Building an effective cyber security strategy in today's cyber landscape (UK) | Cybaverse

As the cyber security threat landscape continues to grow, how do CTOs, CISOs and Information Security Managers present a cost-effective cyber security strategy, and what does that look like?

Cyber security strategy - a multi layered approach

Companies should focus on building a comprehensive security program that includes multiple layers of defence tailored to their organisation's specific needs.

However, this is often easier said than done with several considerations required to address cyber security, including a budget, emerging threats, and risk management.

How to build a cyber security strategy

It is important that your cyber security aligns to the organisation's goals. This will help manage risks and improve the businesses overall security posture.

Additionally, aligning cyber security to organisational goals can help to ensure that investment is in line with the overall strategic direction. In turn, building support for the cyber security program and increase its effectiveness.

Protect your assets and sensitive information

Building a cyber security budget and strategy is crucial to protecting a company's assets and sensitive information. When mapping out existing cyber security requirements, companies should focus on identifying their most valuable assets and the potential threats to those assets.

They should also assess their current security posture and identify any vulnerabilities or gaps in their defences.

What should a cyber security strategy include?

A cyber security strategy should be fit for purpose, written in plain English and easy to digest even by those who are not from a technical background.

The strategy should outline key tasks and develop policies specific to each aspect of your organisation's cyber security needs, clearly defining roles, responsibilities, and expectations and outline practices for the business to follow. For example, include requirements for data security, password practices, and patch management.

Key areas to consider

A cyber security strategy can be a highly detailed document or a top-level overview, this will depend on each organisation. Key areas to include in a cyber security strategy are:

1. Risk Assessment

Document your IT infrastructure and the types of data it collects, stores, and processes. This information provides insight into the types of security risks that the organisation needs to manage and that should be covered in the cyber security strategy. Then identify and evaluate potential threats to the organisation's systems and data.

2. Security Architecture

After identifying assets and associated threats and risks, a company can start comparing the security controls it has in place against what is needed to protect those assets. Compliance standards, frameworks, and benchmarks can be useful when evaluating security maturity.

3. Employee Awareness and Training

Understanding employees awareness level of cyber threats and ensuring there is a strategy in place to educate staff on security best practices and policies to reduce the risk of human error, the most common cause of initial compromise.

4. Access Control

A strategy should include a review of access levels, and an ongoing plan to manage who has access to sensitive data and systems. Implementing robust authentication and authorisation mechanisms, commonly implementing the principle of least privilege, meaning that a user should only have access to the specific data, resources and applications needed to complete a required task.

5. Incident Response

A cyber security strategy should include the organisation’s plan or intention to respond to security breaches and how to recover from incidents to minimise financial and reputational damage.

6. Data Backup and Recovery

Ensuring that a robust backup and recovery plan is documented to ensure the availability of critical data in the event of a disaster or compromise.

7. Compliance

Ensuring the organisation complies with relevant regulations, standards and laws such as HIPAA, PCI-DSS, and ISO 27001.

8. Continuous Monitoring and Improvement

The strategy should identify any known existing vulnerabilities and outline steps for improving security by utilising prevention and detection methods. In addition, the strategy should outline how the organisation will monitor and audit its security systems to ensure they remain up to date.

Cyber security strategy development process

You must understand your current security posture to build a robust security strategy. This includes identifying critical assets, potential vulnerabilities, and areas for improvement. Then, you can conduct a risk assessment to help you identify potential threats and prioritise your security efforts.

Knowing what you want to achieve with your security strategy is important. This could include protecting your company's intellectual property, complying with industry regulations, or maintaining business continuity. Defining your security objectives will help you prioritise your efforts and ensure that your strategy is aligned with your business goals.

Cyber security is not just the responsibility of the IT department. It's important to engage all stakeholders, including senior management, employees, and business partners, to build a security culture. Involving all relevant parties in the strategy development process will ensure that everyone is aware of the security risks and can contribute to the organisation's overall security.

A defence-in-depth approach means having multiple layers of security in place to protect against cyber threats. This includes technical measures such as firewalls, intrusion detection systems, and encryption and administrative measures such as security policies and employee training programs.

The threat landscape is constantly evolving, so monitoring your security posture and reviewing your strategy regularly and continuously is important. This includes staying up to date with the latest security technologies and best practices and regularly assessing your security posture through penetration testing and other methods.

Building a successful cyber security strategy requires a comprehensive approach covering all security aspects.

By following these key steps, you can ensure that your organisation is protected against cyber threats and can continue to operate effectively in the face of evolving cyber threats.

Cyber security budgets

Traditional budgets vs company size

Although there is no set rule for how much should be allocated, cyber security budgets often follow the below.

For small businesses, the average spend on cyber security is around 5-10% of their IT budget.

For medium-sized businesses, the average spend on cyber security is around 10-15% of their IT budget.

Large enterprises' average spending on cyber security can be as high as 20% or more of their IT budget.

However, alongside the organisation's size, available resources, level of risk acceptance, and compliance requirements are all key considerations.

Similarly, different industries, particularly those who operate in finance and banking or hold a large amount of sensitive data may allocate additional budget to allow for regularly penetration testing and other ad hoc cyber security tests.

UK  companies spend between 11.3 and 23.1% of their IT budgets on cyber security

How to develop a cyber security budget

Cybaverse believe that cyber security should not sit within an IT budget. Cyber security is the responsibility of every department and the company as a whole, and therefore should have its own budget.

Having worked in cyber security for over a decade, we've found that generally speaking, organisations can spend around £250 per employee per year on cyber security. It's a subject we're extremely passionate about and we will cover in more detail in our next blog.

Security software/programs that will need to be accounted for in a cyber security budget include

• Network and Endpoint security - firewalls, antivirus, intrusion detection and prevention systems and endpoint protection
• Identity and Access Management - solutions to secure and manage use identities such as multi-factor authentication and single sign on solutions
• Data Loss Prevention - solutions to protect sensitive data and prevent data breaches (including encryption, data masking and classification tools)
• Threat Intelligence - services and solutions to gather analyse threat information, such as threat intelligence feeds
• Incidence Response and Recovery - services to help organisations quickly responds to and recover from cyber incidents
• Training and Awareness - resources to educate employees about cyber security risks and best practices, such as regular security awareness training, phishing simulation

You will also need to factor in staffing costs for managing the cyber security in the business. This leads us on to the next question - inhouse, outsourced or hybrid?

In house, outsourced or hybrid cyber security?

Theoretically, a highly skilled and competent in-house team can deliver the best protection with more visibility and control. However, unless the company has significant resources and a mature cyber security posture, it's unlikely to be achieved short term.

So, the other option is to outsource, this can be cost-effective over hiring a team of experts, maintaining expensive software and hardware, and allowing more time to focus on the core business.

In addition, a good cyber security partner can deliver exceptional expertise and provide scalability whilst keeping your risk profile low and protecting your business from any potential threats.

UK Government guidance

The UK National Cyber Security Centre (NCSC) provides guidance to organizations and individuals on how to stay safe online.

The NCSC's top 10 cyber security points are:

1. Risk management - define security policies and procedures, implement security technologies, and regularly monitoring and testing the effectiveness of these measures.
2. Engagement and training - communicate with stakeholders about cyber security issues, identify and address security concerns, and ensure that they are involved in the risk management process.
3. Asset management - identify, classify, and track assets within your organisation's network and ensure they are protected against potential security threats. This includes both physical assets (such as laptops and servers) and digital assets (such as data and software).
4. Architecture and configuration - architecture (overall design of the network including hardware and software) should be designed to support the organisation's security goals, meet regulatory requirements, and provide a high level of protection against security threats.
5. Vulnerability management - identify, evaluate, and mitigate security vulnerabilities in your network, systems, and applications.
6. Identity and access management - processes, policies, and technologies that you use to manage digital identities and ensure that only authorised individuals have access to sensitive information and systems.
7. Data security - protect sensitive and confidential information from unauthorised access, use, disclosure, disruption, modification, or destruction. This includes protecting personal and financial information, trade secrets, and other sensitive data.
8. Logging and monitoring - the collection, analysis, and storage of data related to network activity, system events, and user behaviour. The primary purpose of logging and monitoring is to detect, respond to, and prevent security threats in real-time.
9. Incident management - detect, respond to, and resolve security incidents that occur within your IT environment.
10. Supply chain security - protection of the entire network of suppliers, service providers, and other partners involved in delivering products and services to customers. This includes protecting against threats to the integrity and confidentiality of information, as well as threats to the availability and reliability of products and services.

Read more on the government website.

Educate, Build, Enhance, Train and Maintain

The Cybaverse way – how we build cyber security strategies with our clients.

We can help develop cyber security strategies, working alongside CTOs, CISOs and Information Security Managers to help them develop a roadmap to ensure cyber security spend goes as far as possible.

We do this through a 5-step process; Educate, Build, Enhance, Train and Maintain.

1. Educate - We work with the business to exchange knowledge and ensure that we have a mutual understanding of the cyber security landscape in the organisation and what services are available to help support the business
2. Build - We build a strategy and roadmap that works long term for your business. This is often includes managing whole services, such as penetration tests, ISO 27001 (including gap analysis), when and how to bring on internal staff and ensuring that the correct software and procedures are in place to ensure maximum return
3. Enhance - We will look to enhance your current cyber security posture year on year. We work on short term projects and also long term road mapping and partnerships to ensure an organisation’s risk is managed whilst they grow‍
4. Train - We will work with your in-house team to train them on any platform or provide guidance and assurance on best practices
5. Maintain - Once we have completed our project you will have all the tactics and tools in place to effectively monitor your cyber security inline with the organisation’s goals and risk management procedures.