After having successfully mobilized its executive committee on cybersecurity, having made a realistic and concrete assessment of the situation, you had an agreement in principle to start a remediation program!
A great victory, and the beginning of a multi-year adventure!
Defining ambitions and framing governance
The cybersecurity assessment and its benchmark have enabled us to position the organization’s current level of security. What remains now is to define the target to be reached and the means necessary to achieve it. This involves working with the cybersecurity teams, the IT department and of course the executive committee sponsor! The target can take many forms, but it must in any case respond to clear and concrete business challenges:
“To have an above-average level of security overall to avoid the most frequent attacks”, “To protect the data of large public customers”, “To ensure the resumption of factory production in less than 4 days in the event of a cyber attack”, or for more mature structures “To rationalize cyber investments by saving 20% for the same level of risk”, these are just a few examples of ambitions encountered in the field.
It is at the time of this target definition that we can adopt a risk-based approach, for example with different targets between businesses or entities; a regulatory approach with different levels depending on business constraints or a global approach.
Each target will be the subject of performance or risk indicators (KPI/KRI) to specify how progress will be measured. These ambitions are then translated into a concrete positioning on a cybersecurity benchmark, by theme and by scope. The easiest way to do this is to use the results of the previous benchmark, but it is possible to use another benchmark. Be careful, however, it will be used throughout the program to monitor progress and guide the various teams and entities, so plan on a lifespan of at least 2 years! The definition of the repository and the indicators is a key step in the success of the program, so plan to devote time to it. It is best not to immediately launch a whole series of technical projects without the necessary consistency.
To manage this program, the CISO must know how to surround themselves with people. The IS (Information Security) departments rarely have the experience to carry out such a transformation and budgetary requirements at this level. A good practice is to identify an experienced program director within the organization, who is used to the workings of the organization, and who can work closely with the CISO. The skills of the two profiles will naturally complement each other, on the one hand with security expertise, and on the other with large-scale management expertise. The choice of the binomial is also an important key factor of success, do not hesitate to spend time on it!
Build budgets on clear axes and know how to commit expenses
Once the agreement in principle has been received, the next step is to clearly structure the budgetary commitment. Once again, the major challenge in the relationship with the executive committee will be to make a clear and precise proposal: Acronyms, project codes and other abstruse terms should be avoided. The structure of a simple strategy; “Protecting the digital work environment”, “Encrypting and avoiding critical data leaks”, “Detecting attacks on our key assets” are some examples of terms used successfully.
The structuring of a program should be kept to around 4 or 5 axes and to group about 30 projects maximum is something to keep in mind. Beyond that, reporting and monitoring will become too complex.
It should be noted that it will be necessary to break with the budgetary exercise obviously on the construction actions (“build”) but also on the additional operating costs (“run”) without that, the beautiful remediation will not last long… The identification also of the HR elements (number of recruitments/mobilities, trainings to be envisaged, salary evolution, evolution of the hierarchical relations in the entities or the subsidiaries…) are key elements to be created in the program to ensure its durability in time. This is clearly the right time to create a real cyber department within the organization and have it managed by a “Chief Operating Officer” like any other major department.
The preparation of these different budgetary elements will also have to consider the difficulty observed for several years now to commit the budgets obtained. The market is in dire need of cyber expertise and many projects have to be postponed. It is a good idea to take some leeway in the planning process to consider this situation, which will continue. The classic program timeline of, year 1 scoping, year 2 implementation, year 3 control, should be reviewed and instead be based on waves of smaller projects that are initiated as they come along. In short, it is better to have 5 waves of 5 projects that come to fruition than to launch 25 scopes simultaneously!
It should also be noted that these budgets and priorities will have to be reviewed annually, as the cyber threat is very dynamic, it is important to keep flexible budget lines to adapt to an unprecedented evolution of threats – as we have experienced in recent years.
Show progress to the executive committee!
Once the program has been launched, the challenge will be to show the executive committee the progress and the effects on risk levels. On a quarterly or even a semi-annual basis there are key points that need to be established: clear reporting, using simple terms that are linked to the reference system used, adding a vision on the progress of the projects and the progression of the risk level.To directly demonstrate the transition to regular reporting mode, it may be useful to add operational indicators linked to the level of security. In the long term, the challenge is to maintain an exchange with the executive committee at least every six months in order to maintain the level of attention on the cyber subject. These long-term exchanges can be structured around two annual meetings, one on risks (evolution of the threat and risks weighing on the organization), the other on investments (effects of projects, budgetary and HR issues for the following year).
Finally, the most advanced structures and those whose core business is based on digital technology can consider using their cybersecurity investments as business differentiators! Today, the cybersecurity requirements of customers, both large public and professional, are increasing rapidly. It is possible, and even desirable, to enhance the value of investments made to show that the subject of cybersecurity is a priority for the organization! For some organizations, cybersecurity may even become a profit centre, which will clearly change the discussions with the executive committee.
