In my last post, we established the first principle of cybersecurity. It is the foundation for everything we do. But how do we move from a high-level idea to the actual work of protecting an organization?

Many IT teams start by picking tools. We buy a new firewall or install endpoint protection. These are important actions, but they are often done in the wrong order. To build a strong defense, you must understand the difference between a strategy and a tactic.

Strategy vs. Tactic: What’s the difference?

If our first principle is our destination (even though in security we can never reach it; it’s a continuous journey), think of a strategy as your map while tactics are the steps you take to follow the path.

  • Strategy is a long-term plan. It defines your goals and the general path you will take to reach them. It answers the question, "What are we trying to achieve?"

  • Tactics are the specific actions you take to support the strategy. They are the tools, settings, and daily tasks. Tactics answer the question, "How will we do this right now?"

Why strategy must come first

At this point you might be saying, “Aaron, you promised me actionable guidance. Why are you on a soapbox about strategy?”

It is tempting to focus on tactics first. Tactics are visible. You can check them off a list. However, using tactics without a strategy is like building a house without a blueprint. You might end up with a great kitchen but no front door.

Here are three reasons why strategy must lead the way:

  1. It prevents "Tool Fatigue." IT teams are busy. If you buy tools based on the latest trend instead of a strategy, you end up with too many systems to manage. A strategy helps you choose only the tools you actually need.

  2. It closes the gaps. Attackers look for the gaps in your defenses. A strategy looks at the whole picture to make sure nothing is missed.

  3. It saves money and time. Changing a tactic is easy. Changing a strategy is hard. When you start with a clear plan, you spend your budget on solutions that work together for the long term.

The five strategies to pursue our security first principle

There are five strategies (the “what”) that stem from our security first principle, which is to “Reduce the probability of material impact due to a cyber event over the next three years.”

These strategies are:

  1. Prioritized cybersecurity hygiene (passive preventative controls).

  2. Threat-informed controls (preventative and detection controls which disrupt known attack patterns).

  3. Resilience (cybersecurity event detection, containment, response, and recovery).

  4. Risk forecasting.

  5. Automation.

In my next post, we’ll dig into the first strategy, prioritized cybersecurity hygiene.

Thanks for reading,

Aaron
