Craig Barber MBCS M.Inst.ISP CISSP tells ITNOW why strategic planning in cyber security is a little more challenging than you’d first think.

The information security industry is continuing to grow and change exponentially. Cybercrime is now one of the greatest threats to every company in the world and is costing trillions of dollars, globally, each year. Statistically, the number of vulnerabilities discovered is increasing year-on-year and the same goes for advanced persistent threats (APTs). From a strategic perspective, this is akin to needing a crystal ball when it comes to planning ahead.

Let’s think back to 2016 when Mirai, the first large internet of things (IoT) attack happened. Can you say you were prepared for it? Did you consider something like this in your security strategy in the previous years? What about the more recent, sophisticated phishing attacks like Emotet, or the fact that malicious PowerShell scripts are up over 1000%? Attack vectors are evolving almost daily; constant awareness of controls to protect your organisation is required. As a result, strategic planning can become a bit of a nightmare.

The long-term goals

So, what should you consider as part of your long-term plan? The typical approach to this does not change in security. Remember to work closely with the wider business strategy and requirements over the coming years. New ways of working are always worth looking into - think cloud, zero-trust and borderless networks. One of the best ways to accomplish this is to keep a close eye on the big players - Google, Amazon and so on. They do some great research and development, which is viewable online.

At some point you’ll need to consider security controls around new trends, so start thinking about this as soon as possible. The challenges around up-and-coming communications protocols like TLS 1.3 should also be considered, although you probably feel like we’ve been rolling out IPv6 forever! On an administrative front, keep a close eye on regulatory changes in the countries in which you operate, including the introduction of any new legislation. If you need to implement controls around this, you should have plenty of time to consider these over the next few years.

Where it’s not so easy...

So, where does planning ahead become more difficult? Unfortunately, new attacks appear almost every day. 0-day vulnerabilities are expected to become more and more frequent over the coming years, driven further by the growth of IoT and connected devices. It is practically impossible to consider certain vectors like these as part of a three-year plan, simply because they change so fast.

This is where a balancing act comes in: consider these trends as part of your mid-term plan, but also remember to build in plenty of contingency options. This requires a sort of ‘loose’ tactical plan that may not actually cover much detail at all - and plenty of options for change as the year progresses. A good approach to facilitate this is to ensure regular, proactive threat modelling. Whilst the general concepts of an attack stay relatively similar (think OWASP Top 10), you’ll need to be able to cope with changing requirements as quickly as possible to stay ahead of the game.

Are you mature enough?

What if your organisation is lagging behind when it comes to security? Sadly, many businesses are not prepared for today’s threats - let alone the threats of the future - and this can be an issue up to board level. 60% of execs believe current technology and business processes are all that is required to keep the company safe. As a result, you may struggle to secure additional budget, particularly if a new requirement rears its head mid-financial year.

The good news is, increased publicity and the new breach notification requirements are starting to change this thinking. If you do not have basic security controls in place, or are focused on the minimum compliance requirements, you probably feel like security is moving even faster!

To bring your organisation up to speed, select a good maturity model. It doesn’t have to be a security-focused one - for example, you could use the COBIT model. It’s important to mention this isn’t about comparing your organisation to another. A maturity model is more useful for driving improvements internally, so you could even develop your own. It’s a great way to establish a roadmap for cultural change. Achieving an increase in security maturity will likely require a significant budget increase and a lot of time - so, consider this within your strategic planning.

Fixing internal processes

If you’re already at a reasonable security maturity level, that’s great! However, keep in mind there will be further challenges to consider when rolling out new controls, particularly over a short timeframe. A new method of attack could rear its head tomorrow - if this happens, how do you get protection in place as quickly and efficiently as possible? Having a well-versed security operations team is an obvious must for your first line of defence. Use the NCSC Exercise in a Box to assess your response function.

However, when it comes to something like infrastructure changes, internal business processes can add delays in getting new security technologies procured. For example, if a request for proposal (RFP) is required over a certain value, this results in further administration activities - defining requirements, organising responses, arranging scoring sessions and subsequent disagreements between the finance department (cost) and security (functionality). Also, consider supply chain issues where your equipment is built to order. Historically, this caused delays, but it is less of a problem with virtualisation and the cloud.

What is the solution?

Ensuring a contingency fund for security and compliance related issues is a must, particularly over each financial year. Focusing on short to mid-term planning can ensure your organisation maintains a good security posture and can react to industry changes faster when it comes to evolving threats.

On a purchasing front, if your internal procurement processes are poor, try and drive a review - even if it’s just for security related matters. An option such as an RFP ‘fast track’ could work for you. This is where an RFP is completed on a supplier basis instead of using multiple vendors. You may find this fits into your strategy better, especially where you already have a chosen portfolio of vendors. When constructing your mid and long-term plans, it is critical that your security experts have received regular training and keep records of continuous personal development (CPD). This isn’t just beneficial for your employees, it’s good for the business, too - showing a clear alignment and understanding of today’s threats.

Your competitors could help!

Have you considered working with your rivals? It sounds odd - but establishing or contributing to working groups with businesses in your sector is a great option. Some industries really make good use of this - banking, for example. This gives you the opportunity to share valuable intelligence. If this is something new to your organisation, it can be hard to encourage due to concerns about working with competitors. However, this can be hugely beneficial for your industry and ensures your company is seen to be doing the right thing. If your rival has seen a sophisticated attack that may also impact you, you will certainly be grateful for the heads-up!

Furthermore, if your company is involved with something like national infrastructure, you may also be a part of the NCSC Cyber Security Information Sharing Partnership (CiSP). Use this to your advantage when planning for the future. Whilst there is no ‘one size fits all’ solution to tackle the uncertainty, taking some of these options into account could help protect your business in the years to come.