CHAPTER ONE
Cyber Strategy: The Strategy-Centric Approach
Cybersecurity is the mission-focused and risk-optimized management of information which maximizes confidentiality, integrity, and availability using a balanced mix of people, policy, and technology while perennially improving over time.
-Mansur Hasib, speaker, educator, career coach
INTRODUCTION
What exactly is a cyber strategy? Let's start by defining strategy. The word "strategy" is derived from the Greek word strategos, which combines two words: stratia (meaning army) and ago (meaning to lead or move). Merriam-Webster defines "strategy" as "a careful plan or method for achieving a particular goal, usually over a long period," or "the skill of making or carrying out plans to achieve a goal."1
A strategy is a course of action taken by management to achieve one or more of the organization's objectives. We may alternatively define strategy as "a broad direction established for the organization and its many components to reach a desired condition in the future."
A comprehensive strategic planning process yields a strategy. A strategy is all about integrating organizational operations and using and distributing corporate resources to fulfill current objectives. Keep in mind that we do not build a plan in a vacuum: any action conducted by an organization is likely to elicit a response from those affected, whether they are competitors, customers, workers, or suppliers. We may also characterize strategy as knowing what we want to achieve, being aware of the unpredictability of events, and considering possible or actual actions. An organization's strategy explains its business, the economic and human organization it aims to be, and the impact it intends to make on its shareholders, customers, and society. Strategy, then, is the preparation of a long-term plan that will guide an organization in achieving its objectives.
In "Strategic Planning for Public and Nonprofit Organizations," an article on the Insentra website, John M. Bryson defines strategic planning as:
- A disciplined effort to produce fundamental decisions and actions which shape and guide what an organization is, what it does and why it does it, all with a focus on the future.2
CYBERSECURITY STRATEGY
The European Union Agency for Cybersecurity (ENISA) defines cybersecurity strategy as:
- A national cybersecurity strategy (NCSS) is a plan of actions designed to improve the security and resilience of national infrastructures and services. It is a high-level top-down approach to cybersecurity that establishes a range of national objectives and priorities that should be achieved in a specific timeframe.3
In essence, a cybersecurity strategy is an organization's plan to reduce business risk from cyber-attacks by maintaining confidentiality, integrity, and availability in all the organization's information systems and data.
The primary request of any organization or institution's Board of Directors (BOD) and C-level executives (C-LE) is for a robust, scalable, and agile cybersecurity strategy that enables business agility and sustainability. A robust cybersecurity strategy is critical for business operations because it protects against cyber risks and mitigates potential data breaches and other cyber threats to critical infrastructure and critical data. For a BOD member or a C-LE to fathom the value proposition of the organization's cybersecurity strategy, there must be clear accountability for how the business is aligned to the organization's specific approach to cyber value, cyber compliance, cyber culture, and cyber resilience; all of this starts from the strategy. Each of these is a precept covered in the following chapters of the book.
THE VALUE PROPOSITION OF A CYBERSECURITY STRATEGY
Most executives' first thought is to determine the return on investment (ROI) of a cybersecurity strategy. The ROI is the total value of the cost of cyber breaches averted minus the cost of mitigating cyber risks. After reading the next chapter, you'll understand why this is often difficult to measure and learn how to calculate it better.
Beyond the ROI or net value, the absence or misalignment of a cybersecurity strategy will not enable the board of directors or C-level executives to take the subsequent business strategic risks that facilitate business growth and success in the foreseeable future. A cybersecurity strategy allows the organization to capture more value from its business model.
For example, suppose an organization's strategy is to grow through mergers and acquisitions (M&As). The cybersecurity strategy should mitigate any cyber risks that emerge with each new M&A while not losing focus on the current cyber risks. The organization's expansion and growth depend on the trust of existing and new consumers. The cybersecurity strategy should be in line with building the trust of its customers after the M&A: critical infrastructure and data are secure. A strategy in line with the business's objectives is the only assurance that enables the board of directors and C-level executives to take the business to the next level, or to the next innovative idea or concept. After that, executives can confidently answer the questions posed in this chapter.
The primary concern of any executive in this realm should be a successful cyber-attack or security breach. Cyber-attacks have caused significant damage to businesses, affecting the bottom line, their business standing, and customer and consumer trust.
THE EXECUTIVE'S ROLE IN CYBERSECURITY STRATEGY
You may wonder why a cybersecurity strategy should be the first foundational precept for the BOD and C-LEs, as prescribed in this book. Most organizations' executives do not treat cybersecurity like any other strategic business decision. For a cybersecurity strategy to enable the business effectively and successfully, it has to be driven by the organization's leadership. A cybersecurity strategy that has the support of executive leadership invites the actionable strategy-centric approach and governance model that gives the right priority to cyber risk management. Members of the BOD and C-LEs need to start asking the right questions about cybersecurity strategy to make sure sufficient investments are made to minimize business disruptions from cyber risks. A cybersecurity strategy that is well articulated by the executive leadership will automatically align business strategy objectives and the organization's risk appetite. Some of the implications of ignoring cybersecurity strategy are listed below:
- BOD and C-LE insecurities emerge from the lack of a cybersecurity strategy or plan to reduce cyber risks tailored to the organization's objectives and risk profile.
- BOD and C-LE insecurities emerge from the absence or misalignment of the cybersecurity strategy relative to the business strategy. That absence or misalignment cripples the business's ability to innovate and remain sustainable for the foreseeable future while operating in an era of increasing cyber-attacks.
If you are a member of the BOD or a C-LE of an organization, you need to be able to articulate answers to these questions:
- Does your organization have a cybersecurity strategy that's specific to the organization's core business?
- Is the organization's cybersecurity strategy aligned to the business goals?
- Does the cybersecurity strategy have adequate resources to mitigate risk within the organization's risk appetite and risk tolerance?
- Does the cybersecurity strategy have adequate financial support to manage cyber risks against the critical assets?
- Is the organization cyber-compliant with all laws and regulatory or industry-specific requirements?
- How does the organization's cybersecurity strategy ensure that it can avoid, respond to, and recover from constantly changing cyber threats?
- Has the organization integrated people, processes, and technology into its cybersecurity strategy?
The failure to clearly articulate a response to these and other questions invites business risk that would result in lost shareholder value, less consumer and customer trust, limited business growth, and more. No single strategy-centric approach to cybersecurity strategy is ideal for all business models; the cybersecurity strategy has to be one that suits your business. Given the rising prevalence of technology, software vulnerabilities, ransomware, and other vectors of cyber-attacks, it is imperative for cybersecurity strategy to be at the top of every executive's agenda. We live in a world of constant volatility, and if you take a vested interest in, and support, how your organization's cybersecurity strategy will cope with the continual change of cyber-attacks, in both scale and complexity, you will enable your organization to achieve its business goals while managing cyber risk within the organization's risk appetite. Cybersecurity strategy enables BOD members and C-LEs to recognize and understand, at a high level, the potential impacts of and losses due to cyber risks, which have affected operations, reputations, and revenues.
Potential Loss Due to Cyber Risks
Cyber-attacks can result in economic, reputational, and...