This is how a correct cybersecurity strategy should be carried out
There are many factors and premises that an organization must consider when defining its cybersecurity strategy. In a changing technological environment, companies must identify and protect their strategic assets through specific security controls that support business continuity.
On this subject, ISACA has set out how a correct cybersecurity strategy should be carried out, since protecting systems, networks, applications and data is today as important for an organization as winning new clients, increasing revenue or launching new products.
“The simple fact that an organization asks itself this question is already a sign of maturity, but also of the importance that the top management of a company gives to cybersecurity”, explains Víctor Parrado, CISO at GlobalSuite Solutions.
Awareness in the company
As in any strategy, the involvement of the company’s management in cybersecurity is a key element, and hence the importance of the CISO role: the CISO sits at the senior level of the company in order to know the strategic objectives of the business first-hand and protect them adequately.
The cybersecurity strategy depends on those strategic objectives, but also on the resources and capabilities the organization has, as well as on the internal and external factors that we will call context. When the strategy is taken down to the operational layer of an organization, adapting it to our own reality is essential for success.
A good starting point for defining the security strategy is to answer the following questions: what is critical for the organization? Which assets can we not do without?
These are essential questions that should never be entrusted to a single point of view: they should be put to several leaders or areas within the company, since it is quite common for an important business process to depend on an asset that only one area knows about.
As stated by Víctor Parrado, “it would be a mistake to start directly implementing controls without first knowing what could happen to us and what we have. With this exercise we can identify the strengths and weaknesses in cybersecurity, as well as what the shortcomings are and what needs to be done to act on them. It will also give us an overview of the different layers and how we should protect our most valuable data.”
Cybersecurity Strategy
At this point we would be shaping a strategy known as defense in depth. Originally from the military world, its objective is to slow down the enemy’s advance through several different methods and controls (layers) instead of relying on a single method of protection. The attacker then needs more time and knowledge to compromise the security of critical assets, which gives the defender the opportunity to mount a more effective response. The layers only add value when they fail independently: two controls that depend on the same credential, network path or administrator account are, in practice, one layer.
As Parrado assures, “in this case, it is not necessary to think only of technical measures and cybersecurity programs. It is just as important to know how the user interacts with the organization’s systems. This management layer contains all the policies, regulations and procedures, in addition to providing the basic principles on which to articulate the rest of the more technical safeguards. The complexity of the infrastructure of organizations makes it necessary to implement a management framework that allows all the implemented processes to be carried out correctly, from reports to the management of relevant data, to the evaluation and management of risks and compliance”.
But that is not all. When defining a strategy we must bear in mind that, where cybersecurity is concerned, our reality is constantly changing, so the strategy we define for our company must be flexible enough to adapt to market requirements and new technologies over time.
Parrado gives an example of this situation: “At the time of the outbreak of the pandemic, most companies had a strategy based on centralized authentication in corporate systems to protect those users who were outside the corporate network. This model exploded at the moment when all employees had to start working from home, forcing organizations to provide access to new devices, in some cases non-corporate ones, as well as a huge number of connections incompatible with the licenses they had, etc. In other words, from one day to the next, the protection strategy for user devices had to change. This is a simple example of how the cybersecurity strategy must be constantly evolving.”
Implementing the right strategy
A cybersecurity strategy implies the acquisition of knowledge by the team, the management of the necessary tools and constant updating as all these controls are implemented. This implies a level of complexity that, on many occasions, an organization cannot take on by itself.
For this reason, many companies rely on external support to help them in the event of cyber incidents, to monitor their infrastructure for anomalies or, in short, to provide specialized cybersecurity services. We would be talking about managed SOC services, CERTs, cyber risk insurance, etc. With this in mind, the following points should be taken into account when defining a strategy:
- Decisions based on data and information. The first step in defining a strategy is knowing our organization: what is important, and what our strengths and weaknesses are.
- The cybersecurity strategy must be supported by senior management. And vice versa: cybersecurity must support and adapt to business objectives.
- Implementing a cybersecurity management framework will allow us to manage processes better. Be it ISO/IEC 27001, ISO/IEC TS 27110, the ENS (Spain’s Esquema Nacional de Seguridad), the NIST Cybersecurity Framework… Choosing a standard that defines the different processes and how they relate to one another is a good strategy.
- Strategy is a consequence of your context. To define a strategy you must know your reality, and resources are always limited.
- Defined security roles and responsibilities. Determining who is in charge of what is essential in order to define the different processes to be implemented and carry out good cybersecurity management.