
THE IMPORTANCE OF A CYBER DEFENCE STRATEGY

What is a cyber defence strategy?

Let’s take it back to basics and look at what strategy is. A strategy is a plan and route to achieve a set of goals in the long or short term. I like to use an analogy of grocery shopping: let’s say the mission is to create the best cheese and pickle sandwich you can possibly make while meeting the specific sandwich requirements: on budget, a healthy-ish option, and anything you don’t spend you can put to other things. You’ve got £4… Easy, right? We can look at this as 3 different options:

Option 1: No strategy but a loose understanding of the task
Option 2: Ill-defined strategy
Option 3: Clear strategy

Option 1: You could go to a grocery shop and walk around the aisles looking for deals on the products you think you need for this sandwich. In doing so, you may get side-tracked by other deals. Maybe you go while you are hungry and buy way more things than you need. You get to the bread aisle, get 2 different types of bread, then move on to the cheese aisle and throw 3 different kinds of cheese into your basket. You come in over budget, you’ve duplicated products, you’ve bought some that are not going to serve any value and may even go to waste, you forgot to get pickle, and at the end of it you’ve got to decide or debate how the sandwich should be made out of all of the extra ingredients you have.

Option 2: You arrive at the supermarket fully intending to buy the ingredients you know go into the sandwich, only you consider the internal resource impact of making your own sandwich and so decide to go for an outsourced pre-packed option. You reach the sandwich aisle and note the sandwich on your target list is £2.90; for an extra £1.00 you can get a bag of crisps and a bottle of water or a can of fizzy pop. So yes, it might go against your other requirements (healthy option), but at least it’s less effort for you, right? You’ve come in slightly under budget and can even buy a Freddo for £0.10. You have no customisability, it’s going to last 1 meal, it’s unhealthy because they’ve slapped margarine on the sugar-filled bread, and you’ve ended up with a bottle of water you could have gotten free from a tap. “I liken shopping hungry to buying security products when scared.”

Option 3: You make it easier for yourself by having a clear plan. You plot the time you visit the shop: you want to make sure you go at a quiet time so as to not get stuck in a queue eyeing up those chocolate bars. You create a list and stick to it. You eat before going; if you go when you’re hungry, you’re only going to add in a ton more items that are not on your list. You know exactly what you are buying, and you’ve decided you can achieve the best sandwich possible with an uncut loaf, some home brand salted butter, a splurge on the extra strong cheddar, and making do with a home brand pickle. It might have come in exactly on budget, leaving no room for extras. But the purchase just enabled you to a) make sandwiches for more days, or for more people, and b) customise, where previously you may have had to work with someone else’s template. You come out with everything you need and still have remaining resources.

I can tell what you are thinking: “wtf has sandwiches got to do with cyber security?” – well, nothing quite frankly, but they have everything to do with strategy. If you want to do a good job of cyber security, then you need to think strategically. Having a loose, ambiguous task of ‘improving cyber security’ is going to leave you open to distractions, and “vendors are all too eager to offer a solution to a problem you didn’t even know you had”. You’ll end up with multiple tools and services with duplicate functionality or unnecessary “benefits”. “A benefit is only beneficial if it benefits you, not simply something that should sway you based on a limited-time offer”. I’d argue shopping around for cyber security tools and providers when you’ve been scared into it (i.e., post cyber attack or data breach) is like shopping for groceries on an empty stomach: you’ll make decisions based on impulse and emotion rather than a clinical analysis of your actual needs.

Let’s look back at Option 1: you are getting a lot of what you want, but very little of what you actually need. You can easily get lost in shopping around, and looking at those offer adverts is basically taking advice on what to buy from a vendor. A clear strategy, or even a preliminary understanding of what your success criteria are, will drastically decrease the possibility of overspending and over-acquiring.

Let’s revisit Option 2: maybe outsourcing is the best option for you, but it has got to be based on more than a desire to keep your hands clean. Is the provider going to meet your success criteria? If they are offering deals, do these deals hold any relevance to you? If you go with a pre-packed service offering, are you going to have to make do with their preferences (margarine), or will you have any autonomy to customise to get the service you need?

Finally, let’s consider Option 3: you’ve identified what your success criteria are, you understand the final vision, and you’re aiming for a longer-term solution that comes in on budget. You’ve identified the areas of your plan that warrant a splurge and those where you are happy to restrict the budget. As Benjamin Franklin puts it, “Failing to plan is planning to fail”.

To summarise my overall point: having no cyber security strategy leaves you more open to making mistakes, being taken advantage of, and overspending. It’s important to note that any cyber security strategy should be entirely business aligned, for the business today and in the future. A strategy that cannot be effectively adopted by the business it is there to protect is a useless one.
