Baby steps: building a cybersecurity strategy

I have accomplished many challenging goals within my career. Rising to the second highest rank within my organization, redefining the manner in which our organization employs cyber professionals, and serving four combat tours of duty in the Middle East.

The hardest challenge occurred 16 years ago when I decided to join the United States Army. It required me to change my entire lifestyle. I had to lose about 60 pounds, change the way I exercised (I never exercised), and get off the ‘see food’ diet (I ate whatever I saw). Getting started was and remains the most challenging part of my journey.

Fast forward 16 years, this applies to organizational change regarding cybersecurity strategy. We quickly become overwhelmed by the breadth and depth of the task. We cannot allow the enormity of the mission to overcome us.

Here are seven principles that will allow you to build a sound cybersecurity strategy, gradually.

1. Decisiveness

Decide to protect your organization’s bottom line by building their cybersecurity strategy. Developing a sound plan requires technical competence, but a project champion is equally essential.

The project champion is a reliable, senior, technically competent, leader able to rally subject matters experts throughout the organization. He or she is also able to communicate clearly and effectively with executives.

Technical staff should consist of subject matter experts from the business divisions and cybersecurity professionals. Cybersecurity professionals know how to secure, but your business specific subject matter experts can help prioritize.

2. Aggressiveness

No is not an acceptable answer. Identify the problem and build solutions that support the organization’s bottom line. The organization’s data flow is one of several vital resources. Without data flow, most organizations cannot meet the bottom line.

We must be ruthless and test our responses before an incident occurs. Ruthlessness equates to allowing our cyber professionals to stop our data flow before cybercriminals. Pen-testing, social engineering, and physical compromise should be included in the rules of engagement.

3. Alertness

Start building a baseline of your organization’s network traffic, hardware, and software. The first step in any endeavor is awareness. You do not know what you do not know. Building and analyzing a baseline is key to devising an effective strategy.

The baseline could follow the 5w’s principle: Who, What, When, Where and Why.

Who is accessing our physical facilities, our internal resources, external resources, and online resources?

What methods are they using to communicate with us?

When are the resources above being accessed?  During normal business hours?  After normal business hours? 

Where are they accessing our resources?  Employees accessing resources from home or remote locations might be benign. However, it is impossible to reach such a conclusion if you do not know they are doing it. Someone or something accessing an internal database from a foreign IP could also be an indicator of compromise.

4. Speed

Slow is smooth and smooth is fast. Set many small goals to achieve milestones. The most important thing is getting started, NOW!  General Colin Powell (in his most recent book) said waiting until we have a 100 percent solution is counterproductive.

Psychologically big goals broken down into smaller milestones increase the likelihood of success and lead to overall organizational change.

Think big but start small, baby steps.

5. Coolness

Do not let them see you sweat. People are naturally risk-averse. The question is are they really risk-averse or only mildly risk-averse. No plan survives first contact with the enemy. Defining clear guidelines and procedure will help keep everyone cool, calm, and collected.

Risk aversion is natural because most people want to remain employed. We want the company to be the best in the field, and we do not want to compromise that ability. We should be equally averse to outside threats (or inside threats) compromising operations.

As it turns out, people are not risk averse to your plan to protect the company but to the possible compromise of operations. Expectation management and understanding senior leader intent will help mitigate these concerns.

You must remain cool and understand something will go wrong. However, if you have the proper procedures in place and clear rules of engagement it will be a learning experience and operations will not be impacted.

6. Surprise

The key to sustaining an excellent cyber strategy is an assessment. Assessing requires us to understand how well we exercise our processes and procedures during a cyber incident. The only way to honestly assess the organization is to limit the number of people who know about the test.

The assessment should consist of vulnerability and configurations assessments, as well as, penetration and exploitation testing. The later will gauge how well the former is working. Social engineering, phishing and pretexting) must be part of the rules of engagement. Targets lists should not exclude senior leaders.

7. Ruthlessness

As leaders, our commitment is to the organization. If we want to remain in business, we have to be able to protect organizational interests. We must pursue this without regard to hurt feelings.

The goal of any assessment is not to name and shame. However, if employee actions or business practices are compromising the company, it must stop.

Getting started is the most important goal of any strategy. Accomplishing small goals leads to achieving milestones. Milestones lead to overall organizational change. Think big but begin small, baby steps.