Designing a cyber security model has evolved considerably in the last 15 years. The name may not always be the same - master plan, action plan, roadmap - but, in essence it is always a question of setting a series of projects that will allow an organisation to achieve a 3 to 4 year security target that is supported by top management.
15 years of “security models” means 15 years of conversations started on the basis of accelerating threats, tightening regulations, supporting transformations. Today, the reasons for establishing a cyber strategy are still generally the same. However, the method itself, of designing the cyber security models has considerably evolved.
Evolution of the cyber strategy
10-15 years ago, life was easier: a security model could be designed in a few meetings with the CISO and their team, based on their “expert opinion”. To provide some logic, consultants would rely on an illustrative model such as a fortress or an airport, which served as the basis for setting up the foundations and explaining their choices. Cyber attacks still seemed distant, cyber was less dispersed than today and security models were more or less the same. With hindsight, these cyber strategies had, above all, a big real role in raising awareness and training top management, who were gradually becoming involved in the decisions and discussions.
In 2021, the context has changed considerably. Relying solely on “the expert opinion” no longer suffices: companies are now investing hundreds of millions of pounds a year in cybersecurity, and executive committees are demanding proof of the effectiveness of the deployed strategy. This raises questions about the relevance of a single strategy for a large company. For example, it is clear that the priorities are different for a retail bank focused on the leakage of customer data and an investment bank fearing the unavailability of certain trading channels. The current crisis is certainly likely to reinforce this trend: strategies must be adapted much more to the distinct business entity.
A pragmatic and agile strategy, aligned with business priorities
The first months of work are always dedicated to the method that will provide rigour and credibility amongst management and regulators. More specifically, it is a question of defining the company’s Cyber Framework and a method enabling each entity to define its Target Profile (i.e. the target that is to be achieved on the Framework).
Large organisations no longer have questions about the Framework as NIST has established itself as the market leader. The 5 functions (identify, protect, detect, respond, recover) are very clear and extremely popular amongst management teams. The chosen frameworks (ISO, CIS etc) no longer matter as long as they are based on a market standard. It should be noted that most companies do not hesitate to define controls to make them more pragmatic: EDR, SOAR, AD security, anti-fraud; the Framework simply acts as a library of potential controls on which the company will base its strategy.
Defining the Framework’s target
In large companies, the Group often imposes a first level of security for all, reflecting the need for the fundamentals: SOC, bastion, patching, etc. Most systemic attacks still exploit these weaknesses, and the risk of inter-entity propagation must be managed across the board. This common target is quite similar from one company to another and is generally established based on benchmarks provided by the consulting market. Each entity is then led to define its own target, depending on its own needs. The key is often to get out of the cyber department and work jointly with the Risk Department.
The must-haves of the moment: AD and IAM security
The figures resulting from the cyber strategies of major French companies are staggering: 10-20M euros invested on average per year in the industrial sector, and up to 100-150M euros/year for Financial Services. Each strategy is different but recent feedback shows that budgets are more or less evenly balanced between 4 types of projects:
1. Security foundations (patching, awareness, director security, etc.)
2. Protection of sensitive environments (LPM, AD security, data protection, etc.)
3. Zero-trust convergence (inventories, IAM, risk-based authentication, compliance, etc.)
4. Cyber resilience (detection, crisis management, reconstruction, business continuity, etc.)
A few years ago, the SOC was emerging as the top priority topic. Today, they are very much in competition with Active Directory security and IAM.
Final Thoughts
Cyber strategy is an essential tool for setting the direction, federating actions, and involving management. Establishing a multi-year security model is a great opportunity to get teams onboard around a common goal. Some security departments have grown from a few dozen people to several hundred or even thousands in the space of a few years, and many employees are currently searching for meaning in their role (read our article about how organisations can reorganise their security function).
Take advantage of this “moment”, the creation of the strategy, to foster aspiration, enthusiasm, and real team spirit in the function. It is the ideal moment to multiply working groups, involve as many employees as possible, adopt a transparent approach, have top management challenge the teams; in short, turn the design of your strategy construction into an event for the entire function.