The 3 T’s of Cybersecurity Strategy: Tactics, Talent, and Toolsets
Cybersecurity is recognized as one of the fastest-growing technology markets globally. According to Fortune Business Insights, “The global cyber security market size is projected to grow from $172.32 billion in 2023 to $424.97 billion in 2030, at a CAGR of 13.8%.”
As cybercrime continues to increase, business and IT leaders are having to rethink traditional approaches to security. This is further complicated by an evolving global privacy landscape where laws seem to change every day.
Companies should be asking these 12 questions before adopting cybersecurity.
- Why do you need cybersecurity?
- What are you protecting?
- What is the value of what you are protecting?
- How should it be protected?
- What does winning look like?
- How do you build the team?
- How do you know what skills you need?
- How can you leverage your existing staff?
- When are third parties a good option?
- What tools do you need?
- How do you minimize technical debt?
- How to avoid security “snake oil”?
To compete, leadership must incorporate cybersecurity into their corporate strategies and make sure they are managing the 3 T’s: Tactics, Talent, and Toolsets.
1. Tactics: Build a Plan for Success
When discussing cybersecurity strategy, leadership must start with tactics.
Many businesses buy toolsets without knowing how to use them or knowing what they need. Tactics and planning will help you identify your cybersecurity needs and create a plan.
Know Your Business Needs
Every business has unique needs that should inform its approach to cybersecurity.
Establishing a process for completing a Business Impact Analysis (BIA) assessment will help define mission-critical processes and systems that must be protected from compromise first. This helps security teams use their finite resources more effectively and gain the maximum amount of protection.
Know Your Systems and Data
Every time a company adds a new system to their environment, they add another target for hackers.
Establishing a formal Enterprise Architecture (EA) process to create and enforce system standards will allow the Information Technology (IT) team to understand the capabilities of the systems they manage. The EA team should also complete a Confidentiality, Integrity, or Availability analysis for each system.
In case of an incident, this categorization tells the team what the priority is. The EA will help keep data secure, ensure data is not lost, or keep systems available.
Know Your Rules of Engagement
Every business needs to know the rules of engagement for their industry, including applicable laws and regulations.
Does your business perform work for the government?
Does your company work for the Department of Defense?
Do you work in healthcare?
Do you store and process personal information for your customers?
Are you a publicly listed company?
The list can go on and on.
To handle regulatory and legal requirements, companies should create and manage a formal Privacy Impact Analysis (PIA) process. This process identifies any system that may contain sensitive or protected information related to an individual and calls out the mandatory protections required for that data by law.
Build Your Plan
Begin your plan with an assessment that focuses on:
- Existing protections.
- Missing protections.
- Biggest areas of risk.
- Competitive benchmarking for your industry.
- Analysis of existing cybersecurity-related costs and how likely they are to shift.
Based on the assessment, company leadership can build a cybersecurity framework that includes plans for talent and toolsets.
2. Talent: Proactive, Reactive, and Compliance
When strategizing talent, you must identify a Red team, a Blue team, and a Compliance team.
Of the three groups, team size is variable, depending on the size and complexity of the company and its IT infrastructure. At a minimum, each team would require three people. In some cases, those employees wear multiple hats within the organization and may not be dedicated 100% to security.
Red Team: Proactive Experts
The Red Team is a proactive group of cybersecurity experts that identify vulnerabilities in your systems. Plus, they also provide expert guidance on regulatory items and emerging threats.
Many larger organizations will build out an internal Red Team, but smaller organizations will often contract with a third party. Outsourcing will eliminate the staffing overhead, thereby reducing the total budget of the project, while still receiving the service they need.
Common Red Team activities include:
- Security Assessments
- Penetration Testing
- Vulnerability Scanning
- V-CISO
- Incident Management
Blue Team: Reactive Experts
The Blue Team is a reactive group of system and security experts that focus on eliminating the risks and vulnerabilities the Red Team identifies. Blue teams need to ensure they can manage security operations across the technology stack of an entire business. Often, Blue Team remediation activities are added to existing IT staff responsibilities.
This can create challenges when existing IT resources are scarce, and systems for testing and QA are often difficult to build organically.
Common Blue Team activities include:
- Vulnerability Remediation
- Proactive Patching
- System Upgrades
- System Standard Creation
- Managed Change Control Processes
Compliance Team: The Auditors
The Compliance Team formalizes the policies, procedures, standards, and reporting for your program.
This is a team of experts that know how to look at a business process and determine if the protections in place are adequate and being used appropriately. The Compliance Team resources work with the Red and Blue Teams to document formal policies and procedures for cybersecurity programs. They are also used as independent auditors and serve as an accountability and validation authority for the cyber program.
Good cybersecurity means never grading your own papers, so a trusted and thorough Compliance Team is invaluable.
Common Compliance Team activities include:
- Policy / Procedure Documentation
- Cybersecurity Audits
- Compliance Reporting and Escalation
- Coordination of Third Party Audits
Outsourced Team: A Fractional Approach
Hiring three full-time teams can be costly, and many businesses do not need all of these resources in a full-time capacity to support their cybersecurity initiatives. For example, take the minimum of three employees per team, and let’s assume this team is made up of a Security Analyst, Security Engineer, and Security Architect.
The average U.S. annual salary of a Security Analyst is $69,230* per year, a Security Engineer is $94,041* per year, and Security Architect is $125,649* per year. Based on these figures, each team would be $288,920* per year, and multiplied by three, totals $886,760.
Factor in a Compliance Manager at $70,531* per year, and Chief Information Security Officer (CISO) at $166,257* per year, and your company could see a total cybersecurity expenditure of $1,123,548* per year—strictly for the talent. (*All figures are generalized dollar amounts.)
By outsourcing to a third party with a fractional approach, your company can have access to the resources you need without the cost burden created by adding full-time staff.
3. Toolsets: Increase Efficiency and Output
A common cybersecurity mistake is buying toolsets too early in the cybersecurity journey. Tools are important but it is critical to define tactics and bring on your talent before investing in tools. This approach will helps avoid unnecessary technical debt and ensure your budget is being used wisely.
At a minimum, your company should have these cybersecurity tools:
- Vulnerability Scanning
- Virtual Private Network (VPN)
- Antivirus Software
- Modern Firewalls
- Multi-Factor Authentication (MFA)
- Security Information and Event Monitoring (SIEM)
- Backup and Recovery
- Mobile Device Management (MDM)
- Advanced Email Filtering
- Encryption
After addressing your basic toolset needs, engage with your Red team and Blue team to create a ranked list of additional tools required to protect your business. This will reduce your risk of cyber threats and mitigate the chance of a data breach.
Additionally, onboarding and managing any cybersecurity tools your company purchases should become a part of your Corporate IT roadmap.
Develop a Cybersecurity Strategy to Fit Your Company
Not sure where to start? Don’t sweat it.
Developing a cybersecurity plan can be a daunting task in the ever-changing world of cybersecurity. Headlines emerge every week from media outlets highlighting the latest hack, breach, or data leak. So, it’s important to be proactive and protected. Consulting with a team of experts makes sense for many companies.
As leaders within the cybersecurity industry, Guide Star and its partners can help you evaluate your security program, build a roadmap for eliminating your risk, and ensure you have the resources you need to succeed.
Guide Star can bring you the tactics, talent, and toolsets with the services you need to protect your company without breaking the bank.
If a fractional approach is something your company may be interested in exploring, connect with our experts and start your plan today.
We’re Here to Help
Ask the Experts