Architecting a Security Strategy.
Posted on 19/05/20 in Insights
This is the first in a series of articles we will be publishing in the Cyber Security space. As more of our lives and businesses are digitised, it is critical that organisations have appropriate strategies in place to protect their businesses effectively and manage risk appropriately.
If you would like to talk about developing the appropriate Security Strategy, reviewing your existing capability, assessing the risk or developing your security architecture please do get in touch.
These articles have been kindly put together by our guest writer Abhishek Vyas, a Security Architect.
Strategies are used to help the business achieve its goals and objectives. A range of strategies run concurrently in a business at any one point in time, e.g. Product, Sales, Marketing, Finance and IT, to name a few.
Security departments can help the business achieve its goals and objectives by
A good security strategy can help re-position the value the security function provides, moving it from "Security always says No" to a threat-led, risk-based approach.
Most security strategies involve some degree of transformation, which is why they need to be architected: change is ultimately needed to support where the business is going.
To build a cohesive, fit-for-purpose strategy, some deep research should be carried out:
Deep Dive on the existing security estate (Security baseline)
Identify and assess the security-related technology, people and processes (security capabilities) that underpin business activities. This provides the "as-is" position.
The NICE framework (the NIST Workforce Framework for Cybersecurity) can help here, as it describes the roles and tasks that a fully-fledged security team comprises. Not all of it will be applicable, but it provides a view to work from.
Know the existing security value
The security estate supports business activities, which in turn generate profit. Asking "If the security estate was not there, how much would it impact the business profit?" can be used to help derive how much value the security estate is providing.
What new activities the business wants to perform
What does the business want to do in the future, e.g. launch new products or services? This is the "to-be" position. There may be several milestones on the journey to enabling these new business activities. How does each of them impact the security estate?
Understand the ability of the business to absorb security change
There need to be enough resources to bring the actual changes about. Where there is an impact to the security estate, it is vital to take into account how it will respond to being changed.
Draft a security capability roadmap
This provides a view of which new security capabilities are needed to support the new business activities, and where existing capabilities need to be uplifted or changed to support them. Ideally the roadmap should be able to demonstrate where new security value is being added. The new security capabilities can then be aligned to the milestones, to help sequence the delivery.
To help bring the strategy to life, some high-level principles can help, for example:
Hosting security technologies in the cloud, or consuming them as Software as a Service (SaaS), can decrease onboarding time considerably, delivering business benefit faster and potentially more cost-effectively. Most cloud providers also hold security accreditations; note that these cover the provider's side of the shared-responsibility model, so the organisation's own configuration and use of the service still need to be assessed.
Maintain in-house security skills
Longer term, having in-house skills is more cost-effective and allows for greater agility. It may mean that in the short term some external skills are used, but the knowledge should be transferred in-house over time.
Consolidate where possible
Where several technologies in the business offer similar security value, there should be an active effort to consolidate them, reducing total cost of ownership.
Build in a positive security culture
To support the execution of the security strategy, the organisation's security culture is key. The NCSC has published some practical guidance here:
https://www.ncsc.gov.uk/collection/you-shape-security/a-positive-security-culture
Summary
In summary, the security roadmap and principles form the foundations of a cohesive security strategy that is aligned to the business goals and objectives. The security strategy itself can now be presented at an executive level, with a focus on how it will help move the business forward. There is also the NCSC Board Toolkit, which can help in formulating the strategy and provides some useful tips:
https://www.ncsc.gov.uk/collection/board-toolkit/developing-positive-cyber-security-culture