What is a cybersecurity strategy?
Before moving forward, let us first establish what we mean by a ‘cybersecurity strategy’. It is a comprehensive plan that outlines the approach and practices an organisation will take to protect the confidentiality, integrity and availability of its information and information assets.
A lot is packed in this definition. A cybersecurity strategy can mean so many things, but it boils down to the cybersecurity culture of an organisation – the total package of what they do and their attitude towards cybersecurity.
Tip #1: Avoid box-ticking practices
Security solutions and practices should be intentional and not adopted just for the sake of fulfilling requirements. For example, security policy documents should be concise, straight to the point, and carefully written. There is no use having a 100-page policy that no one reads – yes, it may tick the box of a certain requirement, but it may not translate into actual security gain. A good practice is to have summaries of long documents, with users able to refer to the full version for more details.
Complacency is an enemy of solid cybersecurity. A story is told of an oil company that had a control centre for monitoring its network of pipes. A seasonal weather condition caused some of the pipes to expand/contract, and this kept triggering some of the sensors to report leakages. The staff at the control centre got used to the ‘frequent’ false positives and started ignoring the alarms until a farmer phoned in one day to report a flood of oil on his farm.
Don’t leave anything to chance or ignore anything, even the seemingly boring or mundane ones. DON’T IGNORE SECURITY ALERTS. There will always be false positives/negatives. These should be opportunities for improvement and not lead to complacency. Enforce a culture of zero tolerance for ignoring security alerts/warnings.
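One way to act on this tip in a monitoring pipeline is to make every suppression of a known false positive explicit, owned and time-bound, so that alerts are tuned rather than ignored. The following is an added example, not code from the article: the alert format, the sensor names (pipe-7, pipe-12), the rule fields, the daily rate limit and the expiry date are all constructed for illustration.

```python
"""Alert triage that tunes known false positives without silently ignoring them.

Added example, not from the original article. Alert format, rule fields,
sensor names and thresholds are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Alert:
    ts: datetime
    source: str     # sensor or detector that fired, e.g. "pipe-7"
    signal: str     # what it claims, e.g. "pressure_drop"
    value: float


@dataclass
class TuningRule:
    """Explicit, owned, time-bound downgrade of a known benign pattern."""
    source: str
    signal: str
    reason: str
    owner: str
    expires: datetime   # after this the rule must be re-validated
    max_per_day: int    # above this rate the pattern is no longer 'normal'


@dataclass
class Triage:
    rules: list
    log: list = field(default_factory=list)    # every alert is recorded
    counts: dict = field(default_factory=dict)  # (source, signal, day) -> n

    def _match(self, a: Alert):
        for r in self.rules:
            if r.source == a.source and r.signal == a.signal:
                return r
        return None

    def handle(self, a: Alert) -> str:
        """Return a verdict; nothing is dropped, only downgraded or escalated."""
        key = (a.source, a.signal, a.ts.date())
        self.counts[key] = self.counts.get(key, 0) + 1
        rule = self._match(a)
        if rule is None:
            verdict = "escalate"                 # unknown pattern: a human looks
        elif a.ts > rule.expires:
            verdict = "escalate:rule-expired"    # tuning decision must be revisited
        elif self.counts[key] > rule.max_per_day:
            verdict = "escalate:rate-exceeded"   # benign pattern changed shape
        else:
            verdict = "downgrade"                # still logged and counted
        self.log.append((a, verdict))
        return verdict

    def review_queue(self):
        """Everything that still needs a human decision."""
        return [(a, v) for a, v in self.log if v != "downgrade"]


def run_sample():
    """Constructed sample: seasonal expansion on pipe-7 is a documented benign
    pattern, limited to three alerts a day and valid until 2024-04-01."""
    rules = [TuningRule("pipe-7", "pressure_drop",
                        reason="seasonal expansion, verified on site",
                        owner="ops-lead", expires=datetime(2024, 4, 1),
                        max_per_day=3)]
    t = Triage(rules)
    alerts = [
        Alert(datetime(2024, 3, 10, 1), "pipe-7", "pressure_drop", 0.4),
        Alert(datetime(2024, 3, 10, 2), "pipe-7", "pressure_drop", 0.5),
        Alert(datetime(2024, 3, 10, 3), "pipe-7", "pressure_drop", 0.4),
        Alert(datetime(2024, 3, 10, 4), "pipe-7", "pressure_drop", 1.9),   # 4th today
        Alert(datetime(2024, 3, 10, 5), "pipe-12", "pressure_drop", 0.6),  # no rule
        Alert(datetime(2024, 4, 2, 1), "pipe-7", "pressure_drop", 0.4),    # rule expired
    ]
    verdicts = [t.handle(a) for a in alerts]
    return verdicts, t


if __name__ == "__main__":
    verdicts, triage = run_sample()
    for (a, v) in triage.log:
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.source:8} {a.signal:14} -> {v}")
    print(f"{len(triage.review_queue())} alert(s) awaiting review")
```

The design point is that a false positive earns a rule with a reason, an owner and an expiry, not a habit of ignoring the screen; when the rule lapses or the pattern changes rate, the alert comes straight back to a person.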
Tip #2: Stay on top of the game
Cybersecurity can feel like a game of ‘cat and mouse’; “a series of cunning manoeuvres designed to thwart an opponent”. Playing this game effectively entails taking proactive practical steps to stay ahead of attackers and preparing for when (not if) an attack does happen. Some of these practical steps include:
- Continuously (at a company-defined interval) research the current number-one threat and the four most prominent past threats, and address them. Keeping your eyes on at least the top 5 threats in official and/or recognised cyber threat reports is a good way to be proactive.
- Conduct social engineering campaigns at company-defined intervals. It is important that this is (and is seen as) an opportunity to learn and tighten security, and never used for punitive purposes.
- The good old risk assessment, penetration testing, incident response, patch management, relevant security compliance etc. are still important.
Tip #3: Implement robust and user-friendly access control
People typically associate the phrase ‘access control’ with strong passwords. Although a ‘strong password’ is relative, it is generally seen as one that is ‘long and complex’. Because long and complex passwords are usually difficult to remember, and password rotation policies have made things worse, people have resorted to unsafe practices (e.g., writing passwords down, password recycling, using password managers, etc.) to help them remember their passwords. Start moving away from over-reliance on passwords.
Multi-factor authentication should be a basic requirement. Given the inherent complexities of using passwords (simple ones are easy to hack, while hard ones are difficult to remember), organisations should also consider passwordless authentication. After all, the password is not the only item (factor) in the ‘what you know’ bag – a combination of ‘what you have’ and ‘who you are’ alone is also multi-factor authentication.
Moreover, access control should be user-friendly and not get in the way of people doing their work. Help people understand the goal of access control (what you intend to achieve), the importance of it, and not just the means. Carefully implement zero trust, separation/rotation of duties, least privilege, and need-to-know principles.
Tip #4: Focus more on the people
According to Advisera*, only 37% of the 114 ISO 27001:2013 security controls are IT-related. However, 88% of data breaches are caused by human error. These, and many other studies, show that humans are the most important link in the cybersecurity chain. It is not always about the tools, but the people.
Security should start from the recruitment process, including writing job descriptions. Ensure that you target and get the right people. Diligent checks are important. For example, a prospective employee who posts unnecessary details of their current employer’s system/network on social media might be a security risk.
After recruitment, help employees achieve more security with user-friendly solutions. Ensure that people are motivated, understand what is required of them, and that they have what they need to do their job. Avoid ambiguity and complexity where possible. According to NCSC, “Good operational security should not require complex, bureaucratic, time consuming or expensive processes.”
*Dejan Kosutic’s old training notes on ISO 27001:2013 for Advisera
Tip #5: Develop fit-for-purpose user awareness and cybersecurity training
A high percentage of data breaches are caused by human error, and training has been identified as the best solution for ‘patching’ such human vulnerabilities. However, training has to be fit-for-purpose. The traditional one-size-fits-all approach has been proven inefficient and ineffective. When it comes to cybersecurity, we know that there is no single-training-fits-all solution – people have different technical skills, different prior knowledge and experience, are in different roles, are exposed to different security risks, and require knowledge that is relevant to what they do.
Implementing tailored, role-based cybersecurity training that recognises prior knowledge and skills and is personalised to the specific role is a good approach. We need to rethink training and awareness. This should not be another box-ticking exercise, but designed and tailored to ensure that every individual is properly equipped to do their job.
The bottom line
In this article, we have discussed cybersecurity strategy from a more holistic and less formal perspective. When conceptualising an effective cybersecurity strategy and understanding how it can be achieved, it’s helpful to remember three key attributes – organisational culture, people-centricity, and user-friendliness.
First, cybersecurity strategy should be embedded in the organisation’s DNA. It should be naturally obvious to anyone how seriously the organisation takes cybersecurity. Does a new employee’s experience (from recruitment, through the first day on the job, to the weeks after joining) demonstrate to them that security is a big deal for the organisation? Second, since ‘humans are the weakest link in the cybersecurity chain’ and organisations are only as ‘secure as their weakest link’, cybersecurity strategy should be people-focused. ‘Securing’ the user addresses most of the security risks. Third, security controls/systems should empower the user to do their job securely and not get in the way. Complexity can sometimes lead to security exposures.
Hancock, J.: Psychology of Human Error: understand the mistakes that compromise your company’s cybersecurity. Tessian Research (2020). https://bit.ly/3Lzn1Fg
Eze, T., Hawker, N.: CAP: Patching the Human Vulnerability. HAISA 2022. IFIP Advances in Information and Communication Technology, vol. 658. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-12172-2_9