Three components of a cybersecurity strategy

As organizations develop their cybersecurity strategies, they should consider three critical elements to gain maximum impact: governance, technology, and operations.

What is cybersecurity, and why is it so important?

Cybersecurity is still a relatively new field. However, its importance and global impact cannot be ignored. According to the Pew Research Center, Internet use in the US has grown from 50% of adults in 2000 to 95% today [1]. It is not just for individual use; many industries rely on the Internet to function, including financial services, retail, telecommunications, education, technology, healthcare, media, and entertainment, amongst others. Use is not limited to commercial firms either, as public sector entities rely heavily on it as well. Critical infrastructure is considered a high-value target for threat actors and a priority for national security.

In the 2023 National Cybersecurity Strategy, President Biden speaks about the priorities of strengthening cyberspace. He states that “cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense.”

So, what exactly is cybersecurity? This has been my chosen profession since about 2005. Many people have thought that I must be a penetration tester, digital analyst, controls specialist, or some other IT-related role. But the field of cybersecurity is so much more than that. It is a vast career field requiring a variety of skill sets; it is a consideration that organizations need to keep in mind when developing their overall strategy.

Cybersecurity is about risk and risk management, even more so than it is about IT (though IT plays a key role). Several other myths about cybersecurity persist today and can create a false sense of security amongst business leaders, including leaving many of the responsibilities of cyber to the IT department. According to Forbes, “cyber risk is no longer just an IT problem—it’s a critical vulnerability that directly influences the health of the collective enterprise.” [2]

Cybersecurity is seeing steady growth as a profession. According to Fortune Business Insights, the industry is expected to grow globally from $153.6B in 2022 to $424.9B by 2030 [3]. With that, there has been growth in new cybersecurity companies, organizations offering new cybersecurity services as part of their portfolio, as well as mergers and acquisitions in the market.

Develop a holistic cybersecurity strategy to protect your organization

With all this growth, the misconceptions, and the increased need, putting together a cybersecurity strategy can be overwhelming. To help, here are three critical elements to consider as part of an effective cybersecurity program:

Governance, or Governance, Risk, and Compliance (GRC), is how an organization directs and controls IT security. Having a GRC structure is a key component of any cybersecurity program. It ensures that information security policies and procedures align with business goals while managing risks and complying with regulations. This includes the framework(s) that support the environment, such as those from the National Institute of Standards and Technology (NIST), ISO, and the Center for Internet Security, amongst others. GRC specialists, control testers, and compliance analysts are the types of resources supporting this area of cybersecurity.

Technology refers to the infrastructure an organization puts in place to withstand cybersecurity threats over time as users interact with it. This includes the network, logical, and physical environment that protects an organization’s data and assets. Key skills supporting this area include penetration testing, access control analysis, digital forensics, and physical security assessment.

Operations are how an organization exercises security by putting the governance and technical elements into action. For example, an organization may have a well-written incident response (IR) plan with great detection technology. However, if the organization does not exercise the IR plan, it is still at higher risk. Or take a company that conducts a periodic network penetration test but doesn’t have a way to address the vulnerabilities identified by that test. The threats remain or could even increase. Companies can address the operational element in their strategy by implementing security awareness, vulnerability management, detection, and intrusion prevention. They can also conduct periodic assessments to ensure they address existing and new cyber threats. Many organizations are finding they may need to enlist the help of a trusted partner to provide operational support.

When planning a cybersecurity strategy, have conversations with key business and IT stakeholders about the governance, technical, and operational elements. While it may seem daunting, organizations do not have to go it alone. Finding a good cybersecurity partner can pay dividends in developing an effective strategy to address and mitigate risks as well as increase cyber resilience. This is what it takes to withstand, respond to, and recover from a cyberattack.


  1. “Internet, Broadband Fact Sheet.” Pew Research Center: Internet, Science & Tech, January 31, 2024.
  2. Raissipour, David. “Council Post: Assessing the Correlation between Cyber Risk and Business Risk.” Forbes, June 7, 2023.
  3. Coker, James. “Top 5 Cybersecurity Mergers and Acquisitions 2023.” Infosecurity Magazine, December 26, 2023.
