Given the wildly unexpected events of 2020 and their potential lasting impact on the way we work, CISOs should consider revisiting their existing strategies now or begin to plan new ones for 2021 and beyond. At Security Risk Advisors, we often field questions about building security strategy. A well-written strategic plan can serve as a guiding light for decision making in a rapidly changing environment. Unfortunately, it is too common for CISOs and other security leaders, while intending to develop strategy, to actually develop tactical plans that are overly focused on technologies and specific outcomes, with little guidance for the decision-making process and no common plan for team members to follow. Often, the result is a program that is painted into a corner and overly reliant on tools and technologies that are not right for the job. A security strategy built the right way will be less impacted by unexpected events (like a pandemic) and will provide clear direction for how short-term tactical plans must change to continue to meet strategic goals.
How Do You Write a Strategic Plan?
There are many methodologies for writing a strategic plan, but one continually stands out to me as the most effective. In his book, Good Strategy / Bad Strategy: The Difference and Why It Matters, Richard Rumelt outlines a formulaic approach to designing a well-organized strategy that I have found incredibly useful in real world strategy development. The book is an excellent read and I highly recommend it to any leader. The basic formula is relatively straightforward and outlined below, as I have interpreted and used it.
A good strategic plan is:
- Succinct. Written in one page, maximum.
- Simply stated. Using plain language that does not reference specific technologies or platforms.
- Structured. Broken into three sections, each of which should be 2-5 sentences maximum.
Section 1. Diagnosis: Acknowledge the challenges at hand.
What is the current state? What threats and opportunities do you foresee, and how do they tie to the overall mission of the group (be it company, department, or team)?
Section 2. Guiding Policy: The high-level visions for how you will overcome the diagnosis and challenges at hand.
Guiding policies will often involve tradeoffs, prioritizing desired outcomes and informing when it is OK to focus on one thing vs. another.
Section 3. Coherent Actions: Specific actions that directly support the Guiding Policy vision.
This is the most important part, but be careful that it doesn’t become your tactical plan. Avoid all direct technology references and focus on providing tangible direction to your team on how to achieve the guiding policies.
Tips for Security Strategy Writing
- Educate yourself on company and IT goals and confirm that your strategy is aligned to business objectives.
- Brainstorm. Get out all your ideas. Initially, I am able to write double or triple the maximum for each section. Subsequent analysis and restructuring allow me to clarify and condense my message, eliminating jargon, fluff, and duplication.
- Vet it with your peers and anticipate resistance. Get ahead of their objections. Have them read and challenge it with hypothetical scenarios. I find it useful to provide the formula as a guidepost, so my peers understand all the pitfalls I’m trying to avoid. Chances are, they don’t know how to write good strategy (yet).
Putting It to Good Use
- A good strategy, once complete, should be shared with and commonly understood by everyone involved and impacted by it, including key stakeholders in the organization.
- When debating technical solutions, long term commitments, or other key decisions, the strategy should be on the table, considered, and followed. If it is not followed, that generally means the strategy was incorrect or shortsighted and needs to be updated.
- On an annual basis, at minimum, revisit and revise existing strategy. I find that by following the formula, in addition to being quick and easily understood, strategy can be continuously wordsmithed and improved.
- Cascade strategy writing throughout your organization. It would be entirely feasible to set an overarching strategy with your team and then have each of your leads author their own team strategy that both aligns with the overarching strategy and serves as a more focused strategy for each of their teams to follow.
As referenced in Good Strategy / Bad Strategy: The Difference and Why It Matters by Richard Rumelt and observed in real life, few people take the time to sit down and actually write a strategic plan and even fewer approach it the right way. A strategy document, when written correctly, can be an incredibly useful guidepost in decision making and empower teams to think about their long-term plans and goals.
Example Security Strategy
While strategies can exist for the entire security program or individual teams, for the purpose of this article we will focus on developing a strategy to combat ransomware in the healthcare industry, a top risk of many hospitals today. Focus less on the content than on the execution in this example!
Ransomware is the top risk faced by healthcare providers today, based on both the catastrophic and life-threatening impact, as well as the prevalence of the threat due to the lucrative payouts claimed by attackers. 2020 saw yet another increase in hospital ransomware attacks, the first documented death as a result of ransomware, and an increased overall risk due to the pandemic’s effect of shifting workers to remote work. The cybersecurity organization’s mission is to enable the organization to provide top quality clinical care without interruption, and as such, cybersecurity needs to set ransomware resilience as its top priority, with a focus on prevention, detection, and response in the event of an incident.
As a guiding policy for the cybersecurity organization, in 2021 we will allocate at least 50% of the cybersecurity team’s available project time to improve our resiliency to ransomware threats. We will allocate time equally across enhancing our prevention, detection, and response capabilities. Our progress will be tracked and updated monthly, using an Objectives and Key Results (OKR) methodology to ensure transparency across the team and clarity in reporting to leadership.
The specific actions we will take to achieve this will be:
- Conduct a ransomware focused attack simulation purple team event in February 2021 to establish a baseline of our current prevention and detection capabilities, including a quantitative result to establish a comparable metric for future use. Mitigate at least 50% of the findings from this test during 2021.
- Hold a workshop with security leadership across Security Operations, GRC, Identity and Access Management, Threat and Vulnerability Management, and Network Security to identify opportunities in each area to improve our overall resiliency to ransomware threats. Identified opportunities will be tracked and added to the security team’s OKRs for 2021.
- Have an external organization conduct a technical assessment of our domain controllers, workstations, and servers to look for vulnerabilities and configurations that could lead to increased risk of compromise.
- Establish a monthly process with the Windows team to review, assess, and implement Windows Server and Desktop hardening best practices from Microsoft, CIS, and other key sources.
- Develop a written summary of high-risk configurations and weaknesses, with remediation recommendations and prioritization, for those findings that are outside the sphere of control of the security team. Review this summary with the CIO and other key IT leadership.
- Conduct an EDR hardening assessment to identify any configurations or tuning that can be enhanced to improve prevention and detection of ransomware related threats.
- Establish a process to consume ransomware related threat intelligence within 24 hours of creation and turn it into actionable alerts in our SIEM, EDR, and DNS security tools.
- Identify and mitigate any open file shares or any file shares that only require domain credentials.
- Acquire, implement, and test tooling to allow for file share-based ransomware activity detection, rollback, and response to allow immediate recovery if file share based data is encrypted.
- Require all privileged domain accounts to employ best practices for all activity, including MFA, pass-through credentials, and password resets upon each use. No exceptions will be permitted.
- Develop a network segmentation strategic plan to begin segmentation of different computing types (data center, workstations, medical devices, printers, IoT, labs, etc.).
- Develop the plan in conjunction with IT leadership and establish a timeline for implementation in under 3 years.
- Request updated business impact analyses be performed and provided to IT and cyber security from at least the 5 largest revenue driving departments at the organization.
- Conduct at least 2 tabletop exercises focused on ransomware, one focused on IT and Security technical recovery, and one focused on executive leadership breach response.
- Present OKR results to the CIO on a quarterly basis and at least annually to the Board of Directors.
- Conduct a follow-up ransomware-focused attack simulation purple team event by February 2022 to obtain comparable results and demonstrate progress since the initial test.