Writing a strategic plan is hard work. Writing a good one is very humbling. It's just words on a page, you might tell yourself, but this is the direction-setting document your organization will use to inform its work over the coming months to possibly years.
Cybersecurity has become a hot topic for organizations of all sizes and industries as the risks evolve. Not to mention, the White House just released the U.S. National Cybersecurity Strategy. Developing an effective strategic plan for cybersecurity is essential to protect our organizations, manage risks effectively, and enable the organizations we work with to achieve their mission safely. In this article, I will explore the process of building a strategic plan, which will be especially helpful for new cybersecurity leaders who have never done this.
I'm also going to try something new. I will argue against some of my ideas and offer some counter-points or alternative ways of thinking. A prime example is whether having a standalone cybersecurity strategy is a good idea for an organization.
Assessing the Current State
How do you know where to go if you do not yet know where you are?
Before you begin developing your strategic plan, it is vital to understand where you are today. If you've been working in cybersecurity for some time now, you'll have learned many ways to do this. For example, you could engage in a controls assessment, a penetration test, an assessment against a higher-level framework like NIST CSF, etc. But, again, the idea is to understand where you are right now.
Start by gathering data and information about your organization's operations, budget, key risks, significant projects, market drivers (or mission), cultural sentiment, and other relevant factors. You can get detailed here, but don't go overboard. This information can be obtained through interviews with key stakeholders, reviewing documentation, analyzing relevant competitors or similarly sized organizations, or conducting internal assessments.
Once you have gathered the necessary information, combine it into something consumable. I'm a big fan of the SWOT analysis tool and Wardley Maps. You may have to work to keep yourself from over-focusing on technology in this process. Instead, identify areas where your organization excels and areas to improve, such as crucial partnerships, culture, technology, dependencies, etc. This analysis can help you identify areas of focus and prioritize resources and efforts to address the most critical issues.
Regarding cybersecurity strategy, a risk assessment is also a critical component of the assessment process. A risk assessment helps identify potential vulnerabilities and threats and provides a framework for prioritizing resources and efforts to address these risks. Conduct your risk assessment in parallel with the SWOT analysis (or another framework if you prefer) to ensure you're actively considering risk in the work ahead of you.
Vision and Mission
You're working on the cybersecurity strategy for a reason. Somebody trusts you to be doing this work (imposter syndrome, anyone?). At this stage, you get to lay out your vision, that long-term goal of where you want your cybersecurity program to be. Ideally, people walk away after reading this and feel excited about where things are going.
Your mission should be a statement that outlines the purpose of your cybersecurity program and how it will achieve its goals. Again, your SWOT analysis will be beneficial here, considering the strengths and opportunities already available to you, such as:
- A strong engineering culture that defaults to a cloud-first posture.
- Processes are documented consistently and effectively across the board.
- A sales and marketing team that proactively engages security with possible needs coming up in their pipeline.
To Stand Alone or Not?
One of the main benefits of having a standalone cybersecurity plan is clarity and accountability. These qualities positively correlate to how risk can be effectively managed and prioritized. In addition, a dedicated plan signals a proactive stance on cybersecurity, not one that is reacting to the threats and market dynamics as they occur. Finally, a standalone plan can also support resource allocation towards the security function as it is, in essence, a communications tool.
However, a standalone cybersecurity plan can also have potential drawbacks. It may lead to a siloed approach to security when we should be integrating intentionally with "the business." Can we effectively manage risks when they are classified as separate from broader business risks? A standalone cybersecurity plan also risks being written or developed in a silo; it is a cybersecurity strategy. This individualistic approach can harm culture and outcomes when the voice of others in the organization is not represented in the process. Finally, a standalone plan may need to be aligned with the broader business objectives and priorities, leading to the misalignment of resources and priorities.
Check out our quick reaction video to this article below.
Setting Goals and Objectives
With your vision and mission in place, you can begin setting specific goals and objectives for your cybersecurity program. These goals should align with your vision and mission and be SMART – specific, measurable, achievable, relevant, and time-bound. The objectives and key results (OKR) framework is also beneficial. Developing security OKRs and goal-casting is something we'll cover in another article. For now, though, having an associated metric, that measurable thing, attached to each goal you set is vital. This article from the Coda team on "metricizing" OKRs is beneficial in thinking about the metrics that might make sense. As Peter Drucker once said, "what gets measured gets managed."
Blending Strategies and Tactics
Once you have set your goals and objectives, you can develop strategies and tactics to achieve them. Although your strategic objectives are higher-level, you should begin to lay out what you need to do to meet these goals. The strategic plan is not the place for detailed project plans. However, zooming in and emphasizing the "how" you will do the "what" is critical in communication.
For example, suppose you have a goal to reduce the number of successful cyber attacks in your organization through social engineering vectors. Your tactics include creating security awareness training materials, scheduling engagement sessions, and tracking employee progress.
Implementation and Execution
With your strategic plan in place, it is time to implement and execute it. Execution involves putting your tactics into action, monitoring progress, and making adjustments as necessary. It is essential to have a system in place for tracking progress and measuring the effectiveness of your cybersecurity program. Tracking can take many forms, such as regular reporting to management, ongoing risk assessments, and incident response drills.
What Makes an Effective Plan?
Overall, an effective strategic plan is critical for organizations to manage risks, achieve their goals, and stay competitive in a rapidly changing business environment. By following these principles, organizations can develop a comprehensive and effective strategic plan that meets their needs and goals and adapts to changes.
- Clear and concise: An effective strategic plan should be clear and concise, clearly defining the organization's goals and objectives. Anyone who reads it can understand the why, what, and how.
- Align with organizational goals: An effective strategic plan should be aligned with the organization's broader goals and objectives, considering the organization's strengths and weaknesses and the external environment. How can you be a business enabler if you don't know where the business is going?
- Flexibility: An effective strategic plan should allow for adjustments, and changes as circumstances change or new opportunities arise. Strategy is not a point-in-time activity. Plan to have your plans change as things around you change.
- Bold, yet realistic and achievable: An effective strategic plan should push the envelope yet strike a balance, being realistic and achievable. It should take into account the organization's resources and capabilities.
- Measurable: An effective strategic plan should include specific and measurable goals and objectives, allowing progress to be tracked and evaluated.
- Communication: An effective strategic plan should be communicated clearly and regularly to all relevant stakeholders, ensuring organizational buy-in and alignment. Prepare to share this with many people in many different ways. Just because you wrote and published it does not mean it will be widely read and understood.
- Execution: An effective strategic plan should be executed effectively, with clear accountability and responsibilities assigned and adequate resources allocated to achieve the defined goals and objectives. Identifying the "who" will move the needle on the plan can be very effective.
- Continuous improvement and engagement: An effective strategic plan should be subject to constant review and improvement, allowing for adjustments as needed and ensuring that the organization remains responsive to changes in the internal and external environment.
Overcoming Implementation Challenges
Developing a strategic plan is one thing, but effectively implementing and executing the program is another challenge. Organizations may face various implementation challenges, such as resource constraints, lack of buy-in from stakeholders, and competing priorities. Navigating this challenge is one of the core focus areas of the Soft Side of Cyber mission.
To overcome these challenges, cybersecurity leaders should:
- Identify and allocate resources: Knowing what you're working with is critical, including a budget, key relationships, team members, and more. Identify and then shift to focusing on what matters.
- Ensure buy-in from stakeholders: Involve all relevant stakeholders in the planning and execution of the cybersecurity program, including senior leadership, IT staff, and employees.
- Prioritize cybersecurity risks: Engage other functional leaders and start discussing their key risks alongside cybersecurity risks, encouraging that holistic perspective.
- Find your most significant constraints: Identifying the bottlenecks within the organization, whether it's people or processes, is vital. Constantly solving and improving these constraints is like taking the value flywheel for a spin. It builds momentum that, over time, stacks up.
Developing an effective strategic plan for cybersecurity is essential for managing risks and protecting against cyber threats. The debate over whether a standalone cybersecurity plan or an integrated approach is the best approach will continue. Still, the key is to find the right balance between the two methods. Developing an effective strategic plan requires a deep understanding of the organization's cybersecurity risks and the broader business strategy. By following the components outlined in this article and overcoming implementation challenges, organizations can develop a comprehensive and effective cybersecurity strategic plan that meets their needs and goals.