Creating a Cybersecurity Strategy for Higher Education

Cyberattacks on higher education are increasingly frequent and damaging. Meeting the challenge requires strategic thinking, and that strategy must come from cybersecurity-specific strategic thinking rather than from an IT or business planning template.

Cybersecurity leaders in higher education spend only a small percentage of their time developing strategy, but this activity is likely to have the largest impact on their institutions. Having a strategy that evolves to adapt to a changing environment can make a good security team into a great one. A well-thought-out strategy empowers the institution to act in alignment with itself, efficiently moving toward common goals.

Most of us don't know how to create an effective cybersecurity strategy. I certainly didn't. After many years of trying to fit cybersecurity strategy (square peg) into either an IT strategy or a business strategy approach (round holes), I realized that cybersecurity differs enough from both IT strategy and business strategy that the traditional approach won't work.

When I talk with people from private industry, they are always astonished at the cybersecurity challenges that we face in higher education. Generally, they don't realize that we face nation-state actors and that colleges and universities are essentially small cities with almost every kind of critical and sensitive data there is. Mixing in higher education's core values of autonomy, privacy, and experimentation presents significant challenges in cybersecurity.

The first step in facing these challenges is developing and executing a workable strategy. Many approaches that people call strategies really are not. These include "risk-based security programs" or even "risk-based strategies." Risk is just one component of a strategy. Focusing only on risk leads to tactical decisions. Other components include increased regulation and compliance standards. Meeting regulatory and compliance requirements should be a strategic goal, but again, this should not be the strategy itself.

Strategy Definitions

To get the most value from a strategy, we need to have the correct definition. Strategy started as a military term in the eighteenth century but has been in use as a concept since organized warfare began. Generally, strategy involves allocating a nation-state's resources toward winning a war as opposed to winning a battle. In the late twentieth century, business began to adopt the term. Even though the environments are vastly different (of course), the concept does translate well to the business environment.

Below are three common definitions of strategy from a business perspective. Though all three are valid, they all are also incomplete. Therefore, I'll combine them into a single definition that best fits cybersecurity. First, the most-recent Wikipedia definition of strategy is: "A high-level plan to achieve one or more goals under conditions of uncertainty." 1 This is a good start. Cybersecurity is the poster child for conditions of uncertainty. However, we need more from a strategy. Second, Henry Mintzberg calls strategy "a pattern in a stream of decisions." 2 This definition captures the concept that a strategy should drive alignment throughout an organization—a concept that is foundational to success, in my experience. Third, Business Dictionary defines strategy as "planning and marshalling resources for their most efficient and effective use." 3 This idea of allocation or prioritization of resources is a critical component. Thus, I combine all three of these and define strategy as follows: "A long-term plan that allocates resources and sets a framework for decision-making to achieve long-term goals under conditions of uncertainty."

Business Strategy

Business strategies are slightly more straightforward than higher education strategies because almost every activity that a business performs can be traced back to dollars. An activity is either a cost or a revenue, and businesses aim to maximize profits. Colleges and universities are different. They must have more revenue than expenses, but in higher education, surplus dollars do not necessarily mean that an institution is performing better. The definition of success is stakeholder value, making the success of a college or university much more difficult to track.

Michael Treacy and Fred Wiersema talk about three types of business strategy: customer intimacy; product leadership; and operational excellence. 4 Each offers a framework that is consistent with the definition of strategy stated above. Businesses executing a customer intimacy strategy focus their resources on the customer experience. Nordstrom was famous for this approach; a resurgence of this line of thought is evident in retail today. To compete with online shopping, many retail companies are focusing on a customer experience that online sellers can't provide. Second, businesses that execute a product leadership strategy are providing a product or service that is better for some segment of the market than that of any competitor. Apple under Steve Jobs is an example. Apple invested a great deal into R&D, and accounts of Jobs's attention to detail and the focus of the Apple design teams illustrate the company's slavish devotion to this strategy. As a result, those who believe the iPhone is the best smartphone will pay a premium. Finally, companies that focus on an operational excellence strategy deliver products or services at prices lower than those of their competitors. Walmart is a classic example.

If you squint your eyes, you might be able to see how a cybersecurity strategy could be devised to fit one of these patterns. But doing so would not be intuitive.

IT Strategy

The Wikipedia definition of information technology (IT) strategy is: "the overall plan which consists of objectives, principles and tactics relating to the use of technologies within a particular organization." TechTarget states that IT strategy is a "comprehensive plan that outlines how technology should be used to meet IT and business goals." 5 The main concept to note is that IT strategy is not adversarial or competitive per se. In business strategy, by contrast, companies are striving to succeed over competitors. IT strategy must support the company strategies and deliver what the company needs.

Many IT strategies are simply tactical checklists of best practices. This represents an operational efficiency approach. IT strategies generally involve the prioritization of resources both within the organization and within the IT department. The long-term goals usually fall into two categories: those that enable a business goal, and those that free resources for business efforts. For example, a retail business may have a customer intimacy strategy. To execute this strategy, it may choose to collect and analyze data. The company may decide to increase the investment in information technology in order to increase the delivery and quality of information as a business goal. An example of a strategy to free resources would be IT consolidation that might trade a decrease in responsiveness for resources that can be spent elsewhere.

Risk must be part of the IT strategy. Risks include obvious ones such as the loss of systems and data that disaster recovery and business continuity planning are meant to address. Risk management involves determining how much risk the business can tolerate versus the costs required to address those risks. Availability is also a central tenet of cybersecurity. Confidentiality, integrity, and availability risks are the core of cybersecurity, so this is the obvious place where the IT strategy and the cybersecurity strategy overlap and must be aligned. However, making the cybersecurity strategy part of the IT strategy is a mistake. The two functions are too different to be fully integrated.

Strategic Analysis

Strategic analysis in business is usually organized into strengths, weaknesses, opportunities, and threats—aka SWOT analysis. SWOT analysis will work for cybersecurity, but it feels forced to me. There are three characteristics of cybersecurity that suggest a different approach. First, cybersecurity will always be a function of the organization's strategy. Second, cybersecurity is reactive and not proactive. Finally, cybersecurity is asymmetrical.

Cybersecurity will always be a function of the organization's strategy. The purpose of cybersecurity is to protect the information assets of the organization. An organization owns information assets so that it can accomplish its mission and gain an advantage over its competitors. According to Bill Stewart and his co-authors, two questions are the key to developing a strategy: (1) "How does cybersecurity enable the business?" and (2) "How does cyber risk affect the business?" 6 As with IT strategy, a standalone cybersecurity strategy would not make sense. The accusation "security for security's sake" would ring true. A cybersecurity strategy must complement the overall strategy as well as the IT strategy.

Cybersecurity is reactive and not proactive. Many experts have encouraged us to think proactively about cybersecurity and have called their strategic approaches proactive. Maybe it's semantics, but for me there is a difference between acting proactively in a tactical sense and having a proactive strategy. We can't seek out bad guys and arrest them or destroy their capability before they attack us. To me, a proactive strategy means acting before our adversaries do—either to beat them to a goal or to degrade their ability to obtain their goals. We can prepare for attacks before they happen, but we can't act until they occur. Our adversaries still pick the time, the place, and the method of attack.

Cybersecurity is asymmetrical. This is because our adversaries have options that we do not. We must operate within a legal framework that limits what we can do. Our goal is to defend our information. Our adversaries' goals are to steal or change our information or to stop us from having access to it. An analogy is a guerrilla war where the conventional forces are trying to defend territory and population while the guerrilla force is trying to gain political advantage by attacking the conventional force and civilian infrastructure.

Rather than considering SWOT, cybersecurity strategic analysis should look at threats and constraints. Essentially, the purpose of a cybersecurity program is to mitigate the threats it faces while operating within its constraints.

Threats

Whereas others might use the term risks, I'll use the term threats. This implies that there is a thinking and reactive adversary on the other side. We are looking at adversaries and what they might try to do to our college or university. We must know what it is that adversaries want to attack. What is valuable to them? How valuable is that information to them, and how much effort is required? The answers to those questions determine the likelihood that an attacker will go after that information. We must also look at the impact of a successful attack on our institution. If our adversaries succeed, what will be the impact?

Threat = Impact × (Value / Effort). This formula is actually a qualitative analysis. Of course, we all would love to have data that could be used to quantify risk. However, when we rely too much on metrics to calculate risk in cybersecurity, we get precision but not accuracy. We get numbers that we can measure, calculate, and compare, but these numbers might lead us to the wrong conclusions. Take the number of compromises, for example. If the number of compromises per month is dropping by 5 percent, does this mean that our security is getting better? Or does it instead mean that our adversaries have adapted and we aren't detecting compromises? Or does it mean that our adversaries have moved to different activities but will be back in the future? Also, the data that we gather is usually based on assumptions. Too many events in cybersecurity are "black swans"—unpredicted by previous events. Metrics can be useful and helpful, but they must be incorporated into reasoned qualitative judgment. Table 1 shows another way to view this formula/analysis.