Defining the cybersecurity strategy in a large organisation

15 years of “security models” means 15 years of conversations started on the basis of accelerating threats, tightening regulations, supporting transformations. Today, the reasons for establishing a cyber strategy are still generally the same. However, the method itself, of designing the cyber security models has considerably evolved.

10-15 years ago, life was easier: a security model could be designed in a few meetings with the CISO and their team, based on their “expert opinion”. To provide some logic, consultants would rely on an illustrative model such as a fortress or an airport, which served as the basis for setting up the foundations and explaining their choices. Cyber attacks still seemed distant, cyber was less dispersed than today and security models were more or less the same. With hindsight, these cyber strategies had, above all, a big real role in raising awareness and training top management, who were gradually becoming involved in the decisions and discussions.

In 2021, the context has changed considerably. Relying solely on “the expert opinion” no longer suffices: companies are now investing hundreds of millions of pounds a year in cybersecurity, and executive committees are demanding proof of the effectiveness of the deployed strategy. This raises questions about the relevance of a single strategy for a large company. For example, it is clear that the priorities are different for a retail bank focused on the leakage of customer data and an investment bank fearing the unavailability of certain trading channels. The current crisis is certainly likely to reinforce this trend: strategies must be adapted much more to the distinct business entity.

The first months of work are always dedicated to the method that will provide rigour and credibility amongst management and regulators. More specifically, it is a question of defining the company’s Cyber Framework and a method enabling each entity to define its Target Profile (i.e. the target that is to be achieved on the Framework).

Large organisations no longer have questions about the Framework as NIST has established itself as the market leader. The 5 functions (identify, protect, detect, respond, recover) are very clear and extremely popular amongst management teams. The chosen frameworks (ISO, CIS etc) no longer matter as long as they are based on a market standard. It should be noted that most companies do not hesitate to define controls to make them more pragmatic: EDR, SOAR, AD security, anti-fraud; the Framework simply acts as a library of potential controls on which the company will base its strategy.

In large companies, the Group often imposes a first level of security for all, reflecting the need for the fundamentals: SOC, bastion, patching, etc. Most systemic attacks still exploit these weaknesses, and the risk of inter-entity propagation must be managed across the board. This common target is quite similar from one company to another and is generally established based on benchmarks provided by the consulting market. Each entity is then led to define its own target, depending on its own needs. The key is often to get out of the cyber department and work jointly with the Risk Department.

Cyber strategy is an essential tool for setting the direction, federating actions, and involving management. Establishing a multi-year security model is a great opportunity to get teams onboard around a common goal. Some security departments have grown from a few dozen people to several hundred or even thousands in the space of a few years, and many employees are currently searching for meaning in their role (read our article about how organisations can reorganise their security function).