
Cybersecurity Strategy and Architecture


Posted on by Robert Ackerman

Cybersecurity strategy and cyber architectures – an important partner in the mix – have been improving. This is crucial because they are needed to fend off ever-more sophisticated cybercriminals who are chronically enhancing their weaponry. Yet, as so often is the case in cybersecurity, they must keep upgrading. Even more worrying are the companies that have fallen dangerously behind.

Let’s start with some background basics.

A cybersecurity strategy is a comprehensive, multi-layered plan that guides an organization to protect its digital assets from cyberattacks. It goes beyond simple technical measures like installing antivirus software and instead provides a high-level roadmap that aligns with the organization’s business goals to manage risk. In short, an effective strategy shifts an organization from a reactive stance – one that responds only to threats – to a proactive stance focused on prevention, detection, and continuous improvement.  

While the majority of companies and other organizations have embraced this, far too many still have not. According to Gartner, only 60% of cyber teams adapt their strategies to the proactive stance, largely because cybersecurity leadership needs serious improvement. Too many are still so occupied by tactical challenges that they don’t take the time to engage in effective strategic planning.

Companies too slow to move to the newer proactive stance clearly have less effective security. Beyond weak cyber leadership, risk assessment and management – the foundational step of identifying all critical assets and evaluating the potential business impact of cyberattacks – is also sub-par.

Asset identification and protection are also weak: an organization cannot protect assets it does not know it has, or whose value it has not assessed. Incident response plans (IRPs) and the protections around them likewise tend to be fragile and, in many cases, non-existent. According to JumpCloud, a Colorado-based enterprise software company, almost half of companies have no IRP. No strategy can prevent every attack, but more security is almost always better than less. A solid plan includes clear procedures for detecting, containing, and recovering from security incidents, including communication plans, containment measures, and disaster recovery processes to minimize downtime and financial loss. The security architecture – the backbone of the security strategy – should also be reviewed and, where necessary, changed.

One especially noteworthy winner, if financially doable, is Zero Trust architecture, which assumes no one, whether inside or outside the network, is automatically trusted. Other major cybersecurity frameworks include the NIST Cybersecurity Framework, ISO 27001, CIS Controls, and SASE.

How did all this develop this way? Here is the explanation.

The move to digital platforms for businesses and individuals has been ongoing for a number of years, accelerated by the restrictions imposed during the COVID-19 pandemic. To offset the effect of many employees newly working from home instead of the office, businesses moved quickly to e-commerce and used automation to reduce operating costs. They also quickly pushed systems and data to the cloud, making remote working as easy as possible.

These changes fed into still more changes. They generated significant increases in network infrastructure, bringing an explosion of Wi-Fi based networks to public spaces. This move generated serious security issues. The upshot: the development of cybersecurity defenses lagged behind the new threats hackers were creating, opening the way to attacks on systems, networks and data.

Turning the page, there are two types of companies that are regularly victimized by cybercriminals -- large enterprises and small and medium-sized businesses (SMBs).

They share the same key objective -- preventing harm from activities that compromise systems and data. What differs is their level of protection and the kind of attacker motivated to target them. Understanding those differences helps tailor a cybersecurity strategy for each type of company.

Large organizations have more dedicated IT and cybersecurity teams, advanced tools for managing complex IT infrastructure and round-the-clock monitoring, and substantial budgets for technology and cybersecurity. They are more likely to be targeted by sophisticated attacks, such as supply chain attacks and nation-state-sponsored attacks.

Small businesses, on the other hand, have simpler infrastructures. Many of them instead rely on cloud services, such as Google Workspace or Microsoft 365. Without configuring these environments securely, however, they are vulnerable to attacks that exploit cloud misconfigurations. Small businesses are most commonly targeted by ransomware, phishing, or social engineering.

Businesses and organizations that don’t already have a proactive cybersecurity strategy can start to build one with just a few steps. Here they are:

+ Understand the cybersecurity landscape. Examine the types of attacks faced by an organization today. Determine which types of cyberthreats currently affect the organization most often and most severely. Then get up to speed on trends that could affect the organization down the road, including those not yet affecting businesses today.

+ Assess the company’s cybersecurity maturity. Once a company knows what it is up against, it should select a cybersecurity framework such as the federal government-created NIST Cybersecurity Framework and use it to assess the maturity of the organization in dozens of categories and subcategories. Then determine where the organization should be in the next three to five years.

+ Determine how to improve the cybersecurity program. After establishing a baseline and determining where the business wants to be going forward, figure out the cybersecurity tools and capabilities that will help it reach those goals. Each improvement will consume resources, so the company may ultimately decide to outsource some or all of its security tasks. Regardless, management also needs to tell employees why the changes are being made.

Lastly, there is always more that companies can improve beyond a purely technical security function. Also important is a focus on protecting an organization’s most critical assets. Companies and organizations should also invest as much as possible in human capital and security awareness training. Ultimately, technology is still only one part of the total solution.

Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber Capital, & Co-Founder, cyber startup foundry DataTribe

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
