Implementing a cyber security transformation programme

25 February 2021 6 min. read
More news on

Cyber security is one of the key priorities for executives and Chief Information Officers in 2021. Sara Ng, Director of Technology and Security at The 324 Consultancy, discusses how they can effectively deliver their cyber security transformation programmes.

The Covid-19 lockdown saw public and private organisations become more reliant on decentralised digital operation systems than ever before. While this came with benefits such as improved employee work-life balance, and boosted productivity, it also opened them up to cyber-attacks in a way never before seen. A recent study found that 65% of organisations in the UK had either been breached or exposed to an attack last year. In spite of this, however, with many organisations watching the size of their budget amid the current economic turbulence, some businesses remain slow to invest heavily in boosting their cyber security capabilities.

A recent report from Atlas VPN claimed that more than $1 trillion – or approximately 1% of the world’s GDP – was spent on cyber security, or given up as a result of a cyberattack over the course of 2020. Illustrating just how important investing in cyber security is, only $145 billion of that huge figure was spent on putting protections in place, with the remaining $945 billion being lost in the wake of cyber security breaches.

According to Sara Ng, a cyber security expert from The 324 Consultancy, firms will need to start evolving their cyber security efforts sooner, rather than later, if they are to avoid taking similar hits in the future. Speaking to, Ng explained that many firms will now be expecting their cyber security team to improve things within just 24 months – a daunting prospect, but one which is doable provided they can succeed through four key phases of development.

“Those working in the security industry know that implementing transformation programmes takes time,” the consultancy’s Director of Technology and Security explained. “But there are still real changes you can make within a 12-24-month period. If you’re looking for guidance on where to start with a cyber security transformation programme, 324 Consultancy has managed a number of programmes and helped our clients make positive transformational changes to their organisations’ cyber security posture.”

Phase 1: Planning and ‘No-Regrets’ Activities

“Once you’ve got a solid understanding of your current state, write a cyber security strategy and plan,” Ng advised. “This should articulate your recommended target position and how to get there. The strategy needs to be business-led, and it’s important to communicate security gaps to executives in terms of impacts on their business.”

Such a strategy will likely need a few drafts before it strikes the right balance between aspiration and deliverability – however the key is always to look to define success criteria that are both ambitious and achievable. Trying to fix too much and too quickly could prove a fatal mistake, with any failures meaning updated plans will also feel like an uphill struggle to those implementing them. Similarly, firms must be realistic about the budget available for their projects: implementing cyber change involves people and processes too, so ensure there is enough budget for documentation, communications, training, and operational cost uplift.

“During the planning phase, you can kick off some ‘no-regrets’ activities in parallel,” the cyber expert went on. “For example, start fixing the highest-risk issues from any red team exercises that you have conducted (“act like you’ve been hacked”). You’ll also want to start recruiting for key positions in your team.”

In parallel, organisations can kick off a threat scenario analysis exercise. Scenario analysis is the process of analysing possible future events by considering alternative possible outcomes. The analysis will allow leaders to better understand scenarios that would incur the greatest loss and or negative customer experience impact, allowing improved decision-making by considering the outcomes and their implications more fully.

Phase 2: Mobilise

Having used the planning stage to secure a budget and executive buy-in, firms should look to build solid foundations from which to begin mobilising the programme. This phase involves activities such as standing up steering committees and defining Key Performance Indicators (KPIs).

“This is also where you can use ‘accelerators’ to give your programme a kick-start,” Ng added. “For example, some governance setup activities can be fast-tracked if you have access to terms of reference and charter templates. Don’t reinvent the wheel.”

Phase 3: Execute

Following this step, measuring successes along the way through KPIs will keep project sponsors engaged throughout the plan’s execution. For example, Ng suggested that a phishing awareness project could measure success “by the reduction in the number of users falling for test phishing emails over a period of time,” while a Security Information and Event Management implementation could measure success by the number of Tactics, Techniques and Procedures (TTPs) the organisation is able to detect. Executing a communications plan to build up awareness of the programme across the whole business will also help build momentum from these successes.

“This is where the fun begins… You’ll be in the throes of product and service selections, solution design, testing, and implementation,” Ng said. However, care should also be taken by cyber teams to remain adaptable to the situation. “Your programme will likely experience scope changes along the way. For example, the organisation may discover new threats or uncover more issues. Because of this you must ensure that your programme has a change request process that assesses the impact on the existing projects.”

Phase 4: Transition 

Finally, most technology projects install tools well, but it can all fall apart after handing over to the production teams. Cultural matters tend to be where many transformations falter, as employees are either not engaged with the changes being made, or are not adequately supported to upgrade their skill set in correspondence with the alterations.

Ng stated to this end, “Production teams must receive appropriate training, documentation as part of the project. The organisation’s service transition process should also ensure that there are enough resources to support a new service.”

Moving forward

Once the transformation is building momentum, these four stages will have helped provide a high level view of the overall organisation. At this point, entities may look to start diving into creating “high level project plans,” which can help provide a view on timelines to stakeholders.

“You’ll also need to provide budget forecasts including CAPEX and OPEX,” added Ng. In order to get the most from such complex steps, she concluded engaging with (external) experts can be one way of ensuring the best results.