ABSTRACT

There are 6 major steps that should be taken for an organization to develop and maintain its Cybersecurity and Cyber Resiliency Strategy. This chapter provides an introduction and synopsis of each Step.

STEP 1: Preplanning: Preparation for Strategy Development – Identifies the critical initial steps that senior management must take, which include understanding the culture of the organization and locating the existing or planned cybersecurity and cyber resilience efforts in order to determine the degree of influencing required.

STEP 2: Strategy Project Management – Provides examples of missions/visions, principles, strategic objectives, and their corresponding initiatives for the Strategy. It also discusses tasks such as Steering Committee management, determination of corporate culture and business values, project charter creation, alignment with existing or planned strategies, development of reporting templates, the final strategy deliverable outline, and tool utilization, e.g., Responsible, Accountable, Consulted, Informed (RACI) diagrams, swim lanes, timelines, cyber risk assessment methodologies, and National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) mappings.

STEP 3: Cyber Threats, Vulnerabilities, and Intelligence Analysis – Analyzes common types of threat actors and discusses threat intelligence and threat modeling. It presents the Open Web Application Security Project (OWASP) Application Security Vulnerabilities and asset-related vulnerabilities.

STEP 4: Cyber Risks and Controls – Identifies risk methodologies to be used in evaluating strategy plan performance. It discusses the main types of controls and their correlation with typical cyber risks. A quantitative risk assessment example is presented. Cyber insurance is discussed, including a definition of risk transfer.

STEP 5: Assessing Current and Target States – Presents typical business risks and discusses a variety of methodologies for assessing the state of cybersecurity and cyber resiliency risk as well as current and target state gap analysis. It explains risk appetite and risk tolerance – their difference and importance to the organization.

STEP 6: Measuring Strategic Plan Performance and End of Year (EoY) – Discusses methods of measuring strategic plan performance: critical success factors, strategy alignment, initiative progress, assessment results, risk mitigation, Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs). It reviews the “Governance Hoops” and presents a sample governance organization hierarchy diagram. It identifies significant input types contributing to next year's “new initiatives analysis”.