The 3 T’s of Cybersecurity Strategy: Tactics, Talent, and Toolsets

Cybersecurity is recognized as one of the fastest-growing technology markets globally. According to Gartner, enterprise spending on cloud security solutions is predicted to increase from $636M in 2020 to $1.63B in 2023, attaining a 26.5% compound annual growth rate (CAGR).

As cybercrime continues to increase, business and IT leaders are having to rethink traditional approaches to security. This is further complicated by an evolving global privacy landscape where laws seem to change every day.

Companies should be asking these 12 questions before adopting a cybersecurity program.

  1. Why do you need cybersecurity?
  2. What are you protecting?
  3. What is the value of what you are protecting?
  4. How should it be protected?
  5. What does winning look like?
  6. How do you build the team?
  7. How do you know what skills you need?
  8. How can you leverage your existing staff?
  9. When are third parties a good option?
  10. What tools do you need?
  11. How do you minimize technical debt?
  12. How do you avoid security “snake oil”?

To compete, leadership must incorporate cybersecurity into their corporate strategies and make sure they are managing the 3 T’s: Tactics, Talent, and Toolsets.

Tactics: Build a Plan for Success

When discussing cybersecurity strategy, leadership must start with tactics.

Many businesses buy toolsets without knowing what they need or how to use them. Remember not to put the cart before the horse.


Tactics will help you identify your plan of attack for cybersecurity.

1. Know Your Business Needs

Every business has unique needs that should inform its approach to cybersecurity.

Establishing a process for completing a Business Impact Analysis (BIA) assessment will help define mission-critical processes and systems that must be protected from compromise first.

This helps security teams use their finite resources more effectively and gain the maximum amount of protection.

2. Know Your Systems and Data

Every time a company adds a new system to their environment, they add another target for hackers.

Establishing a formal Enterprise Architecture (EA) process to create and enforce system standards will allow the information technology (IT) team to understand the capabilities of the systems they manage. The EA team should also complete a Confidentiality, Integrity, and Availability (CIA) analysis for each system, rating how much each property matters for that system.

In case of an incident, this categorization tells the team what the priority is for each system: keeping its data confidential, ensuring its data is not lost or altered, or keeping the system available.

3. Know Your Rules of Engagement

Every business needs to know the rules of engagement for their industry, including applicable laws and regulations.

  • Does your business perform work for the government?
  • Does your company work for the Department of Defense?
  • Do you work in healthcare?
  • Do you store and process personal information for your customers?
  • Are you a publicly listed company?

The list can go on and on.

To handle regulatory and legal requirements, companies should create and manage a formal Privacy Impact Analysis (PIA) process. This process identifies any system that may contain sensitive or protected information related to an individual and calls out the mandatory protections required for that data by law.

4. Build Your Plan

When building your plan, make it fluid. You can’t predict every scenario, and the evolving cybersecurity landscape requires you to adapt quickly.

Begin your plan with an assessment that focuses on:

  1. Existing protections.
  2. Missing protections.
  3. Biggest areas of risk.
  4. Competitive benchmarking for your industry.
  5. Analysis of existing cybersecurity-related costs and how likely they are to shift.

Based on the assessment, company leadership can build a cybersecurity framework that includes plans for talent and toolsets.

Talent: Proactive, Reactive, and Compliance

When strategizing talent, you must identify a Red team, a Blue team, and a Compliance team.

The size of each of the three teams varies with the size and complexity of the company and its IT infrastructure. At a minimum, each team would require three people.

In some cases, those employees wear multiple hats within the organization and may not be dedicated 100% to security.

Red Team: Proactive Experts

The Red team is a proactive group of cybersecurity experts who identify vulnerabilities in your systems. They also provide expert guidance on regulatory items and emerging threats.

Many larger organizations will build out an internal Red team, but smaller organizations will often contract with a third party. Outsourcing eliminates the staffing overhead, reducing the total budget of the program, while the organization still receives the service it needs.

Common Red Team activities include:

  • Security Assessments
  • Penetration Testing
  • Vulnerability Scanning
  • Virtual CISO (vCISO)
  • Incident Management

Blue Team: Reactive Experts

The Blue team is a reactive group of system and security experts who focus on eliminating the risks and vulnerabilities the Red team identifies.

Blue teams need to ensure they can manage security operations across the technology stack of an entire business. Oftentimes, the Blue team remediation activities are added to existing IT staff responsibilities.

This can create challenges when existing IT resources are scarce, and separate systems for testing and QA are often difficult to build organically.

Common Blue Team activities include:

  • Vulnerability Remediation
  • Proactive Patching
  • System Upgrades
  • System Standard Creation
  • Managed Change Control Processes

Compliance Team: The Auditors

The Compliance team formalizes the policies, procedures, standards, and reporting for your program.

This is a team of experts who know how to look at a business process and determine whether the protections in place are adequate and being used appropriately.

Compliance team members work with the Red and Blue teams to document formal policies and procedures for the cybersecurity program. They also act as independent auditors and serve as the accountability and validation authority for the program.

Good cybersecurity means never grading your own papers, so a trusted and thorough Compliance team is invaluable.

Common Compliance Team activities include:

  • Policy / Procedure Documentation
  • Cybersecurity Audits
  • Compliance Reporting and Escalation
  • Coordination of Third Party Audits

Outsourced Team: A Fractional Approach

Hiring three full-time teams can be costly, and many businesses do not need all of these resources in a full-time capacity to support their cybersecurity initiatives.

For example, take the minimum of three employees per team, and assume each team is made up of a Security Analyst, a Security Engineer, and a Security Architect.

The average U.S. annual salary of a Security Analyst is $69,230, a Security Engineer is $94,041, and a Security Architect is $125,649. Based on these figures, each team would cost $288,920 per year, and multiplied by three teams, the total is $886,760.

Factor in a Compliance Manager at $70,531 per year and a Chief Information Security Officer (CISO) at $166,257 per year, and your company could see a total cybersecurity expenditure of $1,123,548 per year—strictly for the talent.

By outsourcing to a third party with a fractional approach, your company can have access to the resources you need without the cost burden created by adding full-time staff.

Toolsets: Increase Efficiency and Output


A common cybersecurity mistake is buying toolsets too early in the cybersecurity journey.

Tools are important, but it is critical to define your tactics and bring on your talent before investing in tools. This approach will help you avoid unnecessary technical debt and ensure you are using your budget wisely.

At a minimum, your company should have these cybersecurity tools:

  • Vulnerability Scanning
  • Virtual Private Network (VPN)
  • Antivirus Software
  • Modern Firewalls
  • Multi-Factor Authentication (MFA)
  • Security Information and Event Management (SIEM)
  • Backup and Recovery
  • Mobile Device Management (MDM)
  • Advanced Email Filtering
  • Encryption

After addressing your basic toolset needs, engage with your Red team and Blue team to create a ranked list of the additional tools required to protect your business. This will reduce your exposure to cyber threats and lower the chance of a data breach.

Additionally, onboarding and managing any cybersecurity tools your company purchases should become a part of your corporate IT roadmap.

Develop a Cybersecurity Strategy to Fit Your Company

Not sure where to start? Don’t sweat it.

Developing a cybersecurity plan can be a daunting task in the ever-changing world of cybersecurity. Headlines emerge every week highlighting the latest hack, breach, or data leak, so it’s important to be proactive and protected.

For this reason, consulting with a team of experts makes sense for many companies.

As leaders within the cybersecurity industry, CCI Systems and its partners can help you evaluate your security program, build a roadmap for eliminating your risk, and ensure you have the resources you need to succeed.

CCI can bring you the tactics, talent, and toolsets with the services you need to protect your company without breaking the bank.

If a fractional approach is something your company may be interested in exploring, connect with our experts and start your plan today.
