What is the number one thing your security team can do for your organization? Take a minute. It’s hard to pick just one amidst the never-ending salvo of competing objectives that security teams are mandated to meet.

Day-to-day tasks, project management, ad-hoc assignments, side projects, departmental red tape, people who flat out ignore the security group – they all have the potential to derail the fundamental “raison d’être” of your security team.

Defining and communicating a mission statement for your cybersecurity program centers your team’s focus on what matters most to help prioritize competing objectives, manage stakeholder expectations, and, ultimately, better secure the enterprise.

Like an organizational mission statement, your cybersecurity mission statement should reflect the purpose of your team and what you’ve set out to achieve. In other words – why do you exist?

Don’t worry, this isn’t as existential as it sounds, and we’ve put together a straightforward set of guidelines to help you get there.

First, a good mission statement will contain the following components:

  • The team’s main function – what is it that your team does for the company?
  • Your primary customers – who is it that your team primarily serves?
  • Protecting the products and services that make up the revenue of your business
  • The geographic location in which you operate

The one thing your mission statement should not be: generic. Make it specific to your business and how your team fits within it. Otherwise, you risk developing a statement that is unused, stale, and ultimately ignored.

Reaching a business-specific statement requires alignment with overarching business objectives. Best case scenario: your executive team has clearly laid these out, making it easy (or easier) to build upon. Worst case scenario: your probing forces the issue of defining these business objectives in the first place.

If the organization does not have its objectives set and well-communicated, each department pulls in a different direction, chasing the next new thing rather than operating strategically. This lack of direction makes it difficult to track your team’s progress towards any business-relevant goals.

Here are a few questions that can help you identify and align with business objectives:

  • What are the largest cyber threats to your business?
  • What does your company do that could be a target?
  • How does your business generate revenue?
  • What are the crown jewels of your business?
  • How big of a role does compliance play for your business?

For your team specifically, it’s important to ask:

  • How do you make security an enabler of business?
  • What is the culture you are trying to invoke within your team?
  • Who are the customers you are trying to protect? What assets are you protecting?
  • What are the limitations and capabilities of your cybersecurity program? How is that reflected within your current team?

With a mission statement in place, you will be able to create a set of objectives that help you achieve your cybersecurity goals. For example, the mission statement “Protecting ABC Inc. and securing their assets from brand damaging cyber-attacks,” might have the following set of objectives:

  • Enable secure communications standards that protect our client’s interests.
  • Ensure an agile vulnerability mitigation process.
  • Hire and/or retain world-class resources to defend and respond to cyber threats.
  • Identify and respond with swift clarity to immediate threats to the business.
  • Be innovative in protecting and enabling our core business.

Each of these objectives provides clear direction for your security team – a north star to guide you when competing priorities, pressure from other groups in the organization, or the next “new thing” threatens to sidetrack you from success.

When evaluating companies’ overall incident response maturity, a common theme has emerged. Those who adopt a weak mission statement often have similarly underdeveloped cyber capabilities. While I’m not stating a direct correlation, I have observed that this lack of specific focus translates to a company’s ability to respond to a cyber incident.

If you currently have a generic cyber security mission statement, we encourage you to develop a more meaningful and directionally engaging mission statement to drive your security program forward. If you don’t, and you’d like guidance in moving forward, please do not hesitate to reach out to us at request@kudelskisecurity.com.

Coming up next in the Cyber Resilience Primer series: defining what constitutes a security incident and the related risks it imposes.

David O'Neil

Director of Incident Response & Cyber Resilience at Kudelski Security
David O’Neil leads the Cyber Resilience suite of services for the Kudelski Security Incident Response & Cyber Resilience teams. The Cyber Resilience Suite of Services includes Cyber Resilience Readiness Reviews, Tabletop and Threat Simulation Exercises, Cyber Threat Hunting and Cyber Resilience program development engagements, focusing on delivering exceptional services. Most recently David was the Global Deputy Director of the Cyber Security Operation Center, which included Incident Response, Threat Intel, and SOC operations. David is a recognized expert on Incident Response Strategy, Threat Intelligence, Cyber Security Operations and Cyber Resilience program enhancement.