Ten things not to do when developing national cybersecurity policies

The Commonwealth Telecommunications Organisation held its 2015 Cybersecurity Forum on 22nd-24th April at the BT Centre in London.  During this, several of us thought it would be an interesting idea to draft a set of ten “not-to-do” things relating to various aspects of cybersecurity, and the first to be prepared (by Stuart Aston, Mike St. John-Green, Martin Koyabe and myself) is on ten things not to do when developing cybersecurity strategies.


We have deliberately focused on the “not-to-do” approach because we feel that such lists can serve as very useful simple reminders to people. As a checklist of negatives, they act as salient caveats for all those involved in developing cybersecurity strategies.


Our “don’ts” should be easy to remember:



Don’t blindly copy another’s Cybersecurity strategy
Don’t expect everything in your strategy to be under your control
Don’t expect to remove all risks
Don’t delegate your strategy to the IT experts
Don’t focus your team only on the threats and the technology
Don’t develop your strategy in a security bubble
Don’t develop your strategy in a government bubble
Don’t overlook the needs of your diverse stakeholders, particularly your citizens
Don’t cover just the easier, tactical quick wins
Don’t expect to finish after the first year

The full version of the recommendations, which includes the positive things that need to be done alongside the negatives, can be downloaded by clicking on the image below:


[Image: Ten things not to do]

Do print this off and share with colleagues you know! I very much hope that it will act as a useful checklist for all those involved in cybersecurity policy making.


Published on May 03, 2015 12:25


Tim Unwin's Blog

Tim Unwin