In December, changes were made to Australian Directors Standards, requiring clear stepping stones that demonstrate an ongoing uplift in cyber security. Many organisations are now updating or creating their Cyber strategy.
Here are ten items to include within your Cyber strategy.
What is the Cyber strategy success criteria?
There are many industry perspectives on this; the simplicity and breadth of the New York Department of Financial Services (NYDFS) is a great way to baseline the questions an executive group should be able to answer after reading the strategy. See the six primary areas in this blog inspired by NYDFS.
Cyber vision and link to company values
The cyber vision should embody both reputational and financial security elements. Further, by linking an organisation's values with a cyber context, people can relate to the strategy's intent.
Cyber security goals and outcomes
There are generally four to six goals or objectives; use the language that works best at your organisation. There is likely to be several outcomes under each goal. In some goals, there can be a subheading for outcomes and detailed outcomes within the subheading. The details are best worked through in several workshops.
The threat actors and method of attack
The bad guys are now attacking smaller big businesses, as they are potentially less secure. Attackers can range from nation-states and organised crime syndicates to disgruntled employees. Attack methods are constantly evolving; these need to be monitored and assessed based on probability.
If unavailable, what systems, data, or infrastructure will cause your business to stop? A company can run without many things for some time; identifying and agreeing on what is business-critical will involve representatives across the organisation. Read more about assessing critical systems here.
What are an attacker's possible entry points? Weak employee diligence? The network? Third-party applications? The options are varied and must be understood and assessed.
Governance is simply the structures and activities an organisation has in place. Do you have a Cyber Steering Committee? If you don't, you probably need to consider one; it will be expected of Directors to meet the new standard. What data is available, what data should be available, and how is this reported? How competent and compliant are your staff and workforce at completing and adhering to training? Governance has a broad range of activities from leadership, roles, culture, policies and processes and a response plan for when your organisation is hacked. Note 'when' rather than 'if'.
There are ten types of protective technologies; they should overlap as gaps create vulnerabilities making an organisation susceptible to an attack. A current and target cyber technology architecture should be developed, tracking uplifts as they occur. Read about the ten types of technology here.
Given the broader geopolitical environment, the threat vector will likely increase, and legislation will follow. Listing all legislation in an appendix is a valuable reference; detailing the primary legislation in the body of the strategy emphasises the importance and is a superb way to sensor check your Cyber strategy.
These should be listed, consider timeframes for implementation and risk implications. The Security Awareness Maturity Model is a great reference to help crystalise what may be required.
As per my video accompanying this blog, I have been working exclusively with a client to document and implement their Cyber strategy over the last three months based on some international best and practical standards. If you are interested in learning more about this activity, please make contact.