Strategic Cybersecurity Thinking

Strategic Cybersecurity Thinking

The ability to come up with effective plans in line with an organization's objectives within a particular cybersecurity situation. Strategic thinking helps cybersecurity managers review policy issues, perform long term planning, set goals and determine priorities, and identify potential risks and opportunities.

Clearly, there needs to be a clear strategy as to what needs to be done with respect to security. Such a strategy should determine the policies and procedures. However in practice rarely a strategy for security is created. Most emphasis is placed on policies, implementation of which is generally relegated to the lowest levels. Rather it is assumed that most people will follow the policy that is created. 

A strategic cybersecurity programme does not begin with tools and tactics, but with an articulation of one or more programme goals. Sun Tzu once said in The Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Essentially this means that before you start with strategic planning you have to know what you are and what you are not because the way you operate can either make or break a successful execution. First, the strategy-minded CISO gets executive buy-in to those goals. To that end, the CISO must incorporate all levels of strategic thought, starting with the board and CEO – everyone must feel ownership and participation. 

The smart CISO recognises that security is a journey, not a destination, and that relationship building requires an ability to translate between technical and non-technical vocabularies. The CISO ensures that the programme goals accurately govern the objectives of the enterprise’s digital security programme. In our scenario, the CISO, board, and CEO all agree that, with respect to intellectual property, trade secrets, and sensitive data, the new policy goal is to minimise loss due to intrusion. 

This statement implies that everyone understands that stopping all adversaries and all attacks is simply not possible, especially when dealing with nation-state actors and some advanced criminal groups. The primary objective of this exercise is to achieve consensus on a simply stated, non-technical programme goal. No in-depth technical discussion is needed to achieve consensus, although the CISO must ensure that all goals, policies, and strategies are technically feasible. With a mandate in hand, the CISO can confidently work with his or her security team to plan the necessary operations and campaigns and, if necessary, acquire new tools and tactics to facilitate them. Together, they decide to implement a network security monitoring (NSM) operation, defined as the collection and escalation of indications and warnings to detect and respond to intruders. 

The security team begins the long-term, strategic process of hunting for hostile cyberattack campaigns, encompassing both known and unknown intrusion patterns. The CISO, board, and CEO all agree that a second programme goal is a rapid detection, response, and containment of cyber threats. This goal helps to ensure that when intruders breach the perimeter defences, the game is far from over. 

Defenders can still win, so long as they contain the threat before the attacker can accomplish his or her ultimate mission. Therefore, the security team will develop strategies to identify compromises quickly, determine their nature, give them some level of attribution, and above all develop a plan to stop the attacker from accomplishing his or her mission. At the tactical level of individual engagements with the adversary – the equivalent of battles in war – the security team will have myriad decisions to make, including whether to dislodge the intruder immediately or whether to watch the intruder for a time in order to collect valuable intelligence.

Some tactics govern how specific tools or techniques can be used, such as when Star Trek personnel switch their hand phasers between ‘stun’ and ‘kill’. As always, the adversary gets a say in what happens, but from the enterprise’s point of view, programme goals, policies, and guidelines should be written to govern this entire process.