One of the most critical tasks within the IT department is to establish a cybersecurity strategy, with policies that mitigate the risk of cyber attacks, in order to protect the information assets of the whole organization. To begin defining a security strategy, cybersecurity needs to be one of the main priorities within the IT department, and there must be a commitment from senior leadership to invest resources in implementing the security plan. The cybersecurity plan needs to be aligned with the objectives of the organization, and it is one piece of the overall IT security and risk management strategy.
The plan needs to record the current state and describe the near-term objectives as well as the long-term goals. It also needs to describe how governance will be managed and how changes will be implemented along a timeline. So the first step in accurately defining the IT security strategy is to assess all the resources available to the organization, such as network infrastructure, hardware, and software. Stakeholders need to be involved so that each asset is understood and prioritized based on its business value. It is fundamental to determine the minimum levels of protection required to protect the assets from malicious attacks, and the impact, effort, and resources needed if an asset becomes unavailable because of a cyber attack.
A risk management framework such as NIST or ISO can be used to establish the current exposure to threats and to identify areas of vulnerability in the organization's data. Implementing the plan allows the organization to move from the current state to a more mature security state in which gaps are addressed and new policies, standards, and services are deployed.
Also, from a personal perspective, I take the same approach when it comes to home security. Verify which are the main assets based on their value to define the current state, then understand which risks are associated with them and plan the mitigation of those risks. One example: we have the risk of hurricanes during the summer and fall seasons, so a few years ago we installed anti-hurricane windows in our apartment to mitigate the risk of damage caused by winds.