A cybersecurity plan is an essential tool for any organisation that seeks to protect its customers, employees and corporate information. By defining the current and future state of a cybersecurity landscape, it provides the clarity and assurance about cybersecurity that senior executives crave. A cybersecurity plan also enables IT to communicate effectively about how cybersecurity capability is positioned within an organisation.
The first step in developing a cybersecurity roadmap is understanding where your organisation is at present, and where you’d like it to be in the future. To do this, you need to define the characteristics of your cybersecurity approach as well as its specific enabling functions.
Good cybersecurity has the following characteristics:
Security is proactive, not reactive. In many organisations, IT and security teams are purely reactive and have limited ability to plan ahead. An effective cybersecurity proactively identifies upgrades and changes. IT and security teams have more time to focus on strategic activities that support the detection and mitigation of potential threats, instead of putting out fires.
Security is unobtrusive. Cybersecurity teams exist to enable the operations of the broader organisation and allow business objectives to be achieved in a secure manner. Security that is in-your-face or over-the-top can generate obstacles, especially if it gets in the way of employees as they try to do their jobs.
Security processes are repeatable and documented. Whatever steps an organisation takes to achieve cybersecurity, they need to be repeatable – solve the problem once and then move along. This approach allows IT teams to focus on high-value work rather than fixing the same issue over and over.
There is a risk management mindset. Good security is premised on having a strong understanding of what the risks or threats are, how they will be addressed and how they can be avoided.
Get an Information Security Review and put your organisation steps ahead.
An Information Security Review is an essential first step to help you proritise your security initiatives and develop your cybersecurity plan. Skip the guesswork and get actionable recommendations from our security experts.
The first step in developing a cybersecurity roadmap is understanding where your organisation is at present, and where you’d like it to be in the future. To do this, you need to define the characteristics of your cybersecurity approach as well as its specific enabling functions. These functions include:
Risk and compliance: An effective risk and compliance or governance function will help your organisation to identify what needs to be protected and how best to go about it. To do this well you need to identify your assets, know your risks, choose your controls, agree your metrics and have the right policies in place.
Security administration: This is a fairly standard function, but nonetheless an important one. Security administration covers tasks such as adding and deleting users, managing access and conducting reviews.
Security architecture and design: This function liaises closely with the business to better understand their requirements, identify products that are needed and manage the impacts. In other words, it identifies what needs to be protected and how you will be sure it’s protected well. Early engagement with the business is key to success here.
Security operations: This function detects, identifies and responds to the workloads that come your way. The main objectives are to achieve visibility on networks, servers and endpoints, and ensure that all tools are working to deliver their intended purpose.
Before developing your roadmap it’s sensible to assess your organisation’s cybersecurity maturity. This simple activity is valuable because it helps to determine where to start strengthening cybersecurity in your organisation.
We have used a simple five-point scale, shown in the table below, which broadly aligns to the Cobit 4 Model1.
To assess your organisation’s maturity, read through the characteristics below and identify the level that best resonates with your current cybersecurity environment. If you need more guidance, you can review our list of questions for assessing cybersecurity maturity – available in the Guide to Developing a Cybersecurity Roadmap ebook.
| Maturity level | Characteristics |
| 0 – Non-existent |
|
| 1 – Immature |
|
| 2 – Doing our best |
|
| 3 – Getting there |
|
| 4 – Mature |
|
| 5 – Very mature |
|
1 0 – Non-Existent, 1 – Initial/Ad Hoc, 2 – Repeatable, 3 – Defined, 4 – Managed and Monitored, 5 – Optimised.
Your organisation may have different maturity levels for each security function. Overlaying maturity scores with security components functions in a structured framework, such as the NIST cybersecurity framework, will help to clearly identify areas for improvement.
Once you understand best practices in cybersecurity and have assessed your organisation’s maturity, you’re ready to start building your cybersecurity roadmap.
1- Identify key assets and threats
The first step in developing a cybersecurity roadmap is to identify the assets you’re protecting. What are your crown jewels? Where are they located? From what do they need protection? This step involves active consideration of the business context, combined with straightforward asset management, risk assessment and threat management processes.
2- Prioritise risks and threats
There are many ways to prioritise risks and threats, with the right approach depending on the context of your organisation. In any case, there are three questions that will help you to identify top priority risks and threats:
What are the active and current risks or threats that could hurt your organisation?
From a security perspective, what are the main concerns of senior executives?
Which risks and threats would hurt your organisation the most?
Next, identify the treatments for each risk or threat. Classify them as ‘easy wins’, ‘high cost’, ‘biggest impact’ and ‘hardest to achieve.’
Think about changes that will have the most impact on improving your maturity scores. For example, there may be more benefit investing in moving from a 0 to a 2 than from a 3 to a 5.
3- Set achievable goals
While a cybersecurity roadmap should identify all activities that you’d like to undertake, you need to identify those goals that will be truly achievable. Few people have said, “We’ll finish this identify and access management program in less than six months,” and still believed it was possible half a year later.
Start with the basics. If you don’t have policies, focus on publishing key documents – acceptable use and cybersecurity policies are a strong foundation that will drive the rest of your efforts.
Focus on high-risk areas first. This one speaks for itself, but it’s worth reiterating that you should address exposed high-risk areas as a matter of priority.
Leverage what you have. Review the tools you already have in place and identify opportunities to improve or extend their capability. Many people are surprised when you remind them that, for example, their antivirus tool can also perform intrusion detection.
Link goals to business objectives. Identify the business reason for each goal or activity. For example, management is unlikely to be convinced by “We need a new firewall.” It’s far more compelling to argue that “We need a new firewall so that staff can easily access the data they need to do their jobs.” Your communication approach is essential to securing the endorsement of senior executives.
Building a cybersecurity roadmap doesn’t have to be laborious or overly theoretical. By beginning with high-level objectives and adding details as you progress and mature, you’ll be well on your way to success. To get started developing a cybersecurity roadmap for your organisation, contact Shearwater Solutions today.
Get an Information Security Review and put your organisation steps ahead.
An Information Security Review is an essential first step to help you proritise your security initiatives and develop your cybersecurity plan. Skip the guesswork and get actionable recommendations from our security experts.