Executives increasingly realise that just one serious security incident or data breach could derail the growth and profitability of their organisation, causing irreparable brand damage, customer loss, significant costs to remediate and the potential incursion of fines and legal fees.
The continued barrage of headline-generating cyber attacks underlines the criticality, and stress, of the CISO role. According to a 2022 survey by Heidrick and Struggles, 59% of CISOs globally state stress as the most significant personal risk related to the role, while a further 48% are concerned about burnout.
The CISO is responsible for ensuring an organisation is cyber resilient and must manage a complex ecosystem of overlapping regulatory requirements and rapidly adaptive threat actors. A robust cyber strategy aligned with the business strategy is the bedrock of sustained cyber resilience.
One way CISOs can reduce job stress and accelerate their cyber resilience postures in the face of increasing threats and dwindling budgets is to create high-impact cyber resilience strategies. Getting this right is critical to cyber resilience and has three powerful strategic advantages: it carefully balances security and consumer experience, eliminates needless security expenditure, and fosters clarity of focus.
The Old Approach — Risk-Based Cyber Resilience Strategy
Until recently, organisations adopted a risk-based approach to managing cyber risk. The idea of the old approach is straightforward: to reduce the firm’s exposure to excessive cyber risks by investing in controls to move unacceptable cyber risks to within appetite.
In our experience, the old approach is limited by three key factors:
- Treating risk mitigation activities in isolation leads to unnecessary waste and posits cyber security as a necessary evil whose aim is to dampen digital user experience.
- It complicates the cyber transformation program by not carefully considering critical dependencies and how cyber security can act as an enabler, not an inhibitor, of digital transformation.
- It does not address critical questions: Can we do it? Do we have the required skills to drive complex change, and if not, how can we leverage business partnerships? Left unanswered, these questions will come back to haunt the CISO at astonishing speed.
Risk-based cyber strategy fails to translate cyber resilience into a powerful business enabler that can anchor customer trust, drive business growth, and improve share price performance. Consequently, CISOs who stick with this approach struggle to enlist stakeholder support and buy-in. The 2022 ISACA State of Cybersecurity Report confirms that the majority of CISOs fail to secure adequate funding: only 42% of CISOs report their cyber security programs are appropriately funded.
Active Cyber Risk — A New Approach
The idea is to carefully build cyber risk management into your cyber resilience program. But not all risks are created equal. During the formative stages of your cyber transformation journey, you must disproportionately allocate your limited resources towards mitigating critical risks — those which, if left untended, would materially impact the organisation’s bottom line and license to operate. A proven way to achieve this is by utilising the classic Active Cyber Risk Profile which prioritises cyber risks by assessing the likelihood and potential impact of residual risk, given the current mitigation controls. Once the top 6–10 risks have been identified, the next stage is clearly articulating their risk drivers, business impacts as well as specific initiatives to bring each risk to within appetite.
How To Develop a High-Impact Cyber Resilience Strategy
High-impact cyber resilience strategies are not just about reducing cyber risk. To deliver value, there are some questions you must consider:
- What drives value in your business? What are the most important revenue lines and what key systems underpin those business operations?
- What is the desired state in 6, 12 and 24 months? What is the fastest and most cost-effective way to reach that desired state?
- Who are the most important stakeholders? Has the CISO built their perspectives into the cyber resilience strategy to create a shared sense of purpose and tone at the top?
- What key risks could impede the realisation of board-approved strategic goals? Have we built robust mitigations to reduce the likelihood and impact of these risk scenarios?
- How can you communicate the value you’re planning to deliver?
- How do you make sure that you deliver the value promised?
We recommend an agile approach. Take a rough assessment of where you stand, determine where you want to be, quickly determine the best way to reach it, and then start the process.
Measure, measure, measure
Resist the temptation to rush into execution mode and conduct a deep-dive assessment of your current state instead. Assess the strength of existing capabilities to protect against adversaries and determine the areas of highest risk exposures. This includes thoroughly reviewing board papers, risk assessments, governance reports, incident registers, IT roadmaps, business strategies, business value chains, audit reports, etc., without being drawn into endless low-level reviews.
An honest assessment of your capabilities provides a strong foundation for your strategy and a benchmark to assess maturity as you ramp up your capabilities.
Measuring also requires in-depth workshops with key stakeholders, IT teams, suppliers, and vendors. Only when you fully comprehend the problem as well as the existing capabilities can your strategy achieve the maximum impact.
Ask these key questions to begin assessing your current state:
- Does the organisation maintain an up-to-date and tight inventory of its high-value digital assets (crown jewels)?
- Has the organisation been a victim of a sustained cyber intrusion? Was the cyber resilience strategy adapted to cater for key learnings that arose from previous attacks?
- What are the top five to ten cyber risks on the active risk profile? Does reliable data underpin these ratings, or is the cyber risk profile based on highly subjective views?
For more questions to consider in your assessment, see the CISO Playbook: Cyber Resilience Strategy.
When measuring where you stand, go beyond the high-level risk assessments, and engage a suitably qualified third party to assess technical controls around some of your areas of highest risk. For example, probing your crown jewels for ransomware defence readiness can inform your strategy of key gaps, helping allocate resources where they matter most.
Get To Know Your Stakeholders
The main objective of a high-impact cyber resilience strategy is to advance the mission of the organisation and service its stakeholders.
The CISO must gain steadfast support and buy-in from critical stakeholders, lest the program fails before take-off. Success does not happen in isolation — cyber security is a team sport. To guarantee success, the CISO must do the hardest bit — slow down, shut up, and listen.
Proactive engagement at the formative stages includes developing a strong rapport with the C-suite and understanding their concerns and expectations. Infuse their perspectives into the cyber resilience strategy, agree on how to measure success, and report back consistently and honestly.
Don’t Forget The Basics
Rather than focusing on the latest bleeding-edge technology, set your sights on your organisation’s foundation. Overlooking the basics can have strategic implications. Some practical ways to improve the basics while advancing your strategic initiatives include:
- Ensure all remote access is protected by MFA, including SaaS-based business-critical applications.
- Conduct a password-cracking exercise and reduce the extent of guessable passwords.
- Remediate all internet-facing critical vulnerabilities and implement a disciplined monthly patching and vulnerability management regime.
- Purchase a cyber security incident retainer with a cyber incident response and forensics firm to gain prioritised access to expertise in the event of a crisis.
- Minimise the attack surface by removing all services needlessly exposed to the internet, especially high-risk applications like Active Directory.
- Ensure all your crown jewels have daily offline backups, and that the recoverability of this data within business-approved recovery time objectives is regularly tested.
- Facilitate a board and executive cyber crisis simulation tabletop exercise to align expectations, clarify critical responsibilities, determine external communication protocols and uncover key gaps before a real disaster strikes. As we say at CLI, you must know that you’re ready when the inevitable happens.
Getting essentials in place will give you peace of mind that you have reasonably reduced your exposure to preventable cyber intrusions while advancing longer-term projects.
Focus On What Really Matters
Strategy design is about making bold decisions and sticking with them to deliver deep and lasting change. Attempting to mitigate all cyber threats across digital assets is misguided. It leaves high-value assets unprotected, creates noise, and fatigues cyber resilience teams. The CISO must ruthlessly prioritise initiatives based on their effectiveness in reducing business risk, ability to improve business value and the cost to implement and maintain that control. Strategy is about choices — what you will do, what you won’t do, and what you must do first.
To do this, the CISO must gather the nerve to steer away from conventional, one-size-fits-all cyber security investment models and prioritise the protection of your crown jewels — the most critical information assets, which, if compromised, could severely undermine the organisation’s bottom line, competitive advantage, reputation, or even threaten its survival. Crown jewels include but are not limited to inventions, board deliberations, trade secrets, proprietary formulas and processes, prototypes and blueprints, technical designs, advanced research, confidential documents, manufacturing plans, software code, corporate and pricing strategies, and patented designs. The protection of these high-value digital assets must take precedence over other ancillary systems.
Consider Key Dependencies
The CISO and their team must explore synergies that can bundle projects up, delivering value in the quickest way and minimising business disruption. For example, it only makes sense to implement an effective data classification and tagging solution before exploring data loss prevention (DLP) solutions. Similarly, conducting a penetration test on an application that’s due for a major upgrade is a waste of money and only frustrates IT teams. To do this effectively, consider cyber resilience through the lens of the business value chain — building new strategic partnerships, securing new products, and enhancing customer trust to name a few.
When cyber strategies are built in isolation and from a compliance mindset, cyber security becomes an impediment to business agility and results in needless customer friction. Understanding the business and digital transformation roadmap before spending money is imperative for success. One CISO we know saved their organisation money, deferring an expensive and high-risk project of encrypting a core banking platform after learning the platform was scheduled for migration into Amazon Web Services during the next six months. This move eliminated the need to evaluate multiple third-party encryption tools, as the confidential data would be encrypted using native AWS tools.
Factor In Regulatory Requirements
No matter how much discretion you exercise, there will always be some mandatory regulatory projects and external obligations you must deliver, especially if your industry is heavily regulated, such as aviation or financial services, where compliance underpins your license to operate. Ensure that mandatory cyber resilience initiatives prioritised in short-to-medium-term roadmaps have adequate resourcing, clearly mapped-out dependencies, and are delivered in a timely manner.
Define Your Target State
Like most things, unless you know what you’re aiming for, you’re probably never going to get there. Defining your target state boosts credibility with key stakeholders, creating a shared sense of purpose and reason to push through inevitable obstacles your team will face.
With dozens of industry frameworks out there, you must stay disciplined and determine what level of maturity you want to achieve in the next 12–36 months. The aspirational maturity level should be commensurate to your risk appetite, industry and, most importantly, the resources at your disposal to drive a transformation program. Furthermore, using industry standards as a benchmark makes your choices defendable in front of the board and regulators. Aim high, but don’t exaggerate what you can achieve, given known constraints. Overpromising will come back to bite fast.
In our daily interactions with cyber leaders, we observe a consistent theme of frustration due to naïve views of cyber resilience within their organisation. The traditional risk-driven approach to cyber risk misses the golden opportunity to position cyber resilience as a growth advantage and powerful business enabler.
We recommend CISOs look beyond cyber risk and consider cyber resilience in the entirety of the business value chain, enlisting the buy-in from senior stakeholders early, ruthlessly prioritising initiatives, and never forgetting the basics. Only that way can the CISO earn the respect of decision-makers and accelerate cyber resilience at a fraction of the budget.