As we introduced in part 1 and part 2 of this “word crimes” series, cybersecurity terminology is important, especially when representing our profession. In this final installment, we have broadened the scope as it relates to business terminology. It is vitally important for cybersecurity professionals, including current and future leaders, to understand the nuances between common business planning terminology, such as mission, vision and strategy statements. Cybersecurity is crucial to business, and it is time that our profession speaks the same language as the business units we support. In the end, it is all about aligning cybersecurity initiatives to be in the best interests of the organization.
Why Should You Care?
The purpose of this article is to help cybersecurity leaders up their game. All too often, unprincipled cybersecurity leaders manipulate the business through Fear, Uncertainty and Doubt (FUD) to scare other technology and business leaders into supporting cybersecurity initiatives. These bad actors maintain the illusion of a strong cybersecurity program when, in reality, the cybersecurity department is an array of disjointed capabilities that lacks a unifying plan. These individuals stay in the job long enough to claim small victories, implement some cool technology, and then jump ship for larger roles in other organizations to extend their path of disorder. In these cases, a common theme is the lack of viable business planning beyond a shopping list of technologies and headcount targets that further their own career goals.

Cybersecurity is a cost center, not a revenue-generating business function. That means cybersecurity competes with every other department for budget, and it needs a compelling business case to justify the technology and staffing it requires. Business leaders are getting smarter on the topic of cybersecurity, so cybersecurity leadership needs to rise above the FUD mentality and deliver value that is commensurate with the needs of the business.

With compliance deadlines looming, such as EU GDPR and NIST 800-171, there is a strong need for cybersecurity leaders who can develop and implement strategic plans to protect systems and data in order to keep their company both secure and compliant. Implementing a cybersecurity strategic plan does not happen overnight, since it requires funding for proper staffing and resources. All of this requires a plan, and a hierarchical business plan is the logical way to operationalize the business’ requirements.
Understanding the hierarchy of business planning documentation can lead to well-informed risk decisions, which influences technology purchases, staffing resources, and management involvement. This is your opportunity to step up by designing and implementing a cohesive cybersecurity strategy that will be an asset to your company and enable you to be the cybersecurity leader that your organization needs you to be.
- Would you like to reward exceptional behavior and at the same time hold people accountable for substandard performance? Business planning goals provide quantifiable targets for both individual contributors and management to objectively gauge performance.
- Would you like to know what your priorities are for day-to-day work or initiatives? Business planning goals prioritize efforts that can help reduce confusion and focus efforts.
Some of the most-abused business planning terms are strategy, operations, and tactics. While these terms are used by organizations across the globe, they originated in military planning, where each has a distinct scope that is important to understand. Hierarchically, tactics support operations and operations support strategy.
STRATEGY > OPERATIONS > TACTICS
In a real-world scenario, look at the historical event of the Allied invasion of Normandy during the Second World War:
- Strategy. The Allies’ high-level plan in Europe was to wage a multi-pronged effort to pressure the Axis powers into an unconditional surrender. This involved the coordination of several heads of state to agree upon a combined goal.
- Operations. One of these multi-pronged efforts of the Allied strategy involved opening a new front in western Europe by landing Allied forces in France. Operation Overlord was the effort to invade France via multiple beach landings throughout Normandy in June 1944. This involved the coordination of multiple divisions and military services to deliver the appropriate personnel, equipment, and supplies at the right time and locations.
- Tactics. The actions taken by individual soldiers and small units were designed to support the larger effort of Operation Overlord. Each soldier had a role in his unit, and each unit had a role in the beach landings.
The same concept applies to businesses in every industry. The actions of individual contributors at the tactical level stack up to support broader operational goals, which in turn are designed to support a strategy that is aligned with the company’s success.
What Right Looks Like
An indicator of a well-run cybersecurity program is where staff at all levels clearly know their role in making the organization successful because the leadership implemented a mission, vision, and strategy to drive its operations. This is leadership in its purest form, since it involves providing appropriate direction and then empowering staff to make the right things happen. A picture is sometimes worth 1,000 words. The following concepts are also available as a downloadable poster you can print out as a handy reference.
Mission
- Mission statements answer the question of why your department exists. These statements are outcome-oriented and determine the what and why in a straightforward, concise manner.
- Missions are directive in nature by a higher authority to a lower authority (e.g., CIO or board of directors issues a mission to the CISO).
- The results of mission execution determine performance ratings for executive management.
- EXAMPLE: “To deliver high‐quality, innovative cybersecurity services and solutions that reduce risk across ACME.”
Vision
- Vision statements communicate the concept of what ideal conditions look like in a perfect world for the execution of the mission.
- Vision statements are meant to appeal to every staff member and should be easily understood by everyone. Quite simply, if you must explain it, it is a poorly constructed vision statement!
- This is an executive function performed by the CISO to uplift & inspire across the broader organization - internal and external to the cybersecurity department.
- EXAMPLE: “We exist to create an environment where security, collaboration and creativity are seamless. In doing so, we will unlock ACME’s unmeasurable potential to innovate at the speed of inspiration.”
Strategy
- Strategy statements are high-level actions that are coherently arranged to achieve your mission.
- The CISO establishes the big picture of how the department will accomplish its mission.
- Strategies allow for the development of a thoughtfully-constructed course of action and the establishment of realistic objectives.
- Business plans are the in-depth documents to implement a strategy through the detailed definition of objectives, resourcing needs, and assigning responsibilities.
- The results of strategy execution determine performance ratings for senior cybersecurity leadership (e.g., CISO).
- EXAMPLE: “We will drive our initiatives by influencing key stakeholders throughout ACME to enable the implementation of high‐quality, innovative cybersecurity services and solutions that reduce risk to ACME, our partners and our customers.”
Objectives
- Objectives are the short and mid-range goals that are arranged and prioritized to achieve the strategy.
- Objectives are merely the stepping stones that are needed to achieve success in accomplishing the strategy.
- Objectives can be as simple as a bullet point list that documents components necessary to achieve the strategy.
- While this list of objectives is “owned” by the CISO, the cybersecurity department heads are responsible for achieving these objectives through formulating and executing the plans for how their unique operations are conducted and resources are prioritized.
- A responsibility assignment matrix (also known as RACI diagram) is a great tool to assign stakeholder roles and responsibilities to ensure objectives are proactively managed.
- EXAMPLE: “Develop, implement and manage Continuous Monitoring (CM) capabilities to enable the timely identification and response to potential cybersecurity events.”
- EXAMPLE: “Achieve an ISMS maturity level of CMM 3 by 2019 and CMM 4 by 2021.”
Operations
- Operations are mid-level actions that directly link to strategy and objectives – they clarify how both will actually be accomplished.
- Operations transform strategy and objectives into actionable projects or initiatives that define the required resources for tactics to successfully execute.
- Operations are “owned” by department heads, and team leads are responsible for achieving these department-level objectives in how work is prioritized, resourced, and managed.
- Poor execution of operations will prevent or inhibit the successful execution of a strategy.
- The results of operations execution determine performance ratings for mid-level management (e.g., the heads of GRC, Engineering, Operations, and Incident Response).
Tactics
- Tactics are low-level actions that directly link to operations – they specify how department-level objectives will be achieved on a day-to-day basis through staff assignments, processes, and procedures.
- Tactics bring together the people, processes, & technology to successfully accomplish tasks to achieve assigned objectives.
- Poor execution of tactics will prevent or inhibit the successful execution of operations.
- The results of tactics execution determine performance ratings for individual contributors (e.g., risk analysts, engineers, architects, and forensic analysts).
While slightly off-topic from the “word crimes” concept, if you want to make a difference but are not sure where to start your planning efforts, make a pot of coffee and work through the steps below. The results will identify a path forward.
- Map out your applicable statutory, regulatory, and contractual obligations;
- Align with a leading framework of controls (e.g., ISO 27002, NIST 800-53, or NIST Cybersecurity Framework) that best fits those cybersecurity and privacy obligations for your company;
- Identify the target maturity that is right for your organization (e.g., CMM3 vs CMM4);
- Perform an honest gap assessment from your current state to your target maturity state; and
- Backwards-plan the steps needed to achieve your target maturity by identifying the necessary people, processes, and technology to make it happen.
About the Author: Tom Cornelius, CISSP, CISA, CIPP/US, CRISC, PCIP, MCITP, MBA, is the senior partner at ComplianceForge. He is a graduate of the United States Military Academy (USMA) and a former military officer, who has worked across multiple industries to help build cybersecurity programs at Fortune 500 companies. ComplianceForge is a specialty cybersecurity firm that focuses on governance, risk, compliance and privacy-related documentation. Their unique solutions help companies document their cybersecurity governance programs to comply with specialized requirements, such as NIST 800-171, FAR, and EU GDPR.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Read the full series here:
Word Crimes Part 1 – Taking on Compliance: Statutory vs Regulatory vs Contractual Compliance
Word Crimes Part 2 – Understanding Policies, Control Objectives, Standards, Guidelines & Procedures
Word Crimes Part 3 – Developing Cybersecurity Vision, Mission & Strategy Statements