Cybersecurity 101: Don't Confuse Strategy and Plan

Key Definitions

When we launched our new Cybersecurity Service offering, we were immediately faced with the need to clarify two pivotal concepts: Plan and Strategy. Though these terms are frequently used interchangeably, they have nuanced differences. Failing to understand and distinguish the difference between the two can leave organizations adrift in a sea of cyber uncertainty. In fact, to navigate this volatile landscape, you need to have

  • a robust strategy,
  • an actionable plan,

and

  • the ability to differentiate between the two.

There are varying interpretations of "strategy" and "plan," including their frequent use interchangeably. In the context of information security, step one is understanding the differences between the terms. Both are crucial for leadership awareness and fostering a strong security posture.

Cybersecurity Plans are detailed blueprints addressing specific steps, tasks, personnel, financial aspects, and actions needed to implement the strategy. Plans are concrete and operational, focusing on short-term objectives and specific deliverables. As such, they require frequent adjustments and revisions, often yearly, quarterly, or monthly, based on emerging themes.

Cybersecurity Strategies are high-level, long-term approaches outlining the overall direction and purpose of cybersecurity across the organization. Strategies focus on the "what" and "why" of achieving goals and provide a framework for decision-making. They are typically updated every few years unless significant shifts occur in the business or threat landscape.

Artificial Intelligence as Disruptive Force in Cybersecurity

The sudden onslaught of AI in all areas of technology, including security, provides a good illustration of the difference between the two concepts.

In 2023, the rise of AI prompted an urgent need for organizations to revisit both cybersecurity plans and strategies. Our cybersecurity team recognized the necessity to incorporate AI elements into clients' strategies and plans. In essence, this was an out-of-cycle modification aimed to harness AI's accelerating influence within organizations and address evolving threats.

What did it mean in practical terms?

With respect to Cybersecurity plans, we worked with clients to introduce new policies regarding AI use. We also conducted educational sessions for leadership on AI's impact on data and operations.

While AI was already acknowledged in most Cybersecurity strategies, we fine-tuned them to specifically highlight the influence of AI on the speed to market, quality, and quantity of emerging threats.

Interconnected but Distinct

In essence, a strategy is a high-level, long-term approach or method designed to achieve a specific level of maturity, making directional choices about resource allocation and the advancement of security posture.

In contrast, a plan is a detailed, specific set of action steps with start and end dates, focused on accomplishing specific cybersecurity objectives derived from the overarching strategy.

Strategy and Plan

With respect to flexibility, cybersecurity strategies are more adaptable and flexible. They allow for adjustments in response to changes in the external environment or shifts in organizational priorities.

Plans, on the other hand, are more rigid and may need to be adjusted or revised if unforeseen circumstances arise. However, they provide a structured framework for achieving short-term goals.

Summary

Cybersecurity Strategy:

  • Focuses on the “what” and “why” of achieving goals and offers guidance on the overall approach.
  • Outlines the overall direction and purpose of cybersecurity across the organization.
  • It defines the order of priority of threat types for the organization to address.
  • Provides a framework for decision-making.

Cybersecurity Plan:

  • Focuses on the “how” of achieving specific cybersecurity objectives.
  • Outlines specific steps, tasks, personnel requirements, financial aspects, and actions needed to implement the strategy.
  • Concrete, operational, and focuses on providing deliverables and the sequencing of the work required.
  • The domain of Project and Program Managers who are tactical, focused on delivering desired outcomes across timelines identified in the cybersecurity strategy. Rarely do you see project managers concerning themselves with strategies.

Need More Information or Help?

Give us a call and get the full benefits of an experienced CISO leading a panel of active CISOs assisting in the review and development of your cybersecurity strategy, prioritization of your security work, and enhancing your organization’s overall security posture.
