Is there any tool or template out there to create and manage a Cybersecurity Strategy?
That’s a tricky question to approach with no context, but some of these comments might help. Maybe we should have a coffee and talk in more detail @CybersecurityGuard
Creating your strategy is very different to managing its delivery (and I’m assuming that by ‘manage’ you mean the implementation, not maintaining the strategy itself).
To begin with creation:
- Your strategy should be mostly unique to your organisation, its maturity, and its risks. A template might help but there is a LOT of work to populate it. A tool has great potential to force you down the wrong path.
- Basic tools can help gather information: surveys, Word/Excel, brainstorming apps, etc.
- Online resources for templates etc. are many and varied (SANS perhaps to start with)
- Strategy beyond three years is probably unrealistic
- A simple set of questions that can guide the answers you will need to form a strategy:
  - What is the cybersecurity threat environment in which you operate?
  - What is your current cybersecurity and technology maturity?
  - What critical and high risks have you already identified?
  - What is broken in your operating model and resourcing?
  - What is the purpose of this strategy (eg build a business case for funding or guide an uplift project)?
  - What does cybersecurity need to do in the next ‘n’ years to support and/or drive technology and business strategic objectives?
Ask these questions and more to business leaders, teams, the board, and industry peers. Then draft it all up and get it approved. Sounds simple but it might take months, and a business analyst is valuable in these steps.
Out of your strategy you probably want to build a more detailed implementation plan, and that’s what you probably mean by ‘manage’. Past experience shows that standing it up as a project, or as a program of smaller projects for a larger org, is effective. You will learn and adapt throughout the project: the external threat environment will evolve, suppliers will have incidents, your team’s and leadership’s views will change, and your org might shift its focus, but hopefully your plan can adapt and still meet your strategic cybersecurity objectives. Any project management tool is good at this stage. A dashboard that demonstrates progress (maturity uplift, gap closure, risk buy-down etc.) is also a useful tool here.
NoHax’s answer is a good one. So, I’ll try to answer the question in a supplementary way.
Generically speaking, your cybersecurity strategy will describe the risks you want to address, why they need to be addressed, how you’ll address them, the timeline/milestones, where geographically, and who’ll execute the strategy. You may need to specify how much ($) it’ll cost, too.
To describe the risks, I use risk modelling frameworks like SEI SERA, risk quantification frameworks like FAIR, and controls maturity frameworks like CIS Controls to provide a list or heatmap of risks to be addressed. The process is one of identifying the key/most valuable business processes that you need to protect, how they are currently protected, the insufficiency of this protection, and what needs to be done to cost-effectively protect the business processes. The FAIR method can be used to provide a $ value for return on investment, to argue that risk will be disproportionately reduced when money is spent on one or more controls. The CIS Controls will provide a robust and relatively complete list of controls to consider in terms of maturity/immaturity. In the end, the goals of the strategy have to be to reduce risk by implementing or making more mature a set of controls.
In terms of people, policies, processes and systems needed to constitute a security strategy, then NIST CSF is good. You’ll need to consider key processes like asset and identity management, threat detection and prevention, incident response and recovery. You can use it to derive a gap analysis. These processes will need to be in place in order to reach the goals of the strategy, that is, to address the risks.
You’ll need to gather lots of empirical data from within and outside the company via interviews with key people (business, data, apps, technology, security, audit, etc.). Your whole strategy and the data underpinning it should be vetted by key people to ensure that any false assumptions are eliminated.
A template I’ve used over the years for cybersecurity strategy documents is as follows:
- a summary of the drivers to be addressed, how to address them, and how the strategy aligns with frameworks, policies, etc.
- a summary of the end state (3–5 years in the future) you are aiming for
- the purpose of the entity that will realise the strategy, usually the CISO office
- the high-level aims of the strategy
- how the strategy aligns with frameworks, policies, and regulations
— Assumptions and method
- (an optional section…sometimes I’ve been asked to state the conditions under which I believe the strategy will become invalid).
— Current state
- the baseline state of whatever the strategy is about.
- the factors (internal, external, organizational, commercial, technological, etc.) acting on the current state to precipitate change.
- threats and risks to be addressed.
— Future state
- the target state of whatever the strategy is about. I think 5 years out is reasonable.
— Prioritised list of initiatives.
- you’ll also want to include a high-level roadmap to show the milestones for these initiatives. This roadmap will act as the basis for a program Gantt chart when you get to project planning.
- some statements about acting consistently with company culture, ethos, etc.
- a promise that, if the strategy is executed, goals will be reached.
Now, I’d try to keep the strategy doc concise, and you could scrunch the above sections together so that there are only maybe 5 “chapters”. The shorter and simpler the doc, the more likely it’ll be read and understood!
In terms of managing the delivery of the strategy, that is about program management. Your program will be a more specific instance of the strategy roadmap. You’ll want to decompose your list of initiatives into projects, with each project ending with something (people, policies, processes, technology) becoming operational, and derive SMART objectives for each project. A general program or project management approach from, say, the PMI, is good here.
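A worked illustration of the FAIR-style return-on-investment argument made in the second answer (risk is bought down disproportionately by spending on the right controls). This is added to the thread and is not code from either answer or from the FAIR standard: it uses point estimates rather than FAIR's ranges, and every scenario frequency, loss figure and assumed control effect is constructed.

```python
"""FAIR-style point estimate of risk used to rank candidate controls by return on
security investment (ROSI). Added illustration, not code from the original
answers; every figure below is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """FAIR: Loss Event Frequency = TEF x Vulnerability; ALE = LEF x Loss Magnitude."""
    name: str
    tef: float             # threat event frequency, events per year
    vuln: float            # probability a threat event becomes a loss event
    loss_magnitude: float  # expected $ per loss event (primary + secondary)

    def ale(self) -> float:
        return self.tef * self.vuln * self.loss_magnitude

@dataclass(frozen=True)
class Control:
    """A candidate control, its cost, and its assumed effect on the scenarios it covers."""
    name: str
    annual_cost: float
    applies_to: frozenset
    vuln_reduction: float = 0.0       # fraction by which vulnerability drops
    magnitude_reduction: float = 0.0  # fraction by which loss magnitude drops

    def apply(self, s: Scenario) -> Scenario:
        if s.name not in self.applies_to:
            return s
        return Scenario(s.name, s.tef, s.vuln * (1 - self.vuln_reduction),
                        s.loss_magnitude * (1 - self.magnitude_reduction))

def risk_buy_down(scenarios, control) -> float:
    """Annualised $ of risk the control removes across all scenarios."""
    return sum(s.ale() - control.apply(s).ale() for s in scenarios)

def rosi(scenarios, control) -> float:
    """(risk removed - cost) / cost; negative means the control costs more than it saves."""
    return (risk_buy_down(scenarios, control) - control.annual_cost) / control.annual_cost

def rank_controls(scenarios, controls):
    """Controls ordered by ROSI, best first: the order a strategy would fund them."""
    return sorted(controls, key=lambda c: rosi(scenarios, c), reverse=True)

# Constructed scenarios and controls (not real data).
SCENARIOS = [Scenario("phishing", tef=120, vuln=0.05, loss_magnitude=40_000),
             Scenario("ransomware", tef=4, vuln=0.25, loss_magnitude=900_000)]
CONTROLS = [Control("phishing-resistant MFA", 150_000, frozenset({"phishing"}), vuln_reduction=0.8),
            Control("tested offline backups", 60_000, frozenset({"ransomware"}), magnitude_reduction=0.6),
            Control("awareness training", 40_000, frozenset({"phishing"}), vuln_reduction=0.1)]
```

Calling `rank_controls(SCENARIOS, CONTROLS)` puts the $60k backup control first (about $540k of annualised risk removed, ROSI 8.0), the $150k MFA control second, and awareness training last with a negative ROSI; the same per-control buy-down figures are what a progress dashboard would plot.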