areas where the organization may have overlooked a loophole or gap in efficacy of security.

 

These assessments should be both internal and external, simulating different scenarios to test the effectiveness of your tactical security. If an audit identifies areas falling behind, you can immediately address them. These assessments should include exercises like tabletops and incident response practice or scrimmaging.

 

The first step involves understanding the business's goals for AI integration. This means actively engaging with leadership to determine when, where and how AI will be implemented across the organization.

 

Regular meetings with key stakeholders, including CISOs (and the growing number of BISOs), are crucial for establishing a robust governance framework for AI. These meetings should address risk management practices, data privacy considerations, ethical implications and regulatory compliance surrounding AI use.

 

Effective communication is also essential. CISO-led meetings with business leaders should become a regular practice. These meetings offer a platform to discuss the security risks related to integrating AI, potential strategies for mitigation and ongoing updates on the threat.

 

By fostering collaboration and clear communication, organizations can navigate the opportunities and challenges of AI integration while maintaining a strong cybersecurity posture.

 

 

Developing Comprehensive Cybersecurity Policies

As an organization moves away from just implementing security tools and into compliance, the first step is to develop comprehensive security policies that outline what your organization expects regarding cybersecurity practices. This includes defining rules for network access, detailing the network architecture and setting the security environment.

 

You also need to break down your central security policy into specific policies to make it easier for employees to understand and follow. These policies could revolve around data security, password management and handling of sensitive information, among others.

 

The aim of your security policies should be to protect your organization. They should clearly state what management expects and then standards can be built to describe specific technical or products which are required or recommended to achieve your cybersecurity objectives. Moreover, as your organization grows and evolves, so must your security policies. Therefore, periodically reassess your policies and make necessary updates to keep them relevant and effective.

 

Creating and enforcing comprehensive cybersecurity policies is crucial to building a cybersecurity strategy. These policies not only set out your security expectations but also educate your employees about their role in maintaining a secure environment. Regular audits verify the effectiveness and currency of these policies, aiding in maintaining a strong and resilient cybersecurity posture.

 

 

Evolving Cybersecurity Strategy

Everyone has some security these days, even if it’s only rudimentary firewalls and antivirus. Evolving from infrastructure to risk based involves multiple steps. At Optiv, we're seeing a surge in inquiries about integrating AI into business models. This integration brings exciting opportunities, but also new security risks.

 

To understand these risks Optiv is helping customers by breaking them down into logical and/or technical models. This allows us to collaborate with the business on building a robust security strategy.

 

Deploying Necessary Cybersecurity Tools and Capabilities

Tactical security involves implementing cybersecurity tools and capabilities. These may include firewalls, antivirus software, intrusion detection systems, etc. It's not just about having the right tools; it's about using them to effectively meet the compliance and regulatory needs of the organization.

 

Continuously Monitoring and Evaluating the Strategy

Monitoring and evaluating your strategy evolves over time. During the infrastructure phase, it is generally about the tools and log. Measurement is tool-specific and about the effectiveness of the tools themselves.

 

Moving into the compliance stage means validating the program against any number of regulatory frameworks and is measured by an internal or independent third-party assessment. As the program evolves and the strategy becomes threat based, the technical teams focus on known threats and use tools like Mitre ATT&CK and prioritize vulnerability management. This is only a partial picture. To get to a risk-based strategy, those technology threats need to be aligned to business risks and then prioritized via a risk register.

 

Maturing the risk register to a point where it is aligned with enterprise risks and cyber risks can be stack ranked against other business risks, provides the foundation for a business-aligned strategy. However now the hard work of evolving the strategy turns into governance.

 

Protecting Business Data at All Costs

Your business data is a valuable asset. The loss or theft of this data can have crippling effects on your business. Invest in robust security measures to protect your data at all costs. This includes encrypting data at rest and in transit, implementing access control measures and backing up data regularly.

 

In conclusion, cybersecurity strategy implementation is not a walk in the park, but it's not an insurmountable challenge either. You're already a step ahead by understanding the common pitfalls and taking proactive measures to avoid them. Cybersecurity is not a one-and-done task but a continuous process that requires vigilance and commitment.

 

 

Evolve Your Cybersecurity Strategy with Optiv

Knowing how to build a cybersecurity strategy is about more than just crafting a solid plan. It's also about embracing the fact that this strategy must evolve continuously. By focusing on your organizational objectives and what you’re looking to get out of your cybersecurity program, we can give you actionable advice, so you’re more prepared – no matter what happens. In challenging times, reflect on how you are set up to succeed rather than what could have been done in the past.

 

A robust cyber strategy, aligned with your organization's objectives and integrated across business areas, enables it to achieve its goals and protect itself from constant cyber threats. For more guidance on building a cybersecurity strategy or to explore our range of cybersecurity services, contact us today.

Brian Golumbeck
Director, Strategy and Risk Management | Optiv
Brian Golumbeck is a Practice Director within Optiv Risk Management and Transformation Advisory Services Practice. He has a history of leading challenging projects and building dynamic high impact teams. Mr. Golumbeck’s 25+ years working in Information Technology, include 20+ years as an information security professional. Brian is a Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Controls (CRISC), Certified Information Security Manager (CISM), Certificate of Cloud Security Knowledge (CCSK), EXIN/ITSMf ITIL Foundations, and Lean Six Sigma – Greenbelt.