What I’ve learnt writing cyber strategies with grand scopes

As part of my new role, one of my first tasks has been to develop a cybersecurity strategy for the Health and Social Care sector. I was recently asked:

“How do you write a cybersecurity strategy for something so big and complex?”

I’ve learnt a few lessons here and in previous roles about writing strategies with immense scopes that cross organisational boundaries, and I think they apply as easily to a cyber strategy for any large organisation. Still, the size and complexity of Health and Social Care made these even more important lessons to bear in mind this time.

Don’t start from failure

The first thing is to avoid starting from the wrong place. The following questions make it much more likely you won’t succeed in changing anything of value:

  • What do we want to do?
  • What do we need to do?
  • What framework should we use?
  • What are our top risks?

These are essential questions for later in the process, but they are the wrong place to start. They come with implicit assumptions and biases that will structure your process very firmly at the beginning and will make it much harder to break out and challenge those assumptions later on.

Identify what context you are in

The first area to get to grips with is the organisational context. I’ll structure this as questions to answer, so that it applies across different organisations and scopes.

  • What does the organisation exist to do?
  • What are the organisation’s critical activities or services?
  • What is the view from the frontline staff about which aspects of security do and don’t work?
  • Who are the decision-makers who control implementation timescales, resources and scope?
  • Who are the accountable stakeholders, and what are their views, experience & knowledge?
  • How is the cyber team tasked, how is it structured, and who does it work with across the organisation?
  • How are the rest of the organisation’s risks governed?
  • How are other back-office functions (legal, finance, technology, human resources, commercial etc.) structured?
  • How are the non-cyber teams that deliver cyber outcomes structured?
  • What cyber issues are you managing now?
  • What is the reliability and scope of the data driving your understanding?
  • What is the threat you are facing?
  • What were you asked to do?

I would argue that you need the answers to these questions before you go any further.

Identify what constraints you have

Then you need to understand the constraints on your strategy. Constraints limit what is possible, but they are also the forces that push the organisation, and you, in specific directions. They can seem annoying when they present a difficulty, but they are actually key enablers: they focus your activities where you can genuinely make an impact. Some key constraint questions you need the answers to include:

  • What are the issues and problems for the organisation right now? How does that affect the capacity to do your work?
  • Are the organisation and its context truly complex?
  • What decisions are yours to make and which rely on bureaucracy or other leaders?
  • Who controls your channels of communication?
  • How many people do you have, and how many can you have?
  • Does the organisation have the skills you need?
  • How quickly can you recruit?
  • Who makes the decisions to approve job roles, and who makes the hiring decisions?
  • How much money do you have?
  • When can you spend it?
  • What is the Capital / Revenue mix?
  • Are there any sector/activity specific laws, partnership agreements or union agreements that the organisation must follow?

Identify what affordances you have

Affordances to our strategy are what provide us with a range of possibilities. Good questions to identify affordances that can be useful in implementing a cyber strategy include:

  • How many constraints are perceived rather than absolute?
  • How much of the context can you directly change in your strategy?
  • How influential is your sponsor?
  • Do you have a regulator that cares about cyber?
  • Is the organisation mission-driven?
  • Is the organisation collaborative and collegiate?
  • Does the organisation learn from failure?
  • What changes does the organisation want to make to itself?
  • What other organisational functions would be materially hurt or limited by cyber events?
  • Who wants to help (internally or externally)?
  • Do we have simplicity or scale on our side?
  • What other strategies or programmes exist with which we can collaborate?
  • What is the organisation’s relative purchasing power?
  • How attractive are we as an employer?
  • How influential in your sector is your organisation?
  • Is the sector collaborative?
  • Does your organisation work in the open?
  • How mature is the organisation’s commercial supplier management capability?

Develop the content of your strategy

Once you know your context, constraints, and affordances, you can start thinking about what you will do. Some simple rules of thumb that will improve your strategy include:

  • Find things that currently work. Do more of them or invest in making them work amazingly well.
  • Find things that don’t currently work. Don’t assume you’ll fix it; consider just stopping them or replacing them.
  • Start with foundations: use the strategy to look at the organisational levers and incentives that drive foundational practices.
  • Are you assuming failure? How much of your resource are you dedicating to recovery and response?
  • Step away from technology and risk and think about overall organisational outcomes and how they are delivered.
  • Strategy must describe movement or measurable concrete change. Anything else is just wishful thinking.

Now start thinking about the questions we put to one side earlier but in a different order and with some additions:

  1. What are our top risks? Do we trust those risk analyses? Do we trust the data they rely on?
  2. What harms/incidents/breaches have we seen in the last few years? How much underreporting do we estimate? Do we trust our incident data?
  3. What do we need to do? Why? What is the value? How will we measure success?
  4. What do we want to do? Why? How will we measure success? What is the value?
  5. What alternative delivery models exist? (Insource, outsource, automation, capability sharing, capacity building etc.).
  6. What legacy will your strategy leave behind?
  7. What framework should we use?

Be prepared to upend your draft strategy if someone challenges your assumptions and has a point. A beautifully constructed strategy is of little value if it won’t work. Take the ego hit, spend time thinking about it and respond.

And one that has been a lesson learned in several roles in my career: try not to write your strategy until you’ve had at least three months in the role and you’ve met the frontline cyber and business teams.

Valuable tools and resources for developing cyber strategies

This is where the classic blue sky thinking comes in. A lot of people swear by SWOT and PESTLE; I have found PESTLE useful, but neither has been my preferred tool so far. VMOST (Vision, Mission, Objectives, Strategies and Tactics) works, but use it as a prompt, not a prison. Identify critical themes or pillars around which to group tactics or activities. Value Chain Mapping and Wardley Mapping can help with the detail under the strategic pillars. Decision matrix analyses are helpful for me because I tend towards a more visual and data-led decision-making style; I like to use these to consider different delivery options once I understand the outcomes I want to deliver. Pre-mortems are excellent in my experience for testing strategies and plans!

Nick Hutton has a great series of blogs on winning systems in cyber that are worth a read. This quote is particularly valuable:

How can we identify a likely winning system? It’s going to have one or more high-level characteristics:

If it requires human effort, that effort will be coupled to a force multiplier.

It will have the inherent property of being able to adapt to threats.

It will operate with an assumption that failure is an inevitable state of any supposedly secure system.

Nick Hutton, https://blog.eutopian.io/forget-solving-the-cyber-security-skills-shortage/

I also strongly recommend reading Phil Venables’ blog for a whole variety of articles relevant to cyber strategy.

I enjoy Mario Platt’s blog as we share an interest in the impact of complexity on cybersecurity, heady stuff.

Implementing your strategy

  • Plan to do more stakeholder engagement than you think you need; then double it.
  • Identify whom you could educate about security in a way that would indirectly support your work.
  • Make work visible AND make delivery friction visible.
  • Encourage feedback from activities to inform future action.
  • Identify in your strategy where the data you will use to make operational decisions comes from.
  • Challenge yourself to experiment, and establish activities in the strategy that you learn from rather than ones that only solve problems.

Conclusion

Each of the questions in this blog could be a whole post on its own. Don’t think of them as simple or obvious; really interrogate the answers you have to these questions and what they mean for your strategy.