Implementing cyber security strategy

Illustrative example: cyber roadmap

CISOs and security leaders are often called upon to develop a security strategy. It’s an important step: it establishes your current state, the direction you’re heading and the roadmap to get there. It’s also an opportunity to demonstrate how cyber security activities and programs align to business objectives.

There is more to the CISO role than setting the direction, however. It’s also about execution. As a security leader, it’s key to take ownership of the strategy and deliver on its promise. It’s useful, therefore, to be able to track progress against your objectives and demonstrate to the executive leadership team and the Board the impact the security team is making in enabling the business.

Successful security program execution can result in targeted uplift across key strategic cyber capabilities. Below is an example based on the NIST Cybersecurity Framework, but any other control framework will do. The key is to demonstrate what your focus areas were and what improvements you delivered.

Illustrative example: cyber maturity

Comparing the initial state 12 months ago with the current state is a powerful way to show progress. You can also use this as an opportunity to recap some of the key security projects delivered in the past year.

But why does this capability uplift matter? It matters because it helps the company reduce cyber risk across the business. Considerable cyber capability uplift reduces both the likelihood and the impact of potential security incidents.

The figure below is another visual way to compare the ‘before’ and ‘after’ states and to highlight your contribution to material cyber risk reduction through targeted control implementation.

Illustrative example: cyber risk

Quantify this where possible. For example, the takeaway could be that you decreased total risks by 20% through effective risk management processes over the past year. You may also need to explain that the proportion of low risks has grown: as higher-rated risks are mitigated, their residual risk drops and they move into the low category rather than disappearing.

A reminder that the aim is not to eliminate all risks – this is not practical – but rather to be proportionate and targeted in your risk mitigation activities, focusing on the highest risks in a cost-effective way.

While celebrating successes, remember that the job of security is never done. What other programs do you plan to run next? What capabilities will you uplift? What risks will you mitigate? Continue to build on the foundations you have developed to further mature cyber capability in proportion to the threat level, compliance obligations and customer expectations.

Illustrative example: current and target state

Outline the desired maturity level and the plan to get there, in line with your threat profile and risk appetite. Note that there may be no plan to go beyond the target level at this point in time, nor is there a need to uplift every single capability: some initiatives will not be cost effective from a risk management perspective.

Successful strategy execution will instil stakeholder confidence in your ability to continuously navigate the evolving regulatory and threat landscapes, improve security processes and enable business success.
