Cybersecurity Strategy
A strategy is required to help senior leadership effectively manage the organization’s cybersecurity. To not use a cybersecurity strategy is to not prioritise cybersecurity appropriately (or at all). Stated positively?
To use a cybersecurity strategy is to lead cybersecurity with a responsive presence rather than a reactive one. This means the organisation:
(1) Anticipates threats before they manifest, using intelligence, monitoring, and foresight rather than waiting for incidents to occur.
(2) Emphasizes awareness over reaction to ensure decisions are made from understanding and context, not panic or habit.
(3) Adapts continuously, treating each change in the threat landscape as information to refine posture and improve resilience.
(4) Integrates narrative security and technical security into a single, cohesive response. We will uncover a great deal more about this in future articles.
A Cybersecurity Strategy Is Not A Plan
Planning is essential; plans are useless. “Everyone has a plan,” heavyweight boxing champion Mike Tyson asserts, “until he gets slugged in the face.”
Cybersecurity strategy is a map, not a plan.
Several people are (or should be) involved in successfully drafting a cybersecurity strategy. The ultimate responsibility to own and execute it lies with the organization’s oversight community, whether the Board or an operating committee of the Board.
Technical and procedural controls are important to an organisation’s cybersecurity strategy. But in modern offices they aren’t enough — no firewall can protect a confused mind. This attack vector is called mind hacking. Many attacks now try to trick people, not just machines.
Security of Thought helps protect how people think and make decisions, so they don’t get misled, panicked, or divided when something goes wrong.
The organisation’s narrative environment is central to cybersecurity. An organisation acts on perceived risks based on the SKEW Principle:
| Story | Knowledge | Ethics | Wholeness |
The stories we tell ourselves, in whatever context, become the basis of what we think we know. What we think we know informs our ethics (or lack thereof), and our ethics shape how we see ourselves and our purpose within the organisation (our sense of wholeness).
When the SKEW chain is healthy, people act with clarity and confidence.
When the SKEW is distorted? Stories twist knowledge, ethics weaken, and wholeness breaks. This creates confusion, mistrust, and vulnerability.
SKEW becomes especially important in the context of Schneider’s idea of presilience. Digital disruption and disinformation can alter both technical systems and collective perception at once.
| Volatility | Uncertainty | Complexity | Ambiguity | Digitisation |
His VUCAD paradigm is shaped in an environment where both technology and perception change faster than most organisations can adapt.
To recover from disruption is to stay stable within it. Presilience — Schneider’s key idea — is the ability to respond with awareness instead of alarm.
When we combine VUCAD with SKEW, we see that resilience depends on meaning more than it depends on data or devices. If an organisation’s stories stay clear, its knowledge honest, its ethics strong, and its sense of wholeness intact, then it can think clearly even when the world around it is volatile and uncertain.