A strategy for cybersecurity strategy

John Hellickson, CxO Advisor, Coalfire

Let's start with an assumption:  Having a cybersecurity strategy is best practice.  So, what makes a good cybersecurity strategy?  You'd be surprised how this answer varies across the security industry, especially from seasoned CISOs of Fortune 500 companies.

I've been fascinated with – and practicing in – the topic of cybersecurity strategy for more than a decade.  During this time, I've seen some good strategies, but I've also seen many that were quite embarrassing.  Is this the fault of the CISO or security leader? Not necessarily.  The one consistent theme many CISOs have struggled with is developing a business-aligned security strategy, for many understandable reasons. I particularly struggled when I became a Global CISO of a 400-person security program, and I wished I had a better grasp of, and a solid approach to, cyber strategy at that time.

We as an industry have focused primarily on the nuts and bolts of security programs, from compliance and security frameworks to industry best practices and technology solutions, and using those as the basis to formulate our cybersecurity strategies.  However, our industry has not done a great job of moving beyond security frameworks to develop strategies that are truly aligned to our businesses.

The purpose of this blog post is to spur some thought on how we can elevate the effectiveness of cybersecurity strategies.  This is the first of several posts over the next few weeks that will tackle different elements of what makes a more advanced and compelling business-aligned strategy.

/* Sales Pitch Warning: Here at Coalfire, we recently brought together a team of former CISOs and industry experts in various topics of information security, along with the input of dozens of CISOs, to solve the problem of developing business-aligned security strategies.  We call the outcome of this effort Strategy+. End Sales Pitch */

I already mentioned a few challenges to the industry's general approach to cybersecurity strategy, and I could create a long list of additional ones that security leaders run into, let alone how security service providers contribute to that list.  The process of strategy development itself should also be considered when putting together your overall security plan.  I will dedicate a blog post to this topic in the coming weeks.

More than 80% of the cyber program strategies we've seen were centered on a specific framework, maybe with an added category or two to address the areas where the frameworks fall short when leveraged as the foundation for a strategy.  This might include strategic and budget planning, leadership, etc.  Similarly, most products that focus on strategic risk management do the same, bolting a few categories onto the top of an existing controls-based framework.

We believe in a completely different approach – one that's specific to strategy.  Essentially, there are additional lenses that should be applied when looking at different areas of an overall cybersecurity program: multiple dimensions that allow one to take off the technical controls hat (the one a majority of CISOs are so familiar with) and reassess that complete set of controls from a business value perspective.  It doesn't matter whether an organization has the best set of controls if those controls impede business growth or fail to retain profitable customers.

Ultimately, it's time for security leaders across the industry to build upon their controls-based programs (what we call 'Controls Discipline') by applying two additional dimensions, which we call 'Business Alignment' and 'Performance Management'.  Controls Discipline is the one dimension where most security programs excel, as it has been the lifeblood of security practitioners for decades.  By adding these two additional dimensions, cybersecurity professionals will be able to pinpoint where a gap may be when it comes to doing the right things right, at the right times, with the desired outcomes.

The next post will explore in more detail the application of the 'Controls Discipline' lens to a given cybersecurity program strategy.  In the meantime, it would be great to hear from you on strategy development approaches that you've found to be useful.  Please send your thoughts to me on LinkedIn or via email at jhellickson@coalfire.com.

John Hellickson
