Building an effective cybersecurity strategy using the five D’s

By Dr. Fene Osakwe

Effectiveness and cybersecurity. These are two words you rarely find together in the same sentence. When you read about cybersecurity and see most titles, they always seem to contain words like ‘threats’, ‘breaches’ and ‘data loss’.

The purpose of this article is to demonstrate how cyber professionals and CISOs can achieve an effective cybersecurity strategy by combining or mixing various cyber defense ingredients to come up with an effective and wholistic approach to managing cyber threats.

The purpose of this article is to highlight from practical experience five ingredients you will need to combine in order to achieve an effective and wholistic approach to cyber security. I call them the five D’s.

Define your objective – Every business has its own unique objective. A clear statement of what the organization intends to achieve. In the same vein, the cybersecurity team should have its objective clearly articulated, in alignment with the overarching business objective. Your objective should answer questions like - What are we trying to achieve? What value does the organization derive from having this cyber or IT security Function and what do they stand to lose by not having a security Function? What is most critical for this business? Investment funds? Legal documents? Customer accounts? For some organizations, confidentiality is more important than availability. For some others, it’s the reverse. Your objective needs to be very specific. An objective like ‘to protect the business’ is too generic. What is the business in your context? This objective must also be agreed with executive management and senior management.

Develop your strategy and corresponding initiatives – After successfully defining your objective, the next step is to develop a strategy on how the objective will be achieved. Your security strategy should answer at least four basic questions. Firstly, how do we ensure visibility of and protect all our information assets? How do we ensure access to these assets are governed and restricted appropriately? Do we have capabilities to detect any potential or successful breach? In the event that we unfortunately suffer a breach, do we have the ability to respond and recover with minimal financial or reputational damage? This is in line with the NIST Framework for cybersecurity.

When the strategy is all done, there have to be initiatives drawn up in order to achieve each of the strategic pillars. This is what begins to drive the operational and day-to-day activities in the team. For example, one of my strategic pillars when I was Head of IT Security & CISO at IHS Towers was ‘operational resilience’, where I started driving technology and processes. This included a review of the network architecture for redundancy, having an effective Disaster Recovery (DR) plan, incident response playbook, crisis management procedure, DR testing schedule, ransomware simulation and so on. These were initiatives in line with one of my strategic objectives.

Develop your team – One of the reasons why strategy is not effectively implemented is because the human resources required to execute it are lacking in capacity. It is almost impossible to build a 200-floor skyscraper when the team in question have only developed bungalows. I always advise that after developing your security strategy and initiatives, one should conduct a thorough analysis of team skills and extrapolate if the team has the ability to successfully execute the initiatives, then identify where help is needed. Will training solve the skill gaps? Should there be a recruitment drive? Or do you simply outsource some of the initiatives that require niche skills? This leads me to my next point about partnerships.

Discover strategic partners – There is an African proverb that says if you want to go far but slowly, go alone. But if you seek to go far with speed, you go with others. This is true in cyber security today. It is important to identify strategic third-party providers with solutions ready to help achieve your strategy. For example, I worked with a multinational with operations in four continents and nearly 3,000 staff. It was practically impossible to have an in-house security operations team keeping watch 24/7. I therefore had to identify a strategic partner for security operations center activities. The reason I use the word discover is because not all partners who come knocking are the most effective. Sometimes, you need to do some research and discover for yourself what works best for you.

Deploy technology in achieving initiatives – In today’s world, you need to leverage and deploy technology in achieving specific security controls and ensuring defense in depth. This technology must be in line with your strategic initiatives in order to manage specific business risk. For example, if you are a leader in the crypto industry, one of the risks you have to manage is having an effective login and wallet protection system, especially one that does not collect personal data. An effective technology solution for this can be seen with SafeMoon’s Orbital Shield which anonymizes user data via 256-bit encryption all built into the SafeMoon product ecosystem. This means that personal information will remain secure even in the event of a breach.

SafeMoon CEO John Karony has previously said that many existing security measures in place across both traditional and decentralized finance are insufficient to deal with the cyber threats we face today.

‘Data should be anonymously decrypted and unknown other than to the customer with a virtual access key. Developers must continue breaking ground to ensure data stays in the hands of the user only’ Karony has explained.

One must remember that deploying technology without an overarching strategy is like putting the cart before the horse. Neither the cart nor the horse is the problem, the order is simply wrong. The last D therefore concerns deploying technology across the spectrum of identity, protect, detect, respond and recover.

Security professionals need to be strategic, intentional, methodical and consistent with their approach to managing cyber security risk in an age where the cyber threat continues to increase. By following the above blueprint, an effective cyber strategy can be achieved.

Bio:

Dr. Fene Osakwe is a multiple award-winning Technology professional, speaker and author. His core competence is in Cyber security, IT Governance, IT Strategy, Risk Management, and Sarbanes–Oxley implementations. Dr. Fene has consulted for several Financial Institutions, Telecoms and FinTech companies, state governments and several universities, holding over 10 internationally recognized professional IT Certifications. He has spoken at over 43 international conferences and has won several awards locally and internationally. He was recently recognized by Hiedens International Magazine as the most sought-after cybersecurity and tech governance advisor in Africa.

In 2021, Dr Fene was awarded an honorary Doctor of Business Administration (Leadership and innovation) from the Swiss School of Business Geneva for his exceptional leadership skills and continuous innovation.

In June 2022, Dr. Fene was invited into the exclusive Forbes Technology council – an invitation-only community for world-class CIOs, CTOs, and technology executives.

This article does not necessarily reflect the opinions of the editors or management of EconoTimes.