All articles

Security Transformation: Part 3 – Security Strategy


Greg Van Der Gaast


•  Nov 27, 2023

In this series, I want to share my holistic view of cybersecurity, not just as a series of technologies, but a business strategy. 

'Security Transformation' is a move away from 'doing cybersecurity' to 'doing business securely'. 

Put simply, I want organisations to move away from perceiving security as being an IT function - where it has limited impact with regards to business process - to one that allows all parts of the business to work securely.  

In the last article we talked about a mouse infestation caused by leaving vulnerable bags of grain out. This is an analogy about how combatting vulnerabilities (the symptoms IT and business issues elsewhere) instead of rectifying their fundamental causes is indirectly fuelling the growth of the very threats we want to defend against. 

We also touched on the fact that the security response is usually to get thousands of mousetraps to fend off the threats, rather than working to systematically take away the reasons for that vulnerability in the first place. We highlighted that this behaviour on our part indirectly attracted and enabled the threat actors in the first place.  

Looking at Root Causes

Today we look at the root cause of this behaviour on our part in security: a lack of strategy. I think the lack of strategy in information security is one of our biggest challenges. 

While many organisations speak of security strategies, my experience has been that they typically refer mostly to how they are going to set up the reactive capacity to deal with the symptoms of lack of good process elsewhere, and not how to address the reasons behind them in a more permanent and cumulatively beneficial way.  

I sometimes joke that, while searching for an image to illustrate the mouse analogy we discussed before, I came across a short guide on how to deal with mouse infestations on the website of pest control firm Terminix. The joke? Their seven simple steps for fixing a mouse problem would make a better cybersecurity strategy than many of the ones I’ve seen during my 25-year career!  

It's not a perfect analogy, but their tips include having visibility and control over the environment, removing opportunities from easy access, covering egress and ingress, using traps to determine where the issues are coming from, ensuring the hygiene so you’re not attracting the pests and vulnerable to them in the first place, and only then resorting to pest control.   

The Holistic Approach

At CDW, I’m routinely forwarded customers’ security strategies and asked if we can deliver on them. And the answer from me is often that we could, but we’d rather have a chat first.     

The reality is, as much as the security team or the procurement department would like to buy a bunch of technologies, I can often see that what they are asking for will not necessarily provide effective outcomes for their business.  

I consider our customer to be the entire business, not just the person or department making the purchase them. Selling to an individual or department works for most functional requirements, but selling the outcome of security, with many invisible dependencies across many areas of the business, requires a more holistic approach.  

What Should the Strategy Be?

Well in my mind it is first and foremost a journey, and a journey means having a start point and a desired finish point. It’s all about planning the route to get there. 

As such, it’s critical to know your starting point (your status quo, your challenges, why you have them, etc.) as well as where you want to get.  

Your finishing point should, in terms of your overall security effort anyway, reflect the principles of Security Transformation whereby we influence more of the business and IT process to produce less risk to begin with, resulting in us needing to dedicate less effort to today’s security operations.  

What that means and what that requires for your specific organisation is something only you can answer. But to answer that question we must understand our capabilities, our obstacles, what support we will need, who will obtain it, what we need to change and how, and much more. 

Only once all these items are understood, can we create the strategy that defines our journey from today’s status quo to tomorrow’s desired state. 

And to be clear, this strategy is about the entire organisation, not the security function, and will involve everything from executive support, organisational structure, business and IT processes, and technical implementations as required.  

It’s only at this point that we can define and articulate the necessary technologies, how to implement them, and to ensure they will bring measurable value. 

That said, there is a slight ‘chicken and egg’ problem here, which legitimises the tactical implementation of some security technologies: we need them to understand our starting point. It can be very difficult to know our starting point without any visibility. 

Some security tools and managed solutions like vulnerability scanners or MDRs can give us insights on what vulnerabilities we have. While most security functions then try to prioritise and remediate or mitigate the most critical ones, the real strategic value is looking at what’s causing them in the first place. By which I mean identifying the business or IT processes behind them (such as a lack of security consideration in process, poor asset management, low patching or update success rates, architectural standards, onboarding and offboarding issues, shadow IT, etc.) which our strategy should be addressing. 

It is only by addressing these root issues that we will make strategic cumulative reductions in the number of vulnerabilities that need to be managed operationally and leave us exposed. 

My advice is, therefore, to always think strategically about what tactical tooling tells us. 

Read between the lines of the symptoms and find the real causes that are causing your issues. You will quickly start realising what issues a truly effective security strategy should be addressing in your organisation. 

Join us next for the next instalment where we focus on why process quality (inside IT and throughout the wider organisation) isn’t just more sustainable but also a key factor in preventing more of today’s breaches.

Subscribe to email updates

Related insights

Building Effective Security Programmes Part 1 Introduction
  • Security

Building Effective Security Programmes: Part 1 – Introduction

Greg Van Der Gaast, Security Advisor to CDW, looks at how to build effective security programmes, and identifies common issues organisation face when designing and building their own security programmes.

Read article
  • Security

Security Transformation: Part 2 – Root Causes and the Quality Approach

In this multi-part series, Greg van der Gaast, CDW’s Chief Technologist – Security, presents his forward-thinking, quality-driven approach to organisation wide cybersecurity.

Read article
  • Security

Security Transformation: Part 1 – Why Transformation Is Needed

Explore Security Transformation at CDW. Strategy over tech in safeguarding organisations. Redefine security thinking.

Read article