A cyber strategy is a documented approach to handling various aspects of cyberspace. It is mostly developed to address the cybersecurity needs of an entity by focusing on how data, networks, technical systems, and people are protected. An effective cyber strategy is normally on par with the cybersecurity risk exposure of an entity. It covers all possible attack landscapes that can be targeted by malicious parties.
Editor’s note: This is an excerpt from Cybersecurity – Attack and Defense Strategies, Second Edition, a detailed overview of Cloud Security Posture Management (CSPM) and an assessment of the current threat landscape.
Cybersecurity is the focal point of most cyber strategies because cyber threats are continuously becoming more advanced as more sophisticated exploit tools and techniques become available to threat actors. Due to these threats, organizations are advised to develop cyber strategies that ensure the protection of their cyber infrastructure from these various threats.
In this article, we introduce how you can build effective cyber defense strategies. Please note, the steps given are meant to help you formulate your own cyber defense strategy and can be customized according to your need.
Understand the Business
The more you know about your business, the better you can secure it. It’s really important to know the Goals of your organization, Objectives, the People you work with, the Industry, the current Trends, your Business risks, how to Risk appetite and tolerance the risks, as well your Most valuable assets. Everything we do must be a reflection of the business requirements which is approved by the senior leadership, as it has been manded also in ISO 27001.
As Sun Tzu said in the 6th Century BC, “If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”
A strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat. In order to develop a strategy, we must first understand the threats and risks that we will be dealing with.
Understand threats and risks
It’s not too easy to define risk, as in literature, the word “risk” is used in many different ways. According to ISO 31000, risk is the “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected.
The word “risk” combines three elements: it starts with a potential event and then combines its probability with its potential severity. Many Risk Management courses are defining risk as: Risk (potential loss) = Threat x Vulnerability x Asset
It’s really important to understand that all risks are not worthwhile to mitigate. If the mitigation is going to be costly then a single occurrence or if it’s not a major risk then the risk can be accepted.
As in everything else, documentation is really important and it’s a key aspect of every Strategy. When it comes to treatment settings, or helping assurance of business continuity, documentation plays a critical role. Documenting the cyber strategy will ensure efficiency, consistency, and peace of mind for anyone who is involved. Documentation helps to establish standardization between processes, and ensures everyone in your organization is working the same way towards the same outcome.
The following illustration shows how a good Cyber strategy documentation should look like:
A good Strategy document should list what the strategy is, and why it’s needed. It has to be clear, and easy to understand. It should highlight any urgency with some mitigations options which should highlight the benefits of the given choices and how its going to address the business issues.
Having the Cyber strategy documents, can help you easier to be aligned with the business strategy as well as with the Business drivers and goals. Once this has been aligned, you can build the technical aspects and the cyber transformation plan to be more Cyber Safe.
About the Authors. Yuri Diogenes is a Senior Program Manager at C+AI Security and a Professor at EC-Council University. Dr. Erdal Ozkaya focuses on securing cyberspace and sharing his real-life skills as a security adviser, speaker, lecturer, and author.