
In cyber security, the “Small Target Strategy” is gaining traction as a proactive approach to defence. This strategy focuses on making an organisation a less appealing target for hackers by strategically adjusting various aspects of its operations. The core idea is to “shrink” in ways that reduce risk and cost.

What is the Small Target Strategy?

The Small Target Strategy is about implementing changes that make your organisation less attractive to cyber attackers. This can be achieved through a combination of approaches, including reducing the attack surface, the perceived value of assets, the actual value of data, and compliance obligations. Ultimately, it’s a method to improve your risk posture while also saving money.

Benefits of a Small Target Strategy

Implementing a Small Target Strategy offers several key advantages:

  • Reducing your threat surface: Organisations should aim to minimise the amount of data they store, and simplify their systems to reduce their vulnerability to cyberattacks.
  • Cybersecurity is a team sport: Everyone in an organisation is responsible for cybersecurity, not just the IT department.
  • Moving beyond fear-based messaging: While important, fear is not a sustainable motivator for long-term cybersecurity compliance. Regulations, and a cultural shift that views security as a necessary cost of doing business, are also crucial.
  • Improving board awareness: Boards need greater cybersecurity awareness to allocate appropriate budgets. This can be achieved through education, specialised board members, and better communication from CIOs and CISOs.

How to Implement a Small Target Strategy

Held across two days in early September 2024, the Governance Institute of Australia’s International Governance Leadership Conference brought together a global community of governance and risk management professionals to explore the theme of “the human condition” in a rapidly changing world. Over multiple sessions, attendees unpacked the pressing governance and risk management challenges of our time, from socio-economic and geopolitical factors to technological advancements and AI.

Sessions delved into critical questions facing modern boards, the evolving role of technology and AI, and the increasing importance of sustainability. Attendees also gained insights into board effectiveness, crisis response strategies, workforce productivity, and the skills needed for professionals to thrive in a rapidly changing world. The program highlighted the evolving role of governance in navigating the complexities of the future of work.

Mantel Group’s own Nick Ellsmore was a keynote speaker, diving deeper into the topic of how to successfully implement cyber strategies, and the key work that people need to undertake, alongside fellow speaker Katherine Robins of IBM.

The key takeaways from Nick and Katherine’s talk are the four points listed above under “Benefits of a Small Target Strategy”.

Asking the Important Questions

A crucial element of the Small Target Strategy is to frequently ask “why” a security control is required and “why not” change a strategic direction that has a material impact on security requirements. Challenge the necessity of storing certain data or continuing a minor business line that results in specific regulatory burden.

Security needs to be involved early in business decisions to ensure these questions are addressed proactively – we’ve argued the case for “shifting left” in the development pipeline; we now need to “shift left” to get security involved earlier in business strategy.

By embracing the Small Target Strategy, organisations can proactively enhance their security posture, reduce costs, and become a less desirable target for cyberattacks.
