Develop Cybersecurity Policies and Plans

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe how to develop and maintain strategic cybersecurity plans.
  • Explain how to interpret and apply laws, regulations, policies, and guidance relevant to your organization’s cyber objectives.
  • Identify how to advocate for cybersecurity internally and externally.

Develop Strategic Cybersecurity Plans

Pablo Picasso famously said, “Our goals can only be reached through the vehicle of a plan. There is no other route to success.” Similarly, your first task as an executive cyber leader is to develop a strategic cybersecurity plan to set your organization on the road to cyber success. Without a plan, your organization is left guessing where to prioritize time and resources.

Threats to cybersecurity are some of the biggest obstacles to your organization in the 21st century. Hackers and other electronic criminals relentlessly pursue data and sensitive information, which leads to record levels of attacks and compromises of systems and data. Any organization that possesses a significant amount of data and lacks the level of preventative controls and staffing necessary to secure it is vulnerable. With cyberattacks becoming more frequent and sophisticated, now is the time to push for greater security awareness and budgetary support to establish your organization’s security-first mindset.

As an executive cyber leader, it’s your job to develop policies, plans, and strategies in compliance with laws, regulations, and standards in support of your organization’s cyber activities. A robust cybersecurity strategy can provide a solid security posture against malicious attacks designed to access, alter, delete, destroy, or extort an organization’s systems and sensitive data. 

Start by developing a security-first awareness strategy that shifts the organization’s mindset from reactive to proactive. As an example, prepare your organization to focus on how to prevent cyber incidents from happening rather than purely focusing on reacting after an incident. Identify threats and attack vectors before they happen using threat modeling, and design your organization’s systems to prevent such attacks. Getting out of the reactive cybersecurity loop requires organizations to reimagine their security and their strategies.

If your business doesn’t have cybersecurity policies in place, you could be leaving yourself open to cyberattacks. Cybersecurity policies outline technology and information assets that you need to protect, threats to those assets, and rules and controls for protecting them and your organization. The policies help your employees understand their role in protecting the technology and information assets of your business. 

Cybersecurity policies guide employees about the type of business information that they can share and where, the actions that are allowed or acceptable on the organization’s systems, and the handling and storage of sensitive material. These types of policies are especially critical in public companies or organizations that operate in regulated industries such as healthcare, finance, or insurance.

Your cybersecurity policies should include access management requirements such as complex passwords, multi-factor authentication (MFA), acceptable use or rules of behavior for users, email security measures, data handling procedures, and more. You also need to develop and maintain strategic plans, which govern how to put your policies into action through implementation. 

Putting time and effort into establishing policies and creating the structures for complying with secure best practices will pay off down the line. Like washing your hands during a pandemic, an ounce of prevention can make all the difference. Cyber hygiene is like personal hygiene, only for your devices, systems, and applications. You brush your teeth, wash your hair, and take care of yourself. Now it’s time to take care of the systems that you use to run your business. You must serve as your organization’s mission control. The goal is more than cybersecurity—it’s a long-term, strategic approach to cyber resilience.

Interpret Cybersecurity Laws, Regulations, Policies, and Guidance

Before you decide which direction to take, you need to be familiar with the rules that govern the journey. A host of laws and regulations directly and indirectly govern the various cybersecurity requirements for any given organization. Understanding how these laws and regulations impact your organization’s need for security will help you avoid costly lawsuits, loss of public trust and reputation, and unnecessary downtime. While legal compliance alone is not enough to make most organizations truly secure, laws and regulations can serve as a solid starting point for establishing your organization’s cybersecurity objectives.

Assessing which rules and regulations apply to your organization is no easy feat. Often, organizations need to comply with multiple frameworks and regulations, many of which have overlapping requirements. As an executive cyber leader, it’s your job to interpret and apply laws, regulations, policies, and guidance relevant to your organization’s cyber objectives.

You should keep in mind federal, state, and international laws, regulations, and guidance that may apply to your industry. You should also refer to cybersecurity frameworks, such as the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 Information Security Management standard. Though not codified in law, these standards represent best practices that you may need to comply with due to industry dynamics or partnerships.

Other examples of regulations and cybersecurity frameworks include the Center for Internet Security (CIS) Controls, and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Advocate for Cybersecurity

Now you have a solid idea of how to develop a cybersecurity strategy and what to consider when it comes to laws, regulations, and frameworks. Next, it’s time to put on the hat of a salesperson and advocate for cybersecurity. 

Change in the world of cybersecurity can be managed in a way that has a positive impact on your business, by setting priorities and modeling desired behavior. To ensure your cybersecurity program is fully integrated with your organization’s overall strategy and that it’s operationalized, you must first communicate and model its value. A strategy that lacks execution leads nowhere. To execute, you must articulate the strategy’s benefits to your stakeholders, including the organization’s board of directors (BOD), other leadership, and all your employees. Just like a spacecraft on a voyage of discovery needs direction from mission control on Earth, your organization needs you—the executive leaders and board of directors—to set objectives, maintain oversight of the big picture, and appreciate the details.

Advocate Internally

Meet Ross, an executive cybersecurity leader at a globally diversified conglomerate that designs, manufactures, and markets professional, medical, industrial, and commercial products and services. Part of Ross’s job is to set the cybersecurity strategy for the company and its various lines of business, and then to advocate for that strategy internally. 

For example, based on recent threat data, Ross believes that the top priority for his organization should be to implement MFA for network logins for all employees. He advocates this position internally to the CEO, BOD, and various technology and business leaders in order to obtain their buy-in, financial support, and the people and technology resources to execute his plan. He then communicates the benefits of MFA to company employees and implements the requirement, so that employees must use MFA for network logins moving forward.

Advocate Externally

Ross also needs to advocate his position externally to auditors, regulators, and potential business partners and customers. For example, an auditor may want to understand why Ross chose to use a certain MFA technology over another. Ross needs to be prepared to explain the costs, benefits, and reasoning behind his decision. He also needs to demonstrate that his strategy not only puts the organization in compliance with any applicable laws and regulations, but also is fundamentally more secure than its current authentication technology.

Further, Ross advocates his organization’s official position in legal and legislative proceedings. For example, a legislative body may be considering a new rule that would require businesses in the medical industry to enforce MFA for customer logins to any patient portals containing health data, and Ross’s company has a line of business that would be affected by this new legislation. He helps inform lawmakers about the costs and benefits of the proposed legislation, and works with lawmakers to come up with the best solution that both protects patients’ privacy and is feasible for businesses to implement.

Additionally, Ross advocates for his cybersecurity strategy when it comes to managing third-party service providers. For example, he ensures that any vendor contracts include a stipulation that third-party users who log in to the company’s network must use MFA to do so. 

Finally, in the event of a breach, Ross has an important role to play in advocating for the organization’s response strategy. He needs to help prepare briefs and declarations, and assist other senior leaders, customers, and regulators to understand why the breach occurred, how the cybersecurity strategy will adapt to ensure it doesn’t happen again, and what remediations the organization will put in place moving forward. 

Sum It Up

In this unit, you’ve learned more about how to develop and maintain strategic cybersecurity plans.

In the next unit, let’s dive deeper into how to acquire and manage the necessary resources to support your cybersecurity goals.
