Addressing Cyber Security Strategically

These leaders also need to understand the complexities associated with cyber security, which include the fact that all risks cannot be remediated. This is due to the fact that new vulnerabilities are being discovered daily, factored with human error and the need to have a public presence. Cyber security is then having the ability to reduce the likelihood of something happening, by implementing controls and mitigating known vulnerabilities.

A good Cyber Security strategy starts by appointing someone to lead the function of Cyber Security for an organization. The Cyber Security leader must be cognizant of how the risks and issues are communicated to the Board of Directors so as to not create unnecessary panic. This is accomplished by defining what Cyber Security is, through a vision statement that is easily understood. A vision statement might be that “the organization will identify, manage, and mitigate the risk of Cyber threats.” The next question is of course, how, which is derived through the statement itself. An organization must be able to identify cybersecurity threats and vulnerabilities, determine what to do about them, and take action to remediate the possibility of breach or reduce the impact of one. This logic will result in the establishment of a Cyber Security Monitoring capability to address the identification gap, creation of a Risk Management program to quantify the root cause of incidents realized and a Security Architecture capacity to implement processes and technologies to mitigate the root causes identified.

Addressing cybersecurity from this perspective ensures that Board members and senior organizational leadership understand that there is a need to identify, quantify, and remediate threats. With this understanding, there is buy-in and support to establishing programs to support these efforts. With the programs established, board members and senior executives will understand the need to support the resources and needs of them, in order to realize their benefits. These programs, however, need to include measurements, so that senior leaders can quantify success and failure. This is where cyber security leaders have to be willing to institute processes, which may put them in a compromising state. For example, if you report on the number of threats that have compromised the network, senior leadership will expect that their risks have been fully remediated. However, in cyber security, once the threat has been identified, the incident has likely already occurred. As a result cyber security leaders need to convey an understanding of what really needs to be done to address the root cause of an incident, namely through investment in technology, processes, and education that support the strategy.

Furthermore, demonstrating that there is a problem through measurements will result in investments into the portfolio of programs. These investments need to be measured and should always demonstrate support for the goals and objectives defined in the strategic plan. This ensures accountability for the cyber security organization as well as demonstrating the current state of risk posture that an organization maintains. The goal, in the end, is to reduce the likelihood that something will occur through the execution of strategic initiatives. Therefore, cyber security is really a risk management issue, whereby problems and issues are addressed by reducing the risk of their occurrence. With Senior Management recognizing that cyber security is a managed risk vs. one that cannot be completely eliminated, and the cyber security leader understanding that they must be accountable for what is to be accomplished, then the return on investments in the portfolio will be realized through a reduced risk profile.

Founded in 1871 in Phoenix, Arizona, Maricopa County offers employment, justice, health and wellness, and public safety services.