
Understanding security strategy is crucial for your career

Use this checklist before accepting an offer

👋 Good morning!

Each week I provide an in-depth response to your questions about careers, building security teams, AI security, cloud security, and anything else you need support with. Send me your questions and I’ll do my best to provide actionable advice.

Let’s dive in!

Understanding cyber security strategy is a huge benefit to any security professional and I don’t believe it’s spoken about enough.

Building a strategy is an exercise in critical thinking. Being able to write a good one will increase your value in the market. But the real unlock is being able to use it to evaluate whether a role is the best next step for you. As I’ll explain in this post, a strategy indicates the direction of a team, its priorities and the types of work you’ll be involved in if you join the mission.

I will cover:

  • Why strategy is important

  • What it consists of

  • What good looks like

  • How it helps you

But before that, you may be wondering why you should listen to me on this topic…

I’ve been fortunate enough to write and support the development and implementation of security strategies for multiple organisations, from global financial institutions to airport groups. I’ve benefited from working with these organisations over many years, watching them pursue their target states and witnessing the good, the bad and the ugly.

Why is a strategy important?

Put simply, a strategy tells you where you’re going and teams with written plans grow 30% faster (Journal of Management Studies). This is due to many factors including the improved allocation of resources. A strategic document is an effective way to tell a story and justify budget allocation, especially when the function is not money generating.

Harvard Business School stated that a staggering 95% of employees don’t understand their company’s strategy, causing high turnover, low fulfilment and poor work quality. This highlights another key benefit of a well-crafted security strategy - increasing employee buy in. A strategy can be a source of inspiration to encourage the commitment of the team in pursuit of a shared goal.

What does it consist of?

  • Where you are (current state): maturity and controls across different security domains - access control, network security, logging and monitoring, etc.

  • Where you’re going (target state): what maturity level you want to reach for each of these domains, detailing the controls, tools and people needed to get there. It must align with the overarching business strategy, address gaps from audits, testing reports and self-evaluations, and account for future technological investments.

What makes a good security strategy?

What makes cyber security unique compared to other business areas? The security threat landscape. The best strategies are threat-led to ensure an effective prioritisation of investment: essentially, investing in the areas that will contribute to the greatest risk reduction. This involves mapping security controls to threat types, evaluating maturity against these areas and seeing where the greatest gaps are. Simple, right?

Every security leader is in a battle to secure as much budget as they can, then allocate that spend to get the ‘best bang for their buck’.

Considerations:

  • Gap analysis: Following an internal or external audit, evaluate maturity across security domains and controls.

  • Context: Consider business context, i.e. what’s most critical in service of the org’s wider objectives. There are often opportunities to piggyback on larger, org-wide programmes of work.

  • Impact: Attempt to raise the floor. There’s no point having top-tier controls in one domain if you have basic, weak controls in another; attackers take the path of least resistance, so the weakest domain sets your effective security level.

  • Threat alignment: Reverse engineer common threat types for the business you’re serving e.g. widespread ransomware, malicious insiders, phishing campaigns etc.
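
To make the threat-led prioritisation above concrete, here is a small added example (my own, not code from the post or its author) that scores each security domain by its maturity gap weighted by the threats it mitigates, and then promotes any domain below a minimum maturity floor to the front of the queue. The domains, the 0-5 maturity scale, the threat weights and the threat-to-domain mapping are all constructed for illustration; the scoring model itself (gap × summed threat weight, floor override) is an assumption, not a method the post prescribes.

```python
"""Threat-led gap prioritisation: rank security domains by risk-weighted maturity gap.

Scoring model (this example's own assumption, not prescribed by the post):
  score(domain) = (target - current) * sum(weight of every threat the domain mitigates)
Domains sitting below a minimum maturity "floor" are promoted to the front
regardless of score, implementing the "raise the floor" consideration.
"""
from dataclasses import dataclass

# Hypothetical 0-5 maturity scale (0 = absent ... 5 = optimised); values are constructed.
CURRENT_STATE = {
    "identity_access": 2,
    "network": 4,
    "logging_monitoring": 1,
    "endpoint": 3,
    "backup_recovery": 2,
    "app_security": 1,
}
TARGET_STATE = {
    "identity_access": 4,
    "network": 4,
    "logging_monitoring": 4,
    "endpoint": 4,
    "backup_recovery": 4,
    "app_security": 3,
}

# Constructed threat model: relative weight (share of expected loss, summing to 100)
# and the domains whose controls mitigate each threat.
THREATS = {
    "ransomware":        (40, ["endpoint", "backup_recovery", "logging_monitoring", "identity_access"]),
    "phishing":          (35, ["identity_access", "endpoint", "logging_monitoring"]),
    "malicious_insider": (25, ["identity_access", "logging_monitoring", "app_security"]),
}


@dataclass(frozen=True)
class Priority:
    domain: str
    gap: int
    threat_weight: int
    score: int
    below_floor: bool


def domain_threat_weights(threats, domains):
    """Sum the weight of every threat each domain helps mitigate (0 if none)."""
    weights = {d: 0 for d in domains}
    for name, (weight, mitigated_by) in threats.items():
        for d in mitigated_by:
            if d not in weights:
                # A threat mapped to a domain you never assessed is a modelling error, not a zero.
                raise ValueError(f"threat {name!r} maps to unknown domain {d!r}")
            weights[d] += weight
    return weights


def prioritise(current, target, threats, floor=2):
    """Return domains ordered by investment priority.

    Below-floor domains come first (highest score first among them), then the rest
    by risk-weighted gap, descending. A domain already at or above target has gap 0.
    """
    if set(current) != set(target):
        raise ValueError("current and target states must cover the same domains")
    weights = domain_threat_weights(threats, current)
    rows = []
    for d in current:
        gap = max(0, target[d] - current[d])  # clamp: overshooting target is not a gap
        rows.append(Priority(d, gap, weights[d], gap * weights[d], current[d] < floor))
    return sorted(rows, key=lambda p: (not p.below_floor, -p.score, p.domain))


def ranking(current, target, threats, floor=2):
    """Convenience wrapper returning just the ordered domain names."""
    return [p.domain for p in prioritise(current, target, threats, floor)]


if __name__ == "__main__":
    for p in prioritise(CURRENT_STATE, TARGET_STATE, THREATS):
        flag = "  <- below floor" if p.below_floor else ""
        print(f"{p.domain:20} gap={p.gap} weight={p.threat_weight:3} score={p.score:3}{flag}")
```

With the constructed data, a pure threat-weighted ranking puts app_security near the bottom (small gap, only the insider threat maps to it), but because its maturity of 1 sits below the floor of 2 it jumps ahead of identity_access, which has a higher score but is not a glaring weak spot. Running with `floor=0` shows the ranking without that override. Network scores zero because it is already at target, which is exactly the signal a threat-led strategy wants: no further spend there until the weaker domains catch up.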

How does this help you in your career?

Firstly, you now have a basic framework for writing a security strategy. You can even apply the same logic to your specific security team and develop a mini-strategy for your service line.

Secondly, you now know what a good one looks like. This means that you can ask probing questions when interviewing for a job to better understand the organisation's priorities before accepting a job offer.

Examples:

  • You may want to work with Microsoft Azure, but the organisation is primarily AWS focused with some GCP.

  • You may want to get more cloud exposure but the organisation is mostly on-prem.

  • You may want to work on the latest and greatest advancements in the industry, but the organisation has very low maturity.

  • You may want to join a large team to build your network and increase the potential of learning, but you’ll essentially be a team of one in your domain.

Checklist of things to determine before accepting an offer:

  • Direction of travel for the security team

  • Current state and target state maturity

  • Board buy-in / investment

  • Resourcing / team size

  • Development opportunities

  • Career growth opportunities

Example questions you can ask your interviewer:

Opening line - “I’d love to learn more about the strategic direction of the team and how it impacts this role.”

  • Can you tell me about the key focus areas over the next 6-12 months?

  • What is the relationship like between security and the rest of the business?

  • Is cyber security viewed as a strategic priority by the board?

  • How big is the team I will be joining? Has this changed over the last 12 months, or are there any planned changes in the future?

  • I’m keen to make an impact in this role and continue to improve my skillset. Will there be any development opportunities?

  • Is there a culture of career progression within the team? I’d love to know any success stories of how members of the team have advanced in their career at your company.

That’s a wrap!