So, you’ve landed a senior cyber security role in a new organisation. You’re full of excitement, but you’re also feeling a bit of apprehension. Why? Because you’re now responsible for transforming the organisation’s security posture. And your bosses have probably given you a timeframe of something like 24 months.
Those working in the security industry know that implementing transformation programmes takes time. But there are still real changes you can make within a 12 to 24-month period.
If you’re looking for guidance on where to start with a cyber security transformation programme and the four high level phases of a programme, this is the article for you. Here at ThreeTwoFour, we’ve managed a number of programmes and helped our clients make positive transformational changes to their organisations’ cyber security posture.
First off, what’s considered a cyber security transformation programme?
A cyber security transformation programme is a collection of complex security projects, ranging from standing up a new data loss prevention (DLP) capability, to improving security culture and awareness. These projects typically involve people, process, and technology. They are rarely only about installing the latest and greatest security tools.
A transformation programme must produce significant and measurable improvements. These could include improved user phishing simulation results due to increased security awareness training, and an increased number of cyber attacks detected and prevented due to improved cloud, network and endpoint security capabilities.
Before you begin with your cyber transformation programme
Before you charge ahead, it’s a good idea to get a clearer picture of the current state, as it’s not unusual for organisations to have only partial sight of their security issues. You can do this by:
- Understanding the business strategy, its challenges, and its critical systems and assets;
- Conducting a “red team” exercise (this is a form of ‘ethical hacking’ that will reveal obvious security gaps and vulnerabilities);
- Examining and refreshing existing risk and issue registers; and
- Choosing one or two security risk and control frameworks to assess against. Consider SANS, NIST, COBIT and ISO/IEC 27001.
Phase 1: Planning and ‘No-Regrets’ Activities
Once you’ve got a solid understanding of your current state, write a cyber security strategy and plan. This should articulate your recommended target position and how to get there. The strategy needs to be business-led, and it’s important to communicate security gaps to executives in terms of impacts on their business.
The strategy will likely need a few iterations, to find that balance between aspiration and deliverability.
Define success criteria that are ambitious but achievable. Trying to fix too much too fast will lead to failure. You should also consider using a mixture of waterfall and agile project methodologies.
Estimating and budgeting for such a programme deserves a separate article. But remember that implementing cyber change involves people and processes too, so ensure there is enough budget for documentation, communications, and training.
During the planning phase, you can kick off some ‘no-regrets’ activities in parallel. For example, start fixing the highest-risk issues from the red team exercise (“act like you’ve been hacked”). You’ll also want to start recruiting for key positions in your team.
Phase 2: Mobilise
So you’ve secured a budget and have executive buy-in. Now what?
This is where you should establish solid foundations and start mobilising the programme. This phase involves activities such as standing up steering committees and defining Key Performance Indicators (KPIs).
This is also where you can use ‘accelerators’ to give your programme a kick-start. For example, some governance setup activities can be fast-tracked if you have access to terms of reference and charter templates. Don’t reinvent the wheel if you don’t have to.
Phase 3: Execute
This is where the fun begins. You’ll be in the throes of product and service selections, solution design, testing, and implementation. Measuring successes along the way through KPIs will keep your project sponsors engaged. For example, a phishing awareness project could measure success by the reduction in the number of users falling for test phishing emails over a period of time. Or a Security Information and Event Management (SIEM) implementation could measure success by the number of Tactics, Techniques and Procedures (TTPs) the organisation is able to detect.
And don’t forget to execute a communications plan to build up awareness of the programme across the business. Your programme will likely experience scope changes along the way. For example, the organisation may discover new threats or uncover more issues. Because of this you must ensure that your programme has a change request process that assesses the impact on the existing projects.
Phase 4: Transition
Most technology projects install tools well, but it can all fall apart after handing over to the production teams. Production teams must receive appropriate training and documentation as part of the project. The organisation’s service transition process should also ensure that there are enough resources to support a new service.
Now that you have a high-level view of the four phases, you’ll probably want to start creating high-level project plans to give your stakeholders a view of the timelines. You’ll also need to provide budget forecasts, including CAPEX and OPEX.
If you would like to discuss how your cyber security transformation outcomes could be improved, why not contact us on +44 203 603 4733 or email us at email@example.com.