Our company's name is based on our founder Chirag's books that provided thoughts, ideas and actionable advice that have helped organisations and leaders all over the world find a smarter way to be cyber secure. This thought leadership has led to the creation of the 7 Rules Cyber framework.
The 7 Rules Cyber Framework can be summarised as follows:
Rule 1: Develop a Business-Aligned Mindset
Cyber Security exists to enable business. After all, without the business of an organisation, there is no need for a security function. Therefore, understanding your business is the key to developing appropriate context and prioritisation for your security efforts. Effectively understanding key business processes, products and objectives is vital to building and validating the organisation's list of critical assets, its crown jewels. These then help to scope security controls and implement proportionate and reasonable measures. Practical advice is to follow the money: understand what brings in the revenue and what constitutes the critical services for your organisation. Engaging effectively with business stakeholders will enable you to accomplish this.
The nature of the business can also help inform the relative importance of the confidentiality, integrity and availability triad. For example, confidentiality might be a higher priority for IT and digital systems, while availability might be a greater priority for operational technology (OT) systems.
Rule 2: Recognise that Cyber Security is a Risk Management Exercise
Cyber Security is fundamentally about managing risks. Furthermore, Cyber Security is not just a technical risk; it is a business risk, and the approach to any control (technical, operational or policy) needs to clearly reflect the business risk appetite and context. The language of risk and finances is what resonates with senior business stakeholders. Developing an understanding of key assets through Rule 1 serves as input for effective risk analysis through appropriate consideration of threats and impact. The goal is to build a defensible cyber risk programme and to make defensible decisions. Sensible adoption of cyber risk quantification techniques can also play a key role in informed decision-making.
Rule 3: Measure It
Effective metrics and measurements are key to demonstrating progress and challenges and to ensuring adequate management. However, metrics must be tailored to the right audience. Highly operational metrics, such as the number of vulnerabilities, do not resonate with boards and senior leadership. They need to be aligned to critical business applications, with clarity of impact and maturity. For example, a good strategic metric could be the percentage of critical internet-facing applications that have critical patches applied in a timely manner. If such a critical application is a key payments platform, there is a material implication for cash flow which, when quantified, can offer useful insights to leadership. An approach to good measurement should account for both leading and lagging indicators.
Rule 4: Address the Human Factor
With the majority of incidents and breaches exploiting the human factor, it is clear that cyber security is a human issue at its core. Furthermore, technology exists for and by humans. Relying on fear to influence human behaviour and embed secure practices is not an effective strategy. We need to align our cyber message and controls to aspirational aspects such as business goals and personal safety. Leveraging effective gamification, humour and positive competition (e.g. leaderboards) can be really useful in influencing secure behaviours. It is useful to recognise that the human instinct is to resist change, because change introduces the unknown. Effective engagement and change management can address this resistance and promote adoption of security controls.
Rule 5: Understand the Design and Execution of Cyber Security
Cyber Security controls need to be applied with consideration of business and technology strategies, along with relevant threats and compliance obligations. Security domains such as network security, endpoint protection, identity and access management, etc. do not exist in isolation. They need to be accounted for in the overall enterprise security architecture and control framework that informs their design and applicability. Defined security architecture principles can also guide the selection and implementation of the right tools and technologies to manage risks. Factors such as clarity of sourcing and operating models (including roles and responsibilities), along with the sequencing and prioritisation of initiatives, enable the ongoing efficacy of security controls.
Rule 6: Master the Art of Differentiating Skills
Differentiating skills such as emotional intelligence, presenting actionable options succinctly, effective communication and storytelling play a vital role in building trust within an organisation and enabling professional excellence. Emotional intelligence comes into play when you can read the room and empathise with stakeholders regarding their concerns. Just presenting technical reports to a business audience will not get sufficient buy-in. This is where contextualising information in simple terms, with a mindset of active listening, can really help achieve the right outcome.
Rule 7: Build an Authentic Brand
Your security function should build a brand that is grounded in being a trusted advisor to the business. Ongoing effective engagement through various organisational channels and a pragmatic mindset will solidify your team's brand. This will also help achieve executive buy-in and support for your initiatives to improve the security posture. Purposeful networking, and actions to inform, educate and enable your organisation on various aspects of security, will stand you in good stead. Ensure you celebrate and promote wins, no matter how small. Every win inspires confidence and is a step on the ongoing journey of cyber security improvement.