



How to create effective cyber strategy

Sep 21, 2015 | 5 mins
Business Continuity, Cybercrime, Data Breach

In 60% of reported cases attackers compromise an organization within minutes.


The task of crafting or revising cyber strategy is one that keeps many consultants and chief security officers up at night. The process might be intense, but the underlying fundamentals are straightforward.

1. Know yourself, know your business, know the battlefield

When I joined my unit in July of 2002, the President had declared major combat operations (in Iraq) over. Soon it became apparent that this meant we were no longer fighting a uniformed enemy. The Iraqi Army may have surrendered, but now we were fighting an insurgency. The tactics, techniques, and procedures we used to fight a uniformed force were no longer applicable. To succeed, we had to assess our unit’s capabilities (know yourself) in light of our mission (know your business) and understand the face of the new enemy (know the battlefield).

Cookie-cutter strategies do not work. Each business is a different entity with a unique culture, mission, and even adversaries. Security procedures used at Rackspace might not work at Bank of America, or vice versa. A security strategy is a unique reflection of the risks, regulatory compliance requirements, business processes, and organizational culture within your firm.

2. Secure your human resources

The people we trust the most (our employees) often present the greatest danger. They already have the authorization and access an attacker needs to gain a first foothold. In 2015, the SANS Institute reported that over 50 percent of surveyed professionals believed negligent insiders posed the greatest threat. And in 70 percent of cases, the initial compromise is only a staging point: the first compromise allows the attacker to get closer to the actual target, a secondary victim.

The Target breach provides an excellent example of this strategy. The attackers first compromised Target’s HVAC vendor through a form of social engineering known as phishing. The Citadel malware delivered by that campaign allowed the criminals to steal the vendor’s credentials for Target’s web-based vendor services. Now the attackers were on the inside and virtually undetectable. Why were they undetectable? They were using the credentials of an authorized user, all because a business partner fell prey to social engineering.

The 2015 Verizon Data Breach Investigations Report estimates that 23% of recipients open a phishing email and 11% open the attachment, and that about 50 percent of those who do so act within one hour of receiving the email. Considering that most cybercrime syndicates are run like legitimate businesses, this is very revealing. They coordinate their actions based on ROI (return on investment) and choose their victims based on risk and potential payoff. Social engineering schemes (especially phishing) are low cost and require only a very low success rate to gain access to your network infrastructure.

Lance Spitzner (Training Director, SANS Securing the Human) says, “one of the most effective ways you can minimize the phishing threat is through awareness and training.” Spitzner estimates that you can reduce the success rate (the number of people who fall victim to such emails) to less than 5%. In the process, you create a stable of human sensors to supplement your technology. Ellen Powers, of the MITRE Corporation, estimates that their human sensors detect approximately 10% of advanced phishing attacks.

3. Assume you’re already compromised

Passive technologies and processes provide limited situational awareness. Certification and accreditation focus on making sure new technologies (or upgrades to existing technologies) are properly configured and tested. Likewise, continuous diagnostics and mitigation (CDM) focuses on “fixing known cyber flaws”; technicians then prioritize mitigation based on their organization’s unique risk profile.

Neither of those processes actively hunts for attackers already embedded within your infrastructure, and neither will find someone who uses authorized credentials to access your network. Consider also that fewer than 25% of organizations detect a compromise within days or less, while 60% of the time an attacker compromises a victim within minutes. The gap between those two numbers is the attacker’s dwell time, and closing it requires looking for misuse of valid accounts (unfamiliar source networks, odd hours, access patterns that do not match the account’s normal job) rather than waiting for a known-bad signature to fire.

Unless you have definitive proof that you are not compromised, operate under the assumption of compromise.
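The Target case above is the pattern to hunt for: a legitimate vendor account, valid password, no exploit, and nothing for a signature-based control to match. What does stand out is behaviour that the account never showed before. The script below is an added example, not code from the article or from any vendor product; it builds a per-account baseline (source /24 networks and hours of day) from a constructed "known-good" log window and then flags successful logins in a later review window that come from a never-before-seen network or at an off-hours time. The log format, the account names (`hvac-vendor`, `billing-vendor`), the IP addresses (all from documentation ranges) and the business-hours window are constructed assumptions; adapt `parse` to your portal's real log format.

```python
"""
Hunt for misuse of valid credentials in vendor-portal authentication logs.

Added example for illustration only. The log format, account names,
IP addresses and time windows are all constructed; nothing here is
taken from the Target incident or from any real system.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample logs. Format: "<ISO timestamp> <account> <source ip> <result>"
# Baseline window: what the vendor accounts normally look like.
BASELINE_LOG = """\
2013-10-01T09:12:04 hvac-vendor 203.0.113.10 success
2013-10-02T10:40:31 hvac-vendor 203.0.113.11 success
2013-10-03T14:05:12 hvac-vendor 203.0.113.10 success
2013-10-04T11:20:45 hvac-vendor 203.0.113.12 success
2013-10-01T08:55:00 billing-vendor 198.51.100.7 success
2013-10-03T16:30:00 billing-vendor 198.51.100.7 success
"""

# Review window: the same valid credentials, now also used from a new
# network in the middle of the night (the constructed "stolen credential" case).
REVIEW_LOG = """\
2013-11-15T10:02:11 hvac-vendor 203.0.113.10 success
2013-11-15T23:47:03 hvac-vendor 192.0.2.77 success
2013-11-16T02:15:40 hvac-vendor 192.0.2.77 success
2013-11-16T03:01:05 hvac-vendor 192.0.2.78 failure
2013-11-16T11:10:00 billing-vendor 198.51.100.7 success
"""

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time; an assumption for this example


def parse(log_text):
    """Yield (timestamp, account, ip, result) from the constructed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        yield datetime.fromisoformat(ts), account, ipaddress.ip_address(ip), result


def build_baseline(log_text):
    """Per account: the /24 networks and hours of day seen in successful logins."""
    nets = defaultdict(set)
    hours = defaultdict(set)
    for ts, account, ip, result in parse(log_text):
        if result != "success":
            continue
        nets[account].add(ipaddress.ip_network(f"{ip}/24", strict=False))
        hours[account].add(ts.hour)
    return nets, hours


def hunt(baseline_log, review_log):
    """Return (timestamp, account, ip, reasons) for successful logins that
    deviate from the account's baseline. Failed logins are ignored: an
    attacker holding a valid password does not need to guess."""
    nets, hours = build_baseline(baseline_log)
    findings = []
    for ts, account, ip, result in parse(review_log):
        if result != "success":
            continue
        reasons = []
        if not any(ip in net for net in nets[account]):
            reasons.append("new source network")
        if ts.hour not in BUSINESS_HOURS and ts.hour not in hours[account]:
            reasons.append("off-hours login")
        if reasons:
            findings.append((ts.isoformat(), account, str(ip), reasons))
    return findings


if __name__ == "__main__":
    for ts, account, ip, reasons in hunt(BASELINE_LOG, REVIEW_LOG):
        print(f"{ts} {account} from {ip}: {', '.join(reasons)}")
```

Run against the constructed data, the two night-time logins from 192.0.2.77 are the only findings; the daytime login from the vendor's usual network and the billing account's normal activity produce nothing. The point is not the thresholds (a real baseline needs weeks of data, and a /24 is a crude proxy for "same office") but that a valid-credential intrusion is visible only relative to what the account normally does, which is exactly what certification-and-accreditation checks and CDM scans never look at.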

4. A sound cyber strategy is intertwined with business strategy

In a recent blog post, I outlined the importance of understanding your business and communicating effectively. As cyber leaders and technicians, we have to learn to communicate in terms of the bottom line, which means understanding how a particular strategy supports the core business processes of the organization. In the military, we used to speak of combat multipliers: actions that support the unit’s core mission, such as troop health readiness, vehicle maintenance, wills, and powers of attorney.

You must be able to demonstrate how your proposed strategy directly supports the organization’s overall strategy. Until then your priorities and the priorities of the C-suite will never be the same.

There is no easy way to create a sound cyber strategy. It requires a detailed analysis of your entire firm, and it requires a team effort: stakeholders from every facet of the business should be working alongside your information security personnel. The result should be a reflection of the unique culture, risk profile, and core business strategy within your firm. Cookie-cutter solutions don’t work!


TJ Trent is an expert in organizational compliance and governance for organizations in the cyber universe. His focus is on people, processes, and systems, which provides the foundation for understanding the true place of technology in the cyber world.

TJ works fiercely and passionately to prevent, detect, and eradicate cyber threats. During his 13-year career he has witnessed the information technology field burgeon into a powerhouse industry intertwined with the fabric of our lives. As the lines have blurred between technology and our lives, cyber security and cyber awareness are at the forefront of media attention. The last two years we have been inundated with breach after breach, from healthcare and banking violations to our most sensitive and private photographs. It seems like nothing is safe anymore.

A high achiever dedicated to learning and continual improvement, TJ has risen to the elite levels of success in his career. With over nine years of leadership experience, TJ has helped many organizations and individuals reach milestones within their careers. As a result, he is also uniquely suited to help you turbocharge your career within the information technology field.

TJ's credentials include a Bachelor of Science in Information Systems Security, Certified Information Systems Security Professional, GIAC Security Essentials (SANS 401), GIAC Certified Enterprise Defender (SANS 501), GIAC Certified Incident Handler (SANS 504), GIAC Certified Intrusion Analyst (SANS 503), GIAC Certified Forensic Examiner (SANS 408), GIAC Certified Critical Controls (SANS 566), and GIAC Certified Network Systems Auditor (AUD 507). TJ will complete his Master of Business Administration in Technology Management in February 2016.

The opinions expressed in this blog are those of TJ Trent and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.