The Commonwealth Telecommunications Organisation held its 2015 Cybersecurity Forum on 22nd-24th April at the BT Centre in London. During this, several of us thought it would be an interesting idea to draft a set of ten “not-to-do” things relating to various aspects of cybersecurity, and the first to be prepared (by Stuart Aston, Mike St. John-Green, Martin Koyabe and myself) is on ten things not to do when developing cybersecurity strategies.
We have deliberately focused on the “not-to-do” approach because we feel that such lists can serve as very useful simple reminders to people. As a check-list of negatives, they act as salient caveats for all those involved in developing cybersecurity strategies.
Our “don’ts” should be easy to remember:
- Don’t blindly copy another’s Cybersecurity strategy
- Don’t expect everything in your strategy to be under your control
- Don’t expect to remove all risks
- Don’t delegate your strategy to the IT experts
- Don’t focus your team only on the threats and the technology
- Don’t develop your strategy in a security bubble
- Don’t develop your strategy in a government bubble
- Don’t overlook the needs of your diverse stakeholders, particularly your citizens
- Don’t cover just the easier, tactical quick wins
- Don’t expect to finish after the first year
The full version of the recommendations, which includes the positive things that need to be done alongside the negatives, can be downloaded by clicking on the image below: