How to build a cybersecurity strategy that aligns with business goals

Cybersecurity threats continue to grow, creating risks that affect every part of an organisation’s operations. A new set of vulnerabilities, barely imaginable 25 years ago, is now an unavoidable part of running any business, even one that only uses email and the internet. 

Companies without a well-defined cybersecurity strategy often address threats on an ad hoc basis. They might deploy a firewall for network protection, add malware detection tools, and run antivirus scans. Yet this piecemeal approach can leave critical gaps that put business assets at risk, disrupt operations, weaken customer trust, and reduce revenue. It may also create governance and compliance challenges that are harder to resolve later. The unavoidable bottom line is that organisations need a holistic cybersecurity risk management strategy that is woven into the very fabric of operations at every level. It should not be treated as a separate technical domain. As with any security system throughout history, the human factor remains crucial. An all-encompassing cybersecurity strategy roadmap is needed to embed security into both organisational culture and employee mindset. Like any other business strategy, it requires continuous monitoring, evaluation, and optimisation.

Why every business needs a cybersecurity strategy

Data from the past five years shows a steady rise in cybersecurity threats across several fronts. Among the most common are distributed denial-of-service (DDoS) attacks that can disrupt entire networks, malware infections, and personal data breaches.

Rising cybersecurity risks in Europe

The extent of the threat is evident in the statistics. At the end of 2021, a Eurostat study found that 22% of EU enterprises had suffered cybersecurity incidents that year. These caused information and communication technology (ICT) services to become unavailable, data corruption and the exposure of confidential information. 

By 2023, a SecurityScorecard report revealed that 98% of Europe’s leading companies had to defend against third-party breaches. Supporting this trend, the European DIGITAL SME Alliance reported a 57% increase in cyberattacks across Europe between 2022 and 2023. Phishing and ransomware were the most prevalent.

Types of cybersecurity attacks

Looking more closely, ENISA identified the five most common types of cyber threats in 2024:

• Ransomware: Malicious actors take control of a company’s network and demand a ransom in exchange for not publicly releasing compromising information.
• DDoS attacks: Large-scale assaults that overwhelm systems, making them unavailable to companies and their clients.
• Malware: Malicious code hidden in software or files that performs unauthorised actions once installed.
• Social engineering: Tactics such as phishing emails that manipulate people into revealing access credentials or sensitive information.
• Direct attacks: Targeted hacking attempts aimed at weak points in an organisation’s security perimeter.

Consequences of poor cybersecurity posture

The case for a well-planned cybersecurity strategy becomes even stronger when you consider what happens in its absence.

First, there is the risk of major operational disruption and the costs that come with it. Systems can be halted, productivity lost, and the financial impact can be severe. In 2024, for example, German authorities reported that cybercrime was costing the national economy about €148 billion. 

Reputational damage and breach of trust are a second consequence, especially when confidential data is leaked or published. Such breaches deeply erode confidence in an organisation and are notoriously difficult to recover from, often leading to customer attrition and revenue decline.

Non-compliance with GDPR or other country-specific regulations adds another layer of risk. If a breach exposes regulatory gaps, the resulting fines and penalties can be significant.A striking example came in 2020, when hackers breached the European Medicines Agency (EMA) and accessed a large amount of personal data. Investigations into the full extent of the attack are still ongoing.

What is a cybersecurity strategy?

A cybersecurity strategy is a formal, organisation-wide documented plan that lays out how a company intends to protect its systems and assets. It needs to include all the measures required to create a secure perimeter around these. It must cover an organisation’s entire “attack surface”, in IT security parlance. This can include in-house networks, cloud platforms, application security and more. The goal is to cover the complex and hybrid environments most modern enterprises now rely on.A comprehensive cybersecurity strategy must consider many different factors. It needs to align with the company’s broader business objectives, operational realities, risk appetite, and regulatory obligations. It also has to reach beyond technology to address areas such as incident response, governance, and, crucially, people and culture.

Top-down vs bottom-up approaches

An organisation can follow a top-down or bottom-up approach to its cybersecurity strategy, although in reality, successful implementation is usually a hybrid of the two approaches.

Top-down cybersecurity strategy

In this cybersecurity strategy, company leadership defines the cybersecurity parameters and feeds them down for implementation. Executives outline things like risk appetite, compliance requirements, acceptable loss thresholds, and the overall strategic vision and guardrails. Then security teams translate these into tangibles like budgets, security programmes and controls, and project metrics.

Bottom-up cybersecurity strategy

In this approach, lower-level personnel, like technical, security and operations teams, complete a full assessment of threats, vulnerabilities, cybersecurity gaps and proposed control measures. These then feed into higher-level executive decisions on cybersecurity strategy and budget. This ensures that the strategy is grounded in operational reality. That said, the most effective cybersecurity strategy roadmap usually results from a pragmatic combination of the two approaches in collaboration.

Role in governance and business continuity

A cybersecurity strategy isn’t only about securing business assets and customer information. It plays a much wider role, especially in governance and regulatory compliance.

• Governance: A cybersecurity strategy must define roles and responsibilities, create escalation procedures, and conform to oversight and accountability requirements.
• Risk management: A proper strategy prioritises threat likelihood and potential impact, and aligns security controls to meet acceptable residual risk levels.
• Business resilience and continuity: This includes incident response, backup systems, disaster recovery plans and restoration procedures.

7 essential steps to build a strong cybersecurity strategy

Creating a robust cybersecurity strategy roadmap can be broken down into distinct phases, each building on the one before it. The ultimate aim is to balance preparation with incident response.

Cybersecurity strategy roadmap:

• Step 1: Conduct a comprehensive risk assessment
• Step 2: Align cybersecurity risk management strategy with business objectives
• Step 3: Review and upgrade your technology stack
• Step 4: Choose a cybersecurity framework that fits
• Step 5: Review and enforce security policies
• Step 6: Plan for risk management and incident response
• Step 7: Monitor, measure, and continuously improve

Step 1: Conduct a comprehensive risk assessment

This step lays the foundation for your cybersecurity strategy and becomes the bedrock on which everything else is built. The key questions to answer are: what are you protecting, what a potential attack might look like, and what impact it could have.

Mapping threats and vulnerabilities

Start by identifying the cyber threats most common in your industry. Research the most active cybercriminal groups and the techniques they have used in the past. It is also important to assess insider risks. Examine the attack methods most frequently seen, such as phishing, malware, or DDoS, and evaluate your own potential weak points. These might include outdated or unpatched software, system misconfigurations, or weak identity verification and access controls.

Conduct a thorough asset inventory

Here, you should catalogue all the digital assets that could be directly compromised or affected by an intrusion. Examples include:

• Software
• Databases
• Network nodes
• Cloud infrastructure
• APIs
• Third-party interfaces
• Physical office devices
• Employee-owned (BYOD) devices
• Remote access connections

Step 2: Align cybersecurity risk management strategy with business objectives

Your cybersecurity strategy should actively support your business goals, so it is essential to keep the two closely aligned. Quantifying those goals goes a long way towards creating the right security strategy. 

Quantifying business aims goes a long way towards creating the right security strategy. There are countless variations, but consider this example: a business aim to enhance website reliability in order to build customer trust. That goal could translate into a security metric that defines the required uptime percentage for customer-facing servers..

Another example could be a company aiming to strengthen its regulatory compliance. The corresponding security metric might define the specific requirements needed to meet regulations such as the NIS2 EU directive.This exercise should also include discussions about risk appetite and the level of tolerance the business is comfortable with. For example, would a 15-minute downtime due to identifying and rectifying a localised, isolated threat be acceptable? What potential revenue loss could that create, and is it a risk the organisation can absorb? Defining these kinds of guard rails helps guide the final cybersecurity strategy roadmap.

Step 3: Review and upgrade your technology stack

The next step is to take a close look at the technology your organisation relies on and upgrade it where needed to meet cybersecurity requirements. Depending on your company’s specific stack, this could include any or all of the following:

Review your existing system architecture

This will vary from one company to another, but it can involve a wide range of cybersecurity technologies. Start by assessing your internal network segmentation and how access is controlled across different areas and databases. This falls under identity and access management (IAM).

Next, take a detailed look at your endpoint defences, often referred to as endpoint detection and response (EDR). These are the measures that protect the devices employees use to access company resources, such as desktops, laptops, and smartphones.Then there are your firewalls, log files, and intrusion detection and prevention systems (IDS/IPS). Security information and event management (SIEM) tools are another important consideration.

Emerging tools evaluation

While you’re reviewing your system architecture, it’s always recommended that you look ahead and attempt to future-proof your cybersecurity strategy. This is an especially pressing need as AI becomes part of the cybercriminal’s arsenal. Many AI-enabled cybersecurity tools are now available, but they should be carefully assessed and introduced with caution, ideally after rigorous pilot testing and fine-tuning. Examples include AI-assisted anomaly detection and behavioural analysis.

Don’t forget third-party and cloud services

Vulnerable third-party software can pose a risk both within your organisation and across your supply chain. It is important to assess the security posture of your vendors and replace any software you are not confident in. For software-as-a-service (SaaS) and cloud platforms, consider implementing API security controls to protect data transfers, along with workload protection. This includes managing account privileges securely and using cloud security posture management (CSPM). CSPM provides transparency and visibility into your cloud environment and helps ensure compliance with cloud storage regulations and standards.

Step 4: Choose a cybersecurity framework that fits

Several recognised cybersecurity frameworks can help you implement best practices and the right technology. They also support regulatory compliance, reducing the risk of future penalties.

• ISO/IEC 27001 and 27002: These complementary frameworks work together. ISO/IEC 27001 defines the requirements for an information security management system, essentially outlining what you need. ISO/IEC 27002 provides guidance on best practices and controls, explaining how to implement them effectively.
  
• Digital Operational Resilience Act (DORA): This establishes uniform guidelines and standards for ICT and financial companies, covering risk management, resilience testing, incident reporting and information sharing.

When designing a cybersecurity strategy, it is often necessary to combine multiple frameworks. This helps cover all potential vulnerabilities and ensures compliance with the full range of regulations that apply to your organisation.

Step 5: Review and enforce security policies

Security policies are essential to the success of any cybersecurity strategy. Technology alone can only go so far, and many threat entry points exist at the user level, as noted earlier. This makes policy enforcement a key factor in keeping the organisation secure. At the same time, the goal should be to gain employee buy-in and cooperation rather than rely on heavy-handed enforcement.

Creating successful cybersecurity policies

It is best and often easiest to follow a clear process when creating cybersecurity policies. Start by drafting a concise document that links each security measure directly to business risks and company goals. Once prepared, have it reviewed by all key stakeholders, including IT, operations, legal, and HR. HR plays a vital role in embedding the company’s security culture across the workforce.

The next step is communication. Ensure that every employee understands the role they play in the overall cybersecurity strategy.Once awareness is established, put in place controls to enforce the policies. These might include blocking the installation of unapproved software, restricting access to certain websites, or applying hardware protections such as disabling USB ports on company laptops.

Step 6: Plan for risk management and incident response

It is important to recognise that no security system is flawless, especially as new threats continue to emerge. Organisations should therefore have both a cybersecurity risk management strategy and a well-defined incident response plan. 

The risk management programme should be highly detailed. It needs a live risk tracker that tracks each risk and its mitigation status, along with defined risk treatment procedures. Thresholds should be set to determine which risks require escalation to the executive level. Incident response planning begins by defining roles and responsibilities in the event of a security incident. It then outlines how to triage alerts, the decision and communication paths to follow, and when to escalate issues. The plan should also include clear procedures for containment and recovery. Ideally, there should be a specific procedure for each type of threat, such as malware or a DDoS attack.

Step 7: Monitor, measure, and continuously improve

A successful cybersecurity strategy should be monitored continuously and designed with room for ongoing development and improvement. Progress can be tracked using predefined key metrics. Some of the most common include:

• Mean time to detect (MTTD)
• Mean time to respond (MTTR)
• Number of security incidents defended
• Vulnerability scan results

Monitoring results should feed into post-incident feedback and review sessions, where lessons learned can be used to refine and upgrade the strategy.  Metrics can also show how well the organisation is complying with relevant regulatory frameworks. Periodically refreshing the strategy helps it stay aligned with new business developments, emerging technologies, and the risks that come with them.

Embedding a security-conscious culture

Every strong cybersecurity strategy depends on people as much as on technology. From the earliest days of espionage to today’s connected workplaces, human behaviour has often shaped the outcome of security efforts. Many modern breaches begin with an ordinary action: clicking a phishing link, choosing an easy password, or installing unverified software on a personal device that is also used for work. 

Even the world’s largest companies remain vulnerable to this kind of breach. In May 2023, two former Tesla employees leaked confidential company data to the German news outlet, Handelsblad. This risked exposing the personal data of over 75,000 employees.  At the time, Tesla was reported to be facing potential penalties of around $3.3 billion, although the details of any settlement remain undisclosed.. 

Company leadership should lead by example and foster an open, non-punitive culture where everyone feels responsible for security and confident about reporting incidents they encounter. Executives can strengthen this by sharing their own experiences, showing that no one is completely immune and that honest mistakes should not cause guilt or fear. When leaders visibly champion cybersecurity, it has a powerful positive impact across the organisation. 

Awareness and training programmes play a crucial role in building a resilient security culture. Because the cybersecurity landscape is constantly evolving, it is valuable to offer periodic refresher sessions to keep knowledge up to date. Simulated attacks can also help reinforce procedures by giving employees a safe space to practise the right responses. In some organisations, security-related criteria are included in performance indicators to help identify where additional support or refresher training might be needed.

Conclusion: Cybersecurity strategy is all-encompassing

It is clear that businesses across Europe are facing a growing wave of cyber threats. These range from hobbyist hackers seeking attention to organised cybercriminal networks and even state-sponsored attacks, such as those targeting power utilities. The reality is that any organisation can be vulnerable, whether it is an ambitious SME or a well-established corporate brand.

Cybersecurity vulnerabilities have expanded as companies adopt remotely delivered technologies such as cloud services and SaaS. A comprehensive cybersecurity risk management strategy must protect the entire attack surface, whether it is in-house, part of the supply chain, or online. But cybersecurity is about more than technical controls. It must also align with business objectives and comply with the regulatory frameworks that govern the organisation.

Security is as much about human behaviour as it is about technology. A security-conscious culture, where everyone feels responsible and unafraid to report issues, is invaluable.

Finally, we should remember that cybersecurity is a continuous cycle. As new threats emerge, new countermeasures are needed. Your cybersecurity strategy should also evolve alongside your business, adapting to new technologies you adopt and to regulatory changes that affect your industry.To dive deeper into putting these principles into practice, watch this Masterclass with Stefano Ferrara and Niklas Tausend. They explore how to make cybersecurity work in your organisation by effectively embedding strategy and tools into daily operations and culture.