Building a strategy and making it stick
Ensure you develop your security strategy aligned with your organization's overarching goals

Looking up the collective hive-mind (better known as Wikipedia), it will tell us strategy "is a general plan to achieve one or more long-term or overall goals under conditions of uncertainty." I find that to be a good definition.

Why is strategy important?

As a cybersecurity professional over many years, constraints on time and resources are challenges I am very familiar with. From its birthplace in IT, our discipline has grown both in scope and importance and often sits higher in organizations these days – outside of IT – and with regular reporting to executive management and the Board of Directors. However, what security professionals do is in most cases still seen as a cost of doing business and often somewhat of a black box; thus, the struggle for resources continues.

With many areas to cover, and a rapidly evolving threat picture fueled by international conflict and geopolitical tensions, it’s impossible to be everywhere at the same time. Working out a strategy is therefore ever more important, as the time and resources available to us are usually limited.

To get everyone behind a strategy – goals, priorities, and actions – it is of utmost importance to be inclusive in the development process from an early stage. When stakeholders are involved and allowed to voice their opinions, alignment and ownership are much more likely to happen.

An ongoing process

As with many business processes, strategies need to be constantly adjusted to adapt to and meet changes – both external ones, but also those that occur internally. For the security strategy this is especially important, as security is there to support the business, not to do security for its own sake.

Leading a global security team spread across multiple time zones, I’ve found it smart to start early. Last year we sent out a survey to the head of security for each operational company already at the end of June, with a mid-August deadline. The goal was to gather input on the key risk drivers we see, and the emerging threats following in their wake.

At the end of the third quarter, we gathered physically to collectively go through all the individual inputs and see if there were similarities and ways to group them into focus areas. Taking the output from this workshop back to the office, a first draft of the updated strategy was made and then circulated back to the participants for input and comments.

Towards the end of the year a second workshop was held to go through all the individual feedback and ensure everyone’s opinions were taken into consideration. The output was then taken back to the office again and a second draft was made. This was finally circulated one last time to the peer group, as well as to the security team at Group level. And there we had our strategy: endorsed, aligned and ready to execute.

For each operational company there will be individual priorities and individual actions that need to be worked out, but the general plan to achieve an overall goal for the Group is in place.

What does the future hold?

If you have read this far, I am sure you’re curious what risks were discussed, so I’ll include a short summary. While different industries and different regions naturally face different challenges, we all live in the same world. Thus, the bigger lines will usually encompass all of us, and we found the following three focus areas to be a common denominator.

Escalation in geopolitical tensions and international conflict

The first one was brought up already before summer last year, and it has not been reduced in severity throughout the year. Hybrid attacks are on the rise with increased conflict, and the threat of physical damage or sabotage to assets is increasing with it. An increase in espionage is also following in this wake, both through digital channels and through people. The insider risk in general is growing on this basis – both the accidental side of it and the intentional one. Finally, sanctions and protectionism are being used more and more, creating uncertainties around supply chains and collaboration – especially for global companies.

Rapid increase in development and uptake of new and disruptive technologies

Generative AI is currently the number one example of where people are scrambling to see what’s happening. It brings a lot of promises in terms of heightened efficiency, improved quality, and better user experiences – but what are the drawbacks? Issues that need to be investigated and managed would at least concern:

1. What new threats does AI pose to us?
2. How do we secure our own adoption of AI?
3. How can we use AI to improve our defenses?

Resilience and dependencies in complex supply chains

Especially in Europe, the NIS2 directive received a lot of attention in 2024. As with GDPR back in 2018, it introduces hefty fines for organizations that are non-compliant and includes a step-up in many areas that often tend to be somewhat overlooked. Going forward, every organization will have to put a lot more work into ensuring operational resilience and making sure they have end-to-end control of their most important processes, including how to get them back into action should they fail. And in this interconnected world, with the above-mentioned heightened level of political tension and conflict, this will also include every third party that is part of the supply chains connected to these processes.

How to go about it, then? Well, there are obviously as many suggestions for that as there are issues, and we’ve already started working on them as part of the strategy execution program. But that’s a tale for another time.

2024 will be an interesting year.

Lawrence Neo

Senior Consultant (Governance, Risk and Compliance)

10 months

I am happy to have participated in this process. Working within GBS and with GBS, I have learned so much about security leadership and execution. Thank you for crystallizing this topic on digital paper!

Peter Heggl?v

Head of Security at Telenor Linx

10 months

Thank you Bjørn R. Watne for running a very thorough and open strategy process! Some leaders might still believe that a strategy is something executives alone develop and enforce. I’m definitely rooting for the other clan and praise the involvement of the entire organisation in the process. Now we hit the ground running and start executing