Cyber-attacks and the impact they have on organizations are becoming much better understood. However, in the face of increasingly sophisticated targeted and untargeted attacks, the complexity and scale of the threat mean that avoiding a cyber-attack altogether is becoming harder for organizations. If a cyber-attack is going to happen at some point, it’s essential that organizations plan for, and prepare to respond to, the inevitable. But this can be easier said than done. What steps do organizations need to take to develop a cyber security strategy that ensures they are prepared?
Defining what success means
Nettitude has experience helping countless organizations (large and small) develop their cyber security posture, defense and response, as well as their governance and the assessment of their assurance levels. This experience has shown that it is critical to take the time to develop a longer-term vision of what ‘good’ looks like for your organization, especially in relation to cyber threats. It’s vital that this vision is clearly articulated, has board-level engagement, and is appropriate and relevant to the threats faced.
Many organizations have had one, and in some cases many, historic cyber security assessments and gap analyses performed on their controls. They have studied the relevant cyber security standards and regulations. They have implemented technology and written policies. But they don’t have a clear idea of why they are doing what they are doing, or are not able to determine when they have done enough.
The building blocks
Once you have defined success, you’ll need to work through the key building blocks of your cyber security strategy. These should include:
- Defining your strategic approach and leadership: Ensuring that you have identified and resourced the people, teams and focus that are appropriate for your organization
- Becoming threat-centric: This will require your team to:
  - Know what assets are important to your organization
  - Understand how cyber threat actors are likely to strike
  - Gain a true picture of your organization’s threat environment and threat surface
- Considering it now: If you wait to think about cyber security until after a breach, you’re already in trouble
- Expecting the worst: Shift mindsets and attitudes from ‘it’ll never happen to us’ to ‘when it happens to us’
- Looking at the most likely attack paths first: Work on the common attack vectors/paths (e.g. phishing) – and consider the risk of issues that come from human error
- Implementing privacy by design: Build security thinking into each part of your business ecosystem
- Gaining assurance: Ensure awareness of your current ability to detect and respond effectively. Conduct Threat Led Red Teaming simulation exercises and verify the response capability
- Testing, training and preparing: Continuously emulate adversaries, and measure and assure how your detection and response capability works
- Learning, evolving and maturing: Recognize that your business is a living thing. Scope, operations, threats, processes, innovation, technology, people – all of these change, and therefore your cyber strategy must be constantly reviewed, dynamic and adaptable.
Building a strategy: Nettitude’s Approach
Once success has been defined and the key building blocks above are in place, the strategy itself can be built. Nettitude has developed a five-step approach to building a robust cyber security strategy that can be applied across all sectors, geographies and business models.
We outline these five steps in our Effective Cyber Security Strategy whitepaper, which you can download here. Using this approach, Nettitude has helped countless organizations develop an overarching cyber security strategy that is pragmatic, adaptable and measurable, in order to protect themselves over the long term.