
How to build a strategic cyber security plan

What is a cybersecurity plan?

A cybersecurity plan is an organisation’s written guide for following and improving its overall risk management and defences against the ongoing threat of cybercrime, which some would call the most significant threat it faces.

“Cybercrime is the greatest threat to every company in the world.”

Ginni Rometty, CEO and President of IBM, stressed the criticality of cybercrime to all businesses at the IBM Security Summit in New York City in 2015. (Forbes)

What strategies should a cybersecurity plan include?

  • Defence and integrity of information
  • Effective distribution of information
  • Identification and management of new and evolving threats
  • Encouragement of cybersecurity best-practice adoption across the organisation

Creating a live security document

A cybersecurity strategy is a live document, developed and owned by the most senior information security professional in the organisation, such as the Chief Information Security Officer (CISO).

Cybersecurity is of board-level importance

The plan should be presented to, recognised and embraced by the firm’s Board of Directors. Furthermore, it is vital that the entire company sees the firm’s directors adhering to and actively carrying out the plan's objectives, to legitimise the security program and accelerate its wider adoption across the business.

Cybersecurity goals reviewed regularly

Review the cybersecurity goals and contents described in the document annually or bi-annually to ensure that they remain relevant to the firm’s internal and external situation.

A three-year-plus cybersecurity plan

The plan should review the current state of security practices within the firm and provide clear and concise goals to improve its security posture over a three- to five-year timeframe. The objectives should cover goals for the short term (12 months), mid term (18 months) and long term (36 months plus).

Creating your Cybersecurity Strategy

Before you start writing, evaluate your current state of security:

  • At the beginning of the process, it is vital to understand the security state of the business
  • Start by reviewing your IT assets, which should include hardware, software, network configurations, policies, security controls and the outcomes of previous audits
  • It is also important to review current business plans and programs
  • Speak to the key business stakeholders to gain an understanding of the critical data types
  • After evaluating the information, the project owner should meet with department heads to assess the value of the collected information
  • The goal is to create a list of the organisation’s critical resources, ranked by the value they contribute to the company, together with the resources, effort and time that would be required should they become unavailable during or after a cyber attack on the organisation. An exercise of this kind provides an accurate understanding of the firm’s minimum business operating requirements and the real impact of a cyber incident
  • Next, a risk assessment is carried out to reveal the firm’s current exposure level. The CISO should adopt their chosen risk management framework (such as ISO, NIST, CESG, ISACA or others). The assessment reviews the security information obtained and identifies security weaknesses surrounding business activities
  • The findings of the risk assessment form the basis of the strategic cybersecurity plan by establishing the organisation’s current cybersecurity maturity level

Five Key Elements of Your Strategic Cybersecurity Plan

Now it is time to start writing your plan. Here is a proposed layout and details of the critical information to include:

1. Mission statement: A statement of the document/program's main aim. 

Example: Develop and implement a proactive cybersecurity program for the entire organisation to adopt that focuses on the Company’s strategic business goals.

2. Vision statement: A motivational explanation of what the company aims to accomplish in the future. 

Example: Drive a security-first mindset into all elements of our business operations.

3. Introduction: An overview of the company and its current state of security.

Top tip: Use this section of the document to highlight and champion the proposed security program.

4. Governance: An explanation of how the program will be managed and maintained as well as the auditing process. In the Governance section of the document, readers can also find a guide to the implementation of the program and its adoption into the business. 

Top tip: Use a combination of short-term (12 months), mid-term (18 months) and long-term (36 months plus) implementation goals so that the business is not overwhelmed by the changes, which could lead to a lack of adoption and hinder the success of the program.

5. Strategic objectives: The core of the strategic plan: a list of live projects and details of the most recent risk assessments, with the steps to remediate their findings expressed as strategic objectives.

Example: ‘A cybersecurity strategic objective for minimising data loss’

  • Objective: Prevent data loss
  • Proposal: Implement security policy, standards and guidelines through frameworks
  • Supporting objectives: Implement DLP tools and processes
  • Description: Create and adopt ISO/IEC 27001 policies, rules, and guidelines
  • Key benefits:
    • Security baselines for each business division
    • Measurable results
    • Company-wide adoption of security controls
  • Projects: Listed by technology or service

Top tip: Keep the board of directors updated with the project list and ongoing best practice security adoption across the business.

Types of Cybersecurity

Here is an account of the most important types of cybersecurity:

Application security - Application security involves the protection of an application through vulnerability management.

Critical infrastructure - Critical infrastructure represents the assets that are vital for the effective running of society and the economy.

Cloud security - Cloud security describes the policies, technologies, and controls used to safeguard data, applications, and the connected infrastructure of cloud computing.

Internet of Things (IoT) security - Internet of Things (IoT) security is concerned with protecting data transmitted over a network by wirelessly connected devices.

Network security - Network security covers the controls, set by the network administrator, that govern who is authorised to access data on a network.

Security awareness training - Security awareness training helps organisations to manage their human cybersecurity risk by empowering employees with security knowledge.

Cybersecurity Roles

Implementing a strong cybersecurity strategy can only be achieved with a robust security team in place. With the threat of cybercrime increasing, the demand for cybersecurity personnel is at an all-time high; it has never been more critical to recruit wisely.

  • Security leaders such as CISOs now have a seat on the board of directors in most larger organisations
  • Cybersecurity roles have developed into more specific positions. Gone are the days of generalist security analysts
  • In today’s security team penetration testers focus on either application security, network security, or phishing to test security awareness
  • Incident response is a role that could span around the clock – 24 hours a day, seven days a week

Here are the core roles of today’s security teams:

Security Analyst

Cybersecurity analysts assess, plan, and introduce security measures to help protect an organisation from breaches and attacks on its computer networks and systems.

Security Architect

A security architect is a senior position requiring a strong understanding of both the technical and the business side, responsible for managing the computer and network security infrastructure.

Security Engineer

Security engineers deliver a front-line role for protecting a company's assets from security threats.

CISO

A Chief Information Security Officer (CISO) or Chief Security Officer (CSO) is a C-level executive who runs the operations of a company’s IT security division and is responsible for ensuring that the IT security program protects the business's information assets and technology.
