Key steps to building a robust cybersecurity plan
If you think you don’t need a cybersecurity plan, think again. According to the former Director of the NSA and CIA, Michael Hayden, "Fundamentally, if somebody wants to get in, they're getting in... accept that. What we tell clients is: number one, you're in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated."
Embracing an 'already breached' mindset, rather than assuming you can prevent every attack forever, puts you a step ahead of your peers. Beyond protecting your company against cyber criminals and other likely bad actors, a cybersecurity plan is your organisation’s commitment to managing the realities of risk and ever-evolving cyber threats.
What is a cybersecurity plan?
A cybersecurity plan is a fundamental pillar of your organisation and should be seen as a dynamic, continuous journey rather than an end state. Maintained as a live document, a cybersecurity plan reflects the current state of threats and business needs.
“Cybercrime is the greatest threat to every company in the world.”
Ginni Rometty, CEO and President of IBM, stressed the criticality of cybercrime to all businesses at the IBM Security Summit in New York City in 2015. (Forbes)
The top ten ways to implement a cybersecurity plan
- Comprehensive assessment: Begin with a thorough review of your IT assets, business plans, and stakeholder input. Conduct risk assessments aligned with established frameworks like ISO 27001 or NIST CSF. Include a Minimum Business Operating Requirement (MBOR) to identify which systems and processes must remain operational during a cyber incident. Tools like Attack Surface Management (ASM) can help automate asset discovery and risk visibility across modern, dynamic environments.
- Understand the threat landscape: Recognise the nature of cyber threats and the critical need for a strategic plan. Cybercrime poses a significant risk to every company, as highlighted by industry leaders.
- Create a dynamic and evolving plan: Maintain a live security document that reflects current threats and business needs. Regularly update the plan under the guidance of senior information security professionals.
- Board-level priority: Elevate cybersecurity to a board-level concern. Engage senior leadership in regular reviews and updates to align cybersecurity with business objectives.
- Regular review and long-term planning: Conduct regular reviews of cybersecurity goals and establish a three to five-year roadmap. Address immediate vulnerabilities, refine incident response protocols, and incorporate cutting-edge technologies.
- Secure communication protocols: Ensure sensitive information is distributed effectively and only to authorised personnel. Combine technical controls (e.g., secure messaging tools) with clear governance policies to reduce the risk of internal leaks or breaches.
- Strategic objectives and governance: Define clear mission and vision statements, outline governance structures, and set strategic objectives to improve cybersecurity maturity.
- Understand the types of cybersecurity: This includes critical domains such as cloud security, application security, AI security, and network security. (See the last section of this article for more details).
- Create specialised cybersecurity roles: Recruit skilled personnel for key roles like security analysts, architects, engineers, and CISOs. Ensure preparedness for advanced threats through red teaming, penetration testing, and cyber resilience exercises such as tabletop simulations. These activities prepare your organisation for real-world threats and improve response readiness.
- Make informed decisions and prioritise resources: Effective threat intelligence should sit at the heart of your strategy – empowering you to detect, prioritise, and respond to risk. By integrating AI-driven tools with expert analysis, you can stay one step ahead of emerging threats.
Key components of a strategic cybersecurity plan
A solid cybersecurity plan should contain the following key sections:
- Mission statement: A clear goal that reflects your company’s commitment to cybersecurity.
- Vision statement: Defines what your company aims to achieve with its cybersecurity strategy.
- Introduction: An overview of your company and its security posture, highlighting the current security initiatives and the strategic importance of a security-first culture.
- Governance: Outlines how cybersecurity will be managed, maintained, and periodically reviewed. Includes the roles of different stakeholders and how the security program will be audited.
- Strategic objectives: The heart of your plan, listing key projects, risk assessments, and remediation steps to improve cybersecurity maturity.
The 3-year cybersecurity plan
Companies should look ahead using a three to five-year cybersecurity roadmap. This reflects both the immediate cybersecurity posture and long-term strategic goals.
Key objectives should cover:
- Short-term goals (0-12 months): Making immediate improvements to address vulnerabilities and enhance basic cybersecurity hygiene.
- Mid-term goals (12-18 months): Introducing stronger preventative measures, refining incident response protocols, and enhancing data protection frameworks.
- Long-term goals (36 months and longer): Maturing the company’s cybersecurity resilience by incorporating cutting-edge technologies and ensuring compliance with regulatory standards.
Types of cybersecurity
- Advanced resilience testing: Threat Intelligence Led Penetration Testing (Red Teaming) or Adversary Simulation covering your entire organisation, including subsidiaries, critical third parties and your critical assets.
- Cloud security: Safeguarding data and applications hosted on public or private clouds, including Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS).
- Application security: Securing software applications through regular penetration testing, vulnerability scanning, code reviews, and patch management.
- AI security: As AI becomes more embedded in cybersecurity, organisations must secure AI models and protect them against adversarial attacks.
- AI challenges: AI can also be exploited by attackers, through techniques including data poisoning, model evasion, and deepfake-based social engineering.
- Infrastructure security: Protecting the essential systems that underpin your business by implementing continuous assurance, penetration testing and configuration management practices.
- Internet of Things (IoT) security: With the rise of connected devices, securing IoT networks has become a priority to prevent remote exploitation.
- Network security: Protecting your company’s data networks from unauthorised access and cyberattacks, including management planes, voice networks, VPN infrastructure and switching.
- Security awareness training: Empowering employees to recognise and avoid common security threats such as phishing, vishing, smishing, social engineering, and malware attacks.
Ready to develop or enhance your cybersecurity strategy? Get in touch with our experts to ensure your organisation is prepared for the ever-evolving threat landscape.