Cyber Risk Advisory

A strategy for cybersecurity strategy


John Hellickson

Field CISO, Coalfire


Let's start with an assumption: having a cybersecurity strategy is best practice. So what makes a good cybersecurity strategy? You'd be surprised how much the answer varies across the security industry, even among seasoned CISOs of Fortune 500 companies.

I've been fascinated with, and practicing in, the topic of cybersecurity strategy for more than a decade. During this time I've seen some good strategies, but I've also seen many that were quite embarrassing. Is this the fault of the CISO or security leader? Not necessarily. The one consistent theme many CISOs have struggled with is developing a business-aligned security strategy, for many understandable reasons. I particularly struggled when I became the Global CISO of a 400-person security program, and I wished I had a better grasp of, and a more solid approach to, cyber strategy at the time.

We as an industry have focused primarily on the nuts and bolts of security programs, from compliance and security frameworks to industry best practices and technology solutions, and have used those as the basis for our cybersecurity strategies. However, the industry has not done a great job of moving beyond security frameworks to develop strategies that are truly aligned with our businesses.

The purpose of this blog post is to spur some thought on how we can elevate the effectiveness of cybersecurity strategies. It is the first of several posts over the next few weeks, each tackling a different element of what makes a more advanced and compelling business-aligned strategy.

/* Sales Pitch Warning: Here at Coalfire, we recently brought together a team of former CISOs and industry experts in various topics of information security, along with the input of dozens of CISOs, to solve the problem of developing business-aligned security strategies. We call the outcome of this effort Strategy+. End Sales Pitch */

I have already mentioned a few challenges with the industry's general approach to cybersecurity strategy, and I could make a long list of additional ones that security leaders run into, not to mention how security service providers add to that list. The process of strategy development itself should also be considered when putting together your overall security plan; I will dedicate a post to that topic in the coming weeks.

More than 80% of the cyber program strategies we've seen were centered on a specific framework, perhaps with a category or two added to cover the areas where frameworks fall short when used as the foundation of a strategy, such as strategic and budget planning or leadership. Similarly, most products that focus on strategic risk management do the same thing: they bolt a few categories onto the top of an existing controls-based framework.

We believe in a completely different approach, one that is specific to strategy. Essentially, additional lenses should be applied when looking at the different areas of an overall cybersecurity program: dimensions that allow you to take off the technical-controls hat most CISOs are so comfortable in and reassess the complete set of controls from a business-value perspective. It doesn't matter whether an organization has the best set of controls if those controls impede business growth or fail to retain profitable customers.

Ultimately, it's time for security leaders across the industry to build on their controls-based programs (what we call 'Controls Discipline') by applying two additional dimensions, 'Business Alignment' and 'Performance Management'. Controls Discipline is the one dimension where most security programs already excel, as it has been the lifeblood of security practitioners for decades. By adding the other two dimensions, cybersecurity professionals can pinpoint where the gap is when it comes to doing the right things right, at the right times, with the desired outcomes.

The next post will explore in more detail the application of a 'Controls Discipline' lens to a cybersecurity program strategy. In the meantime, it would be great to hear from you about strategy-development approaches you've found useful. Please send your thoughts to me on LinkedIn or via email at