How to Create an Enduring and Flexible Cybersecurity Strategy

  • 11 March 2020

At Tessian's Human Layer Security Summit on March 5, four of Tessian's customers took part in an in-depth panel discussion about cybersecurity trends for 2020, the importance of building a positive security culture in an organization, and the impact of human error.

The panelists, Timor Ahmad from Lloyds of London, Jamie Travis from Herbert Smith Freehills, Mark Parr from HFW, and Emily Fisher from Clifford Chance, offered diverse insights. We have pulled those insights together into a mini-guide for other cybersecurity professionals.

Here are five things to consider when creating and implementing a cybersecurity strategy according to Tessian’s customers.

Cybersecurity strategies must constantly evolve

Cybersecurity strategies are long-term and take time to implement and iterate, but they must also be mutable. Why? Because, beyond the ever-evolving threat landscape, there are plenty of other internal and external factors to consider.

For example, privacy laws, regulations, compliance standards, company size, board members, budgets, and individual employees all affect an organization's security posture and should therefore influence its strategy. Even a global health crisis like the Coronavirus outbreak, which Mark Parr from HFW referenced, affects security strategy, especially as more and more organizations implement remote working policies because of it.

Yes, it is a minefield, but organizations have to consider and reconsider these moving parts and, in doing so, continually re-evaluate their strategies and frameworks to keep data, networks, devices, and people secure.

Privacy laws and regulations are top-of-mind

With the two-year anniversary of GDPR just around the corner, other nations and even individual states in America are adopting their own data privacy laws. These, of course, come on top of the rules already enforced by regulators like the FCC and the ICO.

“Cybersecurity professionals have this absolute obligation to maintain security and respond to threats appropriately, all whilst respecting privacy rights and obligations. That’s a challenge.”
Emily Fisher, Clifford Chance

The growing number of regulations is especially pertinent for organizations that handle customer or client data. And while the fines for a breach are hefty under these new compliance standards, organizations also have a lot to gain by keeping internal and external data secure: being transparent and rigorous about data protection bolsters credibility and trust.

Security can (and should) fuel overall business objectives

As data becomes more and more of an asset to protect, cybersecurity is becoming less of a siloed department and more integrated into overall business functions. Again, this is especially true for organizations that handle customer or client data.

Strong cybersecurity enables the business and has become a unique selling point in its own right.

“You have to be aligned with the business. ...You’re only going to win more work if you’re reputable. And you’re only going to be reputable if you demonstrate you have a strong information security framework.”
Mark Parr, HFW

For an industry that has historically struggled to communicate its value and the return on investment of its strategies, this is huge.

Engaging with employees about security is tough, but not impossible

With the human element still one of the biggest risk factors in data breaches, it is essential that those in cybersecurity leadership positions make a pointed effort to engage with employees and communicate risks and responsibilities.

“The biggest investment we make is giving our employees the right knowledge to be able to make the right decisions at the right time.”
Jamie Travis, Herbert Smith Freehills

Of course, anyone in a cybersecurity leadership position knows this is no easy task.

According to our panelists, though, the key is to find new ways to tell the same story. Some use gamification and positive reinforcement, while others rely on more interactive content such as videos and podcasts.

Whatever the method or medium, the most important thing is that risks and responsibilities, which the entire organization shares, are translated so that everyone, across departments and levels of seniority, can understand them.

Accountability is required company-wide

As we've said, cybersecurity is no longer siloed. That means accountability is required company-wide if policies, procedures, and technical solutions are to be effective. Encouragingly, according to our panelists, employees and even board members are becoming less passive in their cybersecurity roles.

This is a big relief for IT and security teams, especially when human error is one of the biggest threats we're up against.

Learn more

Keen to watch the full Human Layer Security Summit and see what our other guest speakers, including a hacker, had to say? Watch the video on our YouTube channel.

You can also read key takeaways from the day here.

#HumanLayerSecuritySummit20