The document discusses developing an effective cybersecurity strategy. It recommends first analyzing risks, constraints, adversaries and assets. The presentation then provides definitions of strategy and outlines developing a strategic framework that involves analyzing coverage across people, processes, technologies and the cybersecurity pillars of identify, protect, detect, respond and recover. It suggests communicating the final written strategy in one-page, 10-page or full document formats.

1. Be CyberSMART.
Get CyberSECURE.
Strategy: If you don’t know
where you’re going, you’ll
never get there
Don Welch, Ph.D.
CISO

2. Be CyberSMART.
Get CyberSECURE.

3. Be CyberSMART.
Get CyberSECURE.
Agenda
• Introduction
• Risk
• Strategy Basics
• IT and Business Strategy
• Strategic Analysis
• Design Framework
• Communicating the Strategy

4. Be CyberSMART.
Get CyberSECURE.
Introduction

5. Be CyberSMART.
Get CyberSECURE.
Why listen to me?

6. Be CyberSMART.
Get CyberSECURE.
Cyber Security Environment

7. Be CyberSMART.
Get CyberSECURE.

8. Be CyberSMART.
Get CyberSECURE.

9. Be CyberSMART.
Get CyberSECURE.
Foreign Intelligence

10. Be CyberSMART.
Get CyberSECURE.
Criminals

11. Be CyberSMART.
Get CyberSECURE.
Hacktivists

12. Be CyberSMART.
Get CyberSECURE.
C-Level Leaders

13. Be CyberSMART.
Get CyberSECURE.
Risk

14. Be CyberSMART.
Get CyberSECURE.

15. Be CyberSMART.
Get CyberSECURE.

16. Be CyberSMART.
Get CyberSECURE.
Strategy 101

17. Be CyberSMART.
Get CyberSECURE.
Strategy: Definition
High level plan to achieve
one or more goals under
conditions of uncertainty
• WikiPedia

18. Be CyberSMART.
Get CyberSECURE.
Strategy: Definitions
A pattern in a stream of
decisions
• Henry Mintzberg, McGill
University

19. Be CyberSMART.
Get CyberSECURE.
Strategy: Definitions
Planning and marshalling
resources for their most
efficient and effective use
• Business Dictionary

20. Be CyberSMART.
Get CyberSECURE.
Strategy: Definitions
•Plan to achieve long-term
goals
•Guide for decisions at all
levels
•Efficient and effective
resource allocation

21. Be CyberSMART.
Get CyberSECURE.

22. Be CyberSMART.
Get CyberSECURE.

23. Be CyberSMART.
Get CyberSECURE.
Asymmetry and Adversaries

24. Be CyberSMART.
Get CyberSECURE.

25. Be CyberSMART.
Get CyberSECURE.
Strategic Environment Analysis
Asset Impact Attacker Payoff Capability
Threat

26. Be CyberSMART.
Get CyberSECURE.

27. Be CyberSMART.
Get CyberSECURE.
Constraints
• Funding
• Regulations and Laws
• Staff Time and Talent
• Business Overhead
• Political Capital
• Accountability
• Calendar Time

28. Be CyberSMART.
Get CyberSECURE.

29. Be CyberSMART.
Get CyberSECURE.

30. Be CyberSMART.
Get CyberSECURE.
Coverage Matrix
People Process Technology
Identify
Protect
Detect
Respond
Recover

31. Be CyberSMART.
Get CyberSECURE.
Example Nested Matrix
Detect/Technology Near Real-Time Post Compromise
Network
Payload
Endpoint

32. Be CyberSMART.
Get CyberSECURE.
Example Nested Matrix
Protect/People Users IT Staff Security
Mandatory
Optional

33. Be CyberSMART.
Get CyberSECURE.

34. Be CyberSMART.
Get CyberSECURE.
Written Plan
•One Pager
•< 10 Pages
•Full Document

35. Be CyberSMART.
Get CyberSECURE.

36. Be CyberSMART.
Get CyberSECURE.

37. Be CyberSMART.
Get CyberSECURE.

38. Be CyberSMART.
Get CyberSECURE.

39. Be CyberSMART.
Get CyberSECURE.

40. Be CyberSMART.
Get CyberSECURE.
Information Security Strategy
Low
Moderate
High
High +
(Restricted)
Identify Protect
Watch
Respond Recover

41. Be CyberSMART.
Get CyberSECURE.

42. Be CyberSMART.
Get CyberSECURE.