Developing a cybersecurity strategy

The following is part of a series of instalments providing concise summaries of selected chapters from the New York Stock Exchange’s definitive cybersecurity guide, Navigating the Digital Age.

This blog summarizes Chapter 25: Developing a cybersecurity strategy: Thrive in an evolving threat environment by Bill Stewart, Executive Vice President; Sedar LaBarre, Vice President; Matt Doan, Senior Associate; and Denis Cosgrove, Senior Associate of Booz Allen Hamilton. Please refer to the original article for any direct quotations.

Technology is not optional; it’s a core business enabler that must be protected. The C-suite and board are learning from high-profile cybersecurity attacks that cybersecurity is no longer just an IT concern but a business risk of the highest order. Everything is connected now and, as technology evolves, it is time to rethink; the Internet of Things requires cybersecurity strategies that take a broader view of risk. An organization-wide approach to cybersecurity is needed.

The value of getting cybersecurity right

An effective strategy must place cybersecurity in the context of the business, and should be guided by two related considerations:

  • How does cybersecurity enable the business?
  • How does cyber risk affect the business?

From this perspective, cybersecurity focuses on competitive advantage and positions itself as a business enabler. If done right, cybersecurity helps drive a consistent, high-quality customer experience.

It takes an enterprise

Enterprise IT – the company’s back-end technology infrastructure – still matters, but a cybersecurity strategy should go further and also cover:

  • Supply chain
  • Product/service development
  • Customer experience
  • External influencers

A cybersecurity strategy on this scale requires a multidisciplinary team from across the organization to develop a security strategy that reflects the business challenge.

Elements of cyber strategy at scale

  1. Set a vision: Describe how cybersecurity protects and enables value in your company.
  2. Sharpen your priorities: Your resources are finite, so focus on critical business assets.
  3. Build the right team: Ensure your security program has an appropriate mix of skill sets, including organizational change management, crisis management, third-party risk management, and strategic communications.
  4. Enhance your controls: To reflect the widening scope of your cybersecurity strategy, you’ll need to adopt new methods for treating risk.
  5. Monitor the threat: Cybersecurity requires an adaptive mindset. Maintain awareness of the threat landscape.
  6. Plan for contingencies: No one can be 100% secure, so a strong incident response capability is essential in case something undesirable happens. Incident response is not just a technology issue.
  7. Transform the culture: People are the core of the business, so cybersecurity is everyone’s responsibility. Encourage their buy-in by making cybersecurity relevant to each business area.

Bringing the strategy to life

An effective cybersecurity strategy will make visible changes to how the organization operates. Build momentum by delivering quick wins while investing in long-term capability development. Use your risk framework to assess how well your organization is performing. Rely on existing standards and frameworks to assess the organization’s cybersecurity. Set a maturity target. Establish a solid foothold of cyber hygiene, putting people at the center of all your cybersecurity decisions.

What getting it right looks like

A strong cybersecurity strategy looks different depending on the industry and individual business, but all successful strategies share some key features:

  • It’s driven from the top. A strong cyber strategy is part of the organization’s core message, set by senior executives.
  • It’s at the beginning of every new story. It’s always easier to implement cybersecurity earlier rather than later in the lifecycle.
  • Cyber is communicated in simple business language. Cybersecurity is a business enabler; everyone should understand how and why this is the case. Don’t ‘speak geek’.
  • You’ve established a predictive edge. Using multiple threat intelligence sources, you will be able to anticipate the adversary’s next move.
  • The puzzle pieces come together. When each component in your information security management system – people, processes, and technology – comes together and works in harmony, you’ll see the payoff from your cybersecurity investment.
  • You play a role in the community. Threat intelligence and best practice are shared in both directions. More importantly, you integrate into the fabric of a very important and very valuable community.
  • ‘Change agents’ are swarming. Advocates help spread the cybersecurity vision across the enterprise.
  • Security is now embedded across your ecosystem. You’ve embedded security in areas beyond enterprise IT.
  • Your enterprise embraces it. Cybersecurity is integrated as part of your cultural DNA and is factored into all business decisions. Your organization lives with the principles of good cybersecurity without even thinking about it.

Best-practice cyber risk management

The international standard ISO 27001 sets out a best-practice approach to cyber risk management that can be adopted by all organizations. Encompassing people, processes, and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.

Certification to the Standard demonstrates to investors, stakeholders, customers, and staff that information security best practice is being followed.
