7 Rules Cyber Framework for Holistic and Effective Cyber Security

Adoption of the 7 Rules Cyber Framework enables organisations to holistically build, implement and continuously improve their cyber security programs. It helps move the focus beyond just technical controls, check-list compliance activities, and chasing the latest news story or shiny tools. Leveraging the 7 Rules Cyber framework promotes trust between business and cyber security teams by bridging the divide and improves value delivery through cyber security.

Rule 1: Develop a Business-Aligned Mindset

Cyber Security exists to enable business. After all, without the business of an organisation, there is no need for a security function. Therefore, understanding your business is the key to developing appropriate context and prioritisation for your security efforts. Effectively understanding key business processes, products and objectives is vital to building and validating the critical asset list, the crown jewels, of the organisation. These then help to scope security controls and implement proportionate and reasonable measures. Practical advice is to follow the money: understand what brings in the revenue and what constitutes the critical services for your organisation. Engaging effectively with business stakeholders will enable you to accomplish this.

The nature of the business can also help inform the relative importance of the confidentiality, integrity, and availability triad. For example, confidentiality might be a higher priority for IT and digital systems, while availability might be a greater priority for operational technology (OT) systems.

Rule 2: Recognise that Cyber Security is a Risk Management Exercise

Cyber Security is fundamentally about managing risks. Furthermore, Cyber Security is not just a technical risk; it is a business risk, and the approach to any control (technical, operational or policy) needs to clearly reflect the business risk appetite and context. The language of risk and finances is what resonates with senior business stakeholders. Developing an understanding of key assets through Rule 1 serves as input for effective risk analysis through appropriate consideration of threats and impact. The goal is to build a defensible cyber risk program and defensible decisions. Sensible adoption of cyber risk quantification techniques can also play a key role in informed decision-making.

Rule 3: Measure It

Effective metrics and measurements are key to demonstrating progress and challenges so that they can be adequately managed. However, metrics must be tailored to the right audience. Highly operational metrics, such as the number of vulnerabilities, do not resonate with boards and senior leadership. They need to be aligned to critical business applications with clarity of impact and maturity. For example, a good strategic metric could be the percentage of critical internet-facing applications that have critical patches applied in a timely manner. If such a critical application is a key payments platform, there is a material implication for cash flow, which, when quantified, can offer useful insights to leadership. An approach to good measurement should account for both leading and lagging indicators.

Rule 4: Address the Human Factor

With the majority of incidents and breaches exploiting the human factor, it is clear that cyber security is a human issue at its core. Furthermore, technology exists for and by humans. Relying on fear to influence human behaviour and embed secure practices is not an effective strategy. We need to align our cyber message and controls to aspirational aspects such as business goals and personal safety. Leveraging effective gamification, humour, and positive competition (e.g., leaderboards) can be really useful in influencing secure behaviours. It is useful to recognise that the human instinct is to resist change because change introduces the unknown. Effective engagement and change management can address this resistance and promote adoption of security controls.

Rule 5: Understand the Design and Execution of Cyber Security

Cyber Security controls need to be applied with consideration of business and technology strategies along with relevant threats and compliance obligations. Security domains such as network security, endpoint protection, identity and access management, etc. do not exist in isolation. They need to be accounted for in the overall enterprise security architecture and control framework that informs their design and applicability. Defined security architecture principles can also guide the selection and implementation of the right tools and technologies to manage risks. Factors such as clarity of sourcing and operating models (including roles and responsibilities), along with sequencing and prioritisation of initiatives, enable ongoing efficacy of security controls.

Rule 6: Master the Art of Differentiating Skills

Differentiating skills such as emotional intelligence, presenting actionable options succinctly, effective communication and storytelling play a vital role in building trust within an organisation and enabling professional excellence. Emotional intelligence is most effective when you can read the room and empathise with stakeholders regarding their concerns. Just presenting technical reports to a business audience will not get sufficient buy-in. This is where contextualising information in simple terms, with a mindset of active listening, can really help achieve the right outcome.

Rule 7: Build an Authentic Brand

Your security function should build a brand that is grounded in being a trusted advisor to the business. Ongoing effective engagement through various organisational channels and a pragmatic mindset will solidify your team’s brand. This will also help achieve executive buy-in and support for your initiatives to improve the security posture. Purposeful networking and actions to inform, educate and enable your organisation on various aspects of security considerations will put you in good stead. Ensure you celebrate and promote wins – no matter how small. Every win inspires confidence and is a step on the ongoing journey of cyber security improvement.

About the Author:

Chirag Joshi (https://www.linkedin.com/in/chiragdjoshi/)

Chirag is a seasoned cyber security executive with extensive experience building and leading cyber security and risk management programs in multiple countries across various industries. He is the Founder and Chief Executive of 7 Rules Cyber – a cyber security company focused on enabling businesses to be secure in a cost-effective and efficient manner. He has built the company on the key pillars of strategy, architecture, and culture. Chirag is the architect of the 7 Rules Cyber Framework.

He is the author of the two bestselling books – “7 Rules to Become Exceptional at Cyber Security” and “7 Rules to Influence Behaviour and Win at Cyber Security Awareness.” Chirag is featured in the prestigious CSO30 list of top 30 cyber security executives in Australia.

Chirag is a well-known keynote speaker and has presented at numerous leading international and regional conferences and forums on topics such as cyber threat landscape, cyber security strategies and architecture, cyber regulations, security culture, and the importance of human factor.

He is also a Director for the ISACA Sydney chapter and has conducted several successful cyber security education sessions for executives and non-technical audiences in industries such as financial services, energy, healthcare, government, and higher education. He has led teams and multi-million-dollar cyber transformation initiatives. He has experience in both IT and OT environments and has managed cyber security through demergers and divestments.

Chirag’s academic qualifications include a Master’s degree in Telecommunications Management and a Bachelor’s degree in Electronics and Telecommunications Engineering. He holds multiple certifications including CISA, CISM, CRISC and CDPSE.
