Baby steps: building a cybersecurity strategy

Aug 07, 2018 | 5 mins
Data and Information Security | IT Leadership | IT Strategy

Building a cyber strategy can be overwhelming unless you start with large goals broken down into smaller milestones.


I have accomplished many challenging goals within my career: rising to the second highest rank within my organization, redefining the manner in which our organization employs cyber professionals, and serving four combat tours of duty in the Middle East.

The hardest challenge occurred 16 years ago when I decided to join the United States Army. It required me to change my entire lifestyle. I had to lose about 60 pounds, change the way I exercised (I never exercised), and get off the ‘see food’ diet (I ate whatever I saw). Getting started was and remains the most challenging part of my journey.

Fast forward 16 years, and the same lesson applies to organizational change regarding cybersecurity strategy. We quickly become overwhelmed by the breadth and depth of the task. We cannot allow the enormity of the mission to overcome us.

Here are seven principles that will allow you to build a sound cybersecurity strategy, gradually.

1. Decisiveness

Decide to protect your organization’s bottom line by building its cybersecurity strategy. Developing a sound plan requires technical competence, but a project champion is equally essential.

The project champion is a reliable, senior, technically competent leader able to rally subject matter experts throughout the organization. He or she is also able to communicate clearly and effectively with executives.

Technical staff should consist of subject matter experts from the business divisions and cybersecurity professionals. Cybersecurity professionals know how to secure, but your business-specific subject matter experts can help prioritize.

2. Aggressiveness

“No” is not an acceptable answer. Identify the problem and build solutions that support the organization’s bottom line. The organization’s data flow is one of several vital resources. Without data flow, most organizations cannot meet the bottom line.

We must be ruthless and test our responses before an incident occurs. Ruthlessness equates to allowing our cyber professionals to stop our data flow before cybercriminals do. Pen-testing, social engineering, and physical compromise should be included in the rules of engagement.

3. Alertness

Start building a baseline of your organization’s network traffic, hardware, and software. The first step in any endeavor is awareness. You do not know what you do not know. Building and analyzing a baseline is key to devising an effective strategy.

The baseline could follow the 5 W’s principle: Who, What, When, Where and Why.

Who is accessing our physical facilities, our internal resources, external resources, and online resources?

What methods are they using to communicate with us?

When are the resources above being accessed? During normal business hours? After normal business hours?

Where are they accessing our resources from? Employees accessing resources from home or remote locations might be benign. However, it is impossible to reach such a conclusion if you do not know they are doing it. Someone or something accessing an internal database from a foreign IP could also be an indicator of compromise.
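The who/what/when/where questions above map directly onto a baseline you can compute from access logs. The script below is an added example, not code from the article or its author: it parses a handful of constructed log lines (timestamp, user, resource, protocol, source IP), builds a per-user baseline from the first two days, and then flags third-day events that fall outside business hours, come from a source the user has never used, or originate outside the organization’s known address ranges. The log format, the business-hours window (08:00 to 17:59), the known networks and the cutoff date are all assumptions chosen for the example; in practice they come from your own environment.

```python
"""Who / what / when / where baseline over constructed access-log lines (added example)."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample log lines (not from the article). Fields:
# ISO timestamp, user, resource accessed, protocol, source IP address.
SAMPLE_LOG = """\
2018-08-01T09:12:03 alice db.internal sql 10.1.4.22
2018-08-01T10:40:11 alice db.internal sql 10.1.4.22
2018-08-01T14:05:47 bob fileshare smb 10.1.7.9
2018-08-02T09:30:00 alice db.internal sql 10.1.4.22
2018-08-02T11:15:22 bob fileshare smb 10.1.7.9
2018-08-02T16:55:09 carol vpn-portal https 203.0.113.45
2018-08-03T02:17:31 alice db.internal sql 198.51.100.77
2018-08-03T13:02:10 bob fileshare smb 10.1.7.9
"""

# Assumed address ranges the organization expects traffic from: the corporate
# LAN and a documented remote-access range. Anything else is "outside".
KNOWN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]
BUSINESS_HOURS = range(8, 18)  # assumed: 08:00 through 17:59


def parse_log(text):
    """Turn raw lines into event dicts keyed by the article's who/what/when/where."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, who, what, how, src = line.split()
        events.append({
            "when": datetime.fromisoformat(ts),
            "who": who,
            "what": what,
            "how": how,
            "where": ipaddress.ip_address(src),
        })
    return events


def build_baseline(events):
    """Per-user summary of which resources, protocols, source IPs and hours were seen."""
    baseline = defaultdict(lambda: {"what": set(), "how": set(), "where": set(), "hours": set()})
    for e in events:
        b = baseline[e["who"]]
        b["what"].add(e["what"])
        b["how"].add(e["how"])
        b["where"].add(e["where"])
        b["hours"].add(e["when"].hour)
    return baseline


def find_anomalies(events, baseline):
    """Compare new events against the baseline and return the ones that deviate."""
    findings = []
    for e in events:
        reasons = []
        seen = baseline.get(e["who"])  # .get() does not create a default entry
        if seen is None:
            reasons.append("unknown-user")
        else:
            if e["what"] not in seen["what"]:
                reasons.append("new-resource")
            if e["where"] not in seen["where"]:
                reasons.append("new-source-ip")
        if e["when"].hour not in BUSINESS_HOURS:
            reasons.append("after-hours")
        if not any(e["where"] in net for net in KNOWN_NETWORKS):
            reasons.append("outside-known-networks")
        if reasons:
            findings.append((e["when"].isoformat(), e["who"], e["what"], str(e["where"]), reasons))
    return findings


def run(text=SAMPLE_LOG, cutoff="2018-08-03"):
    """Baseline on events before the cutoff date, then assess the rest."""
    events = parse_log(text)
    cut = datetime.fromisoformat(cutoff)
    history = [e for e in events if e["when"] < cut]
    recent = [e for e in events if e["when"] >= cut]
    return find_anomalies(recent, build_baseline(history))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Run as-is, the script reports a single finding: alice reaching the internal database at 02:17 from an address outside the known ranges that she has never used before. Bob’s third-day access matches his baseline on every axis and is not reported. The point is not that the flagged event is malicious, but that without the first two days of history you could not have said whether it was unusual at all.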

4. Speed

Slow is smooth and smooth is fast. Set many small goals to achieve milestones. The most important thing is getting started, NOW! General Colin Powell (in his most recent book) said waiting until we have a 100 percent solution is counterproductive.

Psychologically, big goals broken down into smaller milestones increase the likelihood of success and lead to overall organizational change.

Think big but start small, baby steps.

5. Coolness

Do not let them see you sweat. People are naturally risk-averse. The question is whether they are truly risk-averse or only mildly so. No plan survives first contact with the enemy. Defining clear guidelines and procedures will help keep everyone cool, calm, and collected.

Risk aversion is natural because most people want to remain employed. We want the company to be the best in the field, and we do not want to compromise that ability. We should be equally averse to outside threats (or inside threats) compromising operations.

As it turns out, people are not risk-averse to your plan to protect the company but to the possible compromise of operations. Expectation management and understanding senior leader intent will help mitigate these concerns.

You must remain cool and understand that something will go wrong. However, if you have the proper procedures in place and clear rules of engagement, it will be a learning experience and operations will not be impacted.

6. Surprise

The key to sustaining an excellent cyber strategy is an assessment. Assessing requires us to understand how well we exercise our processes and procedures during a cyber incident. The only way to honestly assess the organization is to limit the number of people who know about the test.

The assessment should consist of vulnerability and configuration assessments, as well as penetration and exploitation testing. The latter will gauge how well the former is working. Social engineering (phishing and pretexting) must be part of the rules of engagement. Target lists should not exclude senior leaders.

7. Ruthlessness

As leaders, our commitment is to the organization. If we want to remain in business, we have to be able to protect organizational interests. We must pursue this without regard to hurt feelings.

The goal of any assessment is not to name and shame. However, if employee actions or business practices are compromising the company, it must stop.

Getting started is the most important goal of any strategy. Accomplishing small goals leads to achieving milestones. Milestones lead to overall organizational change. Think big but begin small, baby steps.


TJ Trent is an expert in organizational compliance and governance for organizations in the cyber universe. His focus is on people, processes, and systems, which provides the foundation for understanding the true place of technology in the cyber world.

TJ works fiercely and passionately to prevent, detect, and eradicate cyber threats. During his 13 year career he has witnessed the information technology field burgeon into a powerhouse industry intertwined with the fabric of our lives. As the lines have blurred between technology and our lives, cyber security and cyber awareness are at the forefront of media attention. The last two years we have been inundated with breach after breach, from healthcare and banking violations to our most sensitive and private photographs. It seems like nothing is safe anymore.

A super high achiever dedicated to learning and continually improving, TJ has been able to rise to the elite levels of success in his career. With over nine years of leadership experience, TJ has helped many organizations and individuals reach milestones within their careers. As a result, he is also uniquely suited to help you turbo charge your career within the information technology field.

TJ's credentials include a Bachelor of Science in Information Systems Security, Certified Information Systems Security Professional, GIAC Security Essentials (SANS 401), GIAC Certified Enterprise Defender (SANS 501), GIAC Certified Incident Handler (SANS 504), GIAC Certified Intrusion Analyst (SANS 503), GIAC Certified Forensic Examiner (SANS 408), GIAC Certified Critical Controls (SANS 566), and GIAC Certified Network Systems Auditor (AUD 507). TJ will complete his Master of Business Administration in Technology Management in February 2016.

The opinions expressed in this blog are those of TJ Trent and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.