Cybersecurity 101: Some Basic Definitions

When I started this blog series, I introduced some essential terms related to cybersecurity. In today’s installment, I would like to delve into two of these pivotal terms – Plan and Strategy.

In my capacity as a vCISO, I consistently engage in conversations aimed at clarifying the distinctions between a plan and a strategy. Though often used interchangeably, these terms, I’ll postulate, bear nuanced differences.

In fact, in the realm of cybersecurity, a failure to distinctly separate your cybersecurity strategy from your cybersecurity plan can leave you navigating the unpredictable waters of cyber uncertainty in perpetuity. To avoid this volatile state, an organization needs a good plan, a great strategy, and the know-how to differentiate between the two.

The Terms Get Confused a Lot

In the course of my extensive tenure as a security practitioner, I have consistently encountered varying interpretations of strategy and plan. That’s why, to have success in the field of information security, Step 1 is to establish the differences between a cybersecurity plan and a cybersecurity strategy. Having said that, I want to make it clear that both share common attributes and play a vital role in ensuring leadership awareness and fostering a robust security posture.

Both cybersecurity plans and strategies are logically written blueprints that address blind spots and gap closures, and both discuss differentiators such as scope, timeframe, level of detail, flexibility, and focus. As far as the frequency of updates is concerned, however, cybersecurity plans undergo revisions and adjustments based on emerging cybersecurity themes. For mature organizations, this means yearly, quarterly, or sometimes monthly reviews. On the other hand, cybersecurity strategies usually require amendments only every couple of years, unless major shifts occur in the business or threat landscape.

AI as a Disruptive Force in Cybersecurity

In 2023, we had a very palpable example of a major shift and an urgent need for revisiting both your cybersecurity plan and strategy. I’m aware I’m not making an earth-shattering revelation by mentioning that Artificial Intelligence (AI) will inevitably affect your approach to cybersecurity.

However, after recently attending a cybersecurity conference, “The Rise of AI,” hosted by my former colleague John Johnson*, and listening to thought leaders in the space such as Jeff Man, Kate Kuehn, and Shawn Anderson, I recognized the imperative to incorporate AI elements into my clients’ strategies and plans sooner rather than later. This out-of-cycle modification aimed to acknowledge and harness the accelerating influence of AI within organizations and its impact on evolving threats.

Here is what I did to safeguard the security posture of a client I was working with at that point:

  • In their Cybersecurity Plan, I created new policies regarding the use of AI.
  • We conducted several educational sessions for the organization’s leadership and Board members, focusing on why understanding the influence of AI on data and everyday work is important.
  • The Strategy documents had already acknowledged AI. However, they needed fine-tuning that specifically highlighted the influence of AI on the speed to market, quality, and quantity of emerging threats.

Closely Interconnected but Not the Same

I hope that the real-life example I provided demonstrates that a strategy and a plan are closely interrelated, but they are not the same thing. For the sake of clarity, let’s try to define these terms. In essence, a strategy is a high-level, long-term approach or method designed to achieve a specific level of maturity, making directional choices about resource allocation and the advancement of security posture. In contrast, a plan is a detailed, specific set of action steps with start and end dates, focused on accomplishing specific cybersecurity objectives derived from the overarching strategy.

Regarding flexibility, cybersecurity strategies are more adaptable and flexible. They allow for adjustments in response to changes in the external environment or shifts in organizational priorities. Plans, on the other hand, are more rigid and may need to be adjusted or revised if unforeseen circumstances arise. However, they provide a structured framework for achieving short-term goals.

Cybersecurity Strategy:

  • Focuses on the “what” and “why” of achieving goals and offers guidance on the overall approach.
  • Outlines the overall direction and purpose of cybersecurity across the organization.
  • Defines the order of priority of threat types for the organization to address.
  • Provides a framework for decision-making.

Cybersecurity Plan:

  • Focuses on the “how” of achieving specific cybersecurity objectives.
  • Outlines specific steps, tasks, personnel requirements, financial aspects, and actions needed to implement the strategy.
  • Is concrete and operational, focused on providing deliverables and on sequencing the work required.
  • Is the domain of Project and Program Managers, who are tactical and focused on delivering desired outcomes across the timelines identified in the cybersecurity strategy. Rarely do you see project managers concerning themselves with strategies.

A Real-Life Illustration from the Financial Sector

In practical terms, a cybersecurity strategy serves as a comprehensive guide that traces a far-reaching course rooted in the current state and envisioned future trajectory. It takes into account market dynamics, leadership’s risk thresholds, emerging threats, and how the fabric of cybersecurity will weave in and out across the organization based on specific priorities.

To delve into our concrete Financial Sector scenario, let’s focus on a critical aspect that a cybersecurity strategy must address: threat actors. Understanding the nature of threat actors and the risks they pose for a given industry is pivotal.

First off, your cybersecurity strategy needs to educate and inform on the known threat actors for your industry. The five typical threat actor categories are:

  • Insider,
  • Criminal,
  • Hacktivist,
  • Nation State,
  • Terrorist.

The next step is to identify in priority order which threat actors are most concerning and then address the reasons they have been deemed a concern for your specific organization. This is necessary to ensure any plans that are developed actually target the primary threat actors’ tactics.

Thus, a Credit Union or Regional Bank would need to primarily address Insider and Criminal threat actors. Less time (not zero) should be devoted to counterintelligence strategies for Hacktivist, Nation State, and Terrorist threats. The financial institution’s strategy would define and explore the characteristics and behaviors of the two primary threat actors, assess the organization’s current maturity level, and then identify the desired future-state maturity level. This step is necessary so that plans identifying the required resources, costs, and timelines can be detailed out.

The Significance of a Maturity Curve

By employing the concept of a maturity curve, an organization’s security strategy identifies the organization’s current standing and envisions where it aims to be in 1, 2, and 3 years. This cybersecurity direction should articulate how the organization will move from a reactive approach to cybersecurity to a proactive one. It should identify a vision for the organization, by category, and is intended to guide the organization over an extended period of several years.

Plans, in contrast, are more focused and operate within shorter timeframes that fit budgeting cycles. Plans outline the how: the specific actions, tasks, and milestones that need to be accomplished within a defined period, whether it be days, weeks, or months. They are detailed and specific, including tasks, timelines, resource allocations, and responsibilities. In addition, plans provide a roadmap for the implementation of the broader strategy.

At a minimum, a semi-formal step-by-step outline should exist for each of the efforts identified in the Plan. Moreover, the Plan should align with the strategic intent outlined in the Security Strategy. When the Strategy aligns with the Plans, the Board, the Executive team, senior leadership, those who control funding, and everyone in the trenches doing the work can clearly communicate and prioritize their work across the organization. In a future post, I will describe how an effective cybersecurity strategy requires both sides of your brain.

Summary

Cybersecurity Strategy:

  • What and Why: It focuses on the broader vision and direction for cybersecurity.
  • Long-Term Approach: It’s like a big picture plan, outlining where we want to go in the future.
  • Decision-Making Framework: It helps us make choices on where to allocate resources and what areas of cybersecurity need attention.
  • General Guidance: It doesn’t dive into specific details but guides the overall approach to achieving cybersecurity objectives.

Cybersecurity Plan:

  • How: It details the specific steps to achieve short-term cybersecurity goals.
  • Concrete Steps: It’s like a detailed roadmap, specifying tasks, timelines, resources, and responsibilities.
  • Short-Term Focus: It concentrates on implementing specific actions to move forward.
  • Operational: While the strategy guides, the plan puts things into action, dealing with the nitty-gritty details.

In essence, the strategy is the big vision, guiding our direction, while the plan is the detailed set of actions to make that vision a reality in the shorter term.

____________________

* Every fall, Dr. Johnson hosts a somewhat obscure regional cybersecurity conference and kids’ hacker camp, CornCon, in Davenport, IA. If you’ve never attended, you should. It’s worth the trip, even if you have to fly in and stay in the “Quad City” area (which actually comprises about 7 cities). Attending CornCon is a great opportunity if you are looking to enhance your cybersecurity knowledge, meet with security professionals, and stay current on digital resilience.

About Rich

Rich Dussliere is an accomplished cybersecurity expert who heads the Office of the CISO and vCISO services at iShift. Rich relies on his real-world experiences as a cybersecurity practitioner to help organizations address the friction points that emerge within as cyberthreats evolve and cybersecurity challenges gain visibility. His experience spans diverse sectors, including financial services, manufacturing, and healthcare. Follow Rich on LinkedIn or contact him directly at [email protected].