Strategy

Business Strategy Services


Comprehensive strategy solutions for every business

Strategy defines your Path. Goals on that path define your Success


Reinvent your Strategy

We are experts at designing strategies that redefine what's possible


The key to sustained success lies in understanding where to play and how to win—identifying the right opportunities, markets, and strategies to achieve a lasting competitive edge. This requires a strategic shift towards innovation and reinvention, supported by visionary leadership and a reimagining of your organisation's role in the global landscape.


Today's executives face the dual challenge of navigating successive digital transformations while also building a clear strategy that aligns culture, purpose, and execution. Success in this demanding environment requires a profound alignment in strategy and vision across your leadership teams and a disciplined focus on the opportunities that will position your organisation to thrive in the future.

“The competitor to be feared is one who never bothers about you at all, but goes on making his own business better all the time.”

Henry Ford

95% of employees say they don't understand their company's strategy

48% of organisations fail to meet half of their strategic actions

60% of organisations do not tie financial budgets to strategic priorities



How we help our clients

Our team of experts has decades of experience providing sustainable strategies to both private and public companies

Corporate Strategy

Using data-driven insights and market research, we align our approach with your unique corporate vision and objectives, ensuring a strategic pathway that is both ambitious and achievable. 

M&A Strategy

Designed to guide organisations through the complexities of mergers and acquisitions. We understand that successful M&A transactions require meticulous due diligence, strategic alignment, and agile PMaaS to unlock value and drive growth.

Go-to-Market Strategy

Designed to help businesses effectively launch their products and services in competitive markets. We understand that a successful GTM strategy is crucial for maximising market penetration and achieving sustainable growth.

Mauro Mortali

Our Strategy practice is led by Mauro Mortali

Senior Partner - Strategy

With over 25 years of experience in both leadership and governance positions across the corporate, education, and charity sectors, Mauro Mortali is a Senior Partner for Cambridge Management Consulting within our Strategy Practice. Having held senior strategy and innovation positions, Mauro blends traditional strategy capabilities such as deep insight, analysis and critical thinking with the collaboration, creative and co-creation skills of Design Thinking. One of Mauro’s passions is narrative development and storytelling, and he brings this into his strategy work in order to enable his clients to win the hearts and minds of their stakeholders and customers.


Mauro’s role with Cambridge MC is to help organisations design, develop, and deliver strategies with an emphasis on activation to achieve their goals. Mauro is also an executive coach with a focus on performance and wellbeing, working with both individuals and teams to identify and maximise their strengths. This also enables him to bring a human-centred approach to strategy development.


As an Associate Certified Coach with the International Coaching Federation, and an accredited Strengthscope Practitioner, Mauro combines deep insight and creative thinking to drive individual and team excellence.

Our team can be your team


Our team of experts have multiple decades  of experience across many different business environments and across various geographies.


We can build you a specialised team with the skillset and expertise required to meet the demands of your industry.


Our combination of expertise and an intelligent methodology is what realises tangible financial benefits for clients.


Strategy Case Study

ELIXIR


We were contacted by ELIXIR, an inter-governmental life sciences research network, to help with a strategy and leadership challenge.


ELIXIR was in the middle of an organisational transformation, following a period of intense and rapid growth over the preceding 6-month period.


Dr Blomberg, ELIXIR's CEO, recognised the need for clarity in ELIXIR’s mission and that help was required to define their values. Following initial discovery discussions with members of the Cambridge MC Management team, a bespoke plan was created. We delivered a mission workshop for the 8-person Senior Leadership Team, which would be the first in a series of workshops and coaching relationships that ran into the following year. On the basis of our success and a growing relationship, further team-building sessions were requested and conducted by Ben Clarke.


"Cambridge MC’s role was to provide comprehensive analysis of the market landscape, competitive environment, key trends, potential opportunities, and ideal target customers."


VETRO Case Study



by Mauro Mortali, 10 September 2024

Staying ahead of the curve in a fierce market

Our client, a renowned global services provider, approached Cambridge Management Consulting (Cambridge MC) with a critical mission: to benchmark their data connectivity services against industry best practices, identify growth opportunities, and develop an innovative growth strategy. Their objective was to stay ahead of the curve in a rapidly evolving market and solidify their position as a leader in data connectivity solutions globally.

The Challenge

The client faced significant challenges:

- Decline in Traditional Voice Services: As the market shifted towards IP-based solutions, traditional voice services were becoming less profitable.
- Revenue vs. Margin Dilemma: Although data connectivity services were growing in revenue, they yielded lower margins compared to voice services. This trend was impacting overall profitability negatively.
- Future-readiness of Existing Offerings: The client's current portfolio, while performing adequately, required evaluation to ensure alignment with modern standards and preparedness for future market demands.

The client sought actionable insights to enhance their portfolio and capitalise on emerging market opportunities. Cambridge MC was tasked with:

- Diagnosing the data connectivity services business to benchmark against industry best practices
- Identifying and prioritising growth opportunities
- Developing a comprehensive growth strategy aimed at achieving revenue and margin targets
- Building a set of initiatives with detailed programs and supporting action plans to deliver the growth strategy

Our Approach - Diagnostic Phase

In the diagnostic phase, Cambridge MC applied its comprehensive Diagnostic Framework to assess the client's organisation across several key parameters:

- Portfolio Analysis: Evaluating the range and performance of existing products and services
- Go-to-Market Strategy: Reviewing current market entry strategies and sales approaches
- Systems & Processes: Assessing internal systems for efficiency and scalability
- Network Technologies: Analysing the technological infrastructure supporting data connectivity services
- Product Margins: Examining financial performance metrics for each product line

This involved:

- Conducting in-depth interviews with key team members
- Reviewing essential documentation, strategic plans, market reports, and financial statements
- Performing detailed market, customer, and competitor analysis
- Utilising Cambridge Subject Matter Experts (SMEs) to benchmark the client against industry Best-in-Class standards

Our Approach - Growth Opportunity Phase

In this phase, Cambridge MC facilitated:

- Co-Creation Workshops: Collaborative sessions with the client team to identify and prioritise potential growth opportunities
- Stress Testing: Rigorous financial analysis involving SMEs and customer feedback to validate identified opportunities
- Initiative Scoping: Detailed workshops to scope out, quantify, and agree on key initiatives necessary for realising growth opportunities

The culmination of this phase was the development of an agreed-upon growth strategy underpinned by robust financial projections and a detailed delivery plan.

Outcomes & Results

Through this structured approach, Cambridge MC successfully identified several key improvement areas resulting in:

1. Gross Margin: A projected 66% increase in gross margin.
2. Recurring Revenue: An incremental annual recurring revenue of $90 million by year five.

These results provided the client with a clear roadmap for enhanced profitability and sustained competitive advantage in the dynamic data connectivity market.
by Aki Uljas, 22 July 2024

Replacing microwave connectivity with fibre optic links to provide reliable internet during adverse weather as well as laying the foundations for a digital future

In April 2023, the Turks and Caicos Telecommunications Commission (TCITC) completed a Request for Proposals for a study on the feasibility of a domestic submarine telecommunications cable system for the Turks & Caicos Islands (TCI). Originating from a 2016 Turks and Caicos Islands Government mandate to enhance inter-island communication, the initiative aimed to establish a national fibre ring, ensuring robust connectivity—especially during natural disasters—as well as facilitating a secondary international broadband link. In 2023, Cambridge Management Consulting Limited was awarded a contract to prepare the final Strategic Outline Business Case (SOBC), involving consultations with local stakeholders.

The Challenge

The primary objectives of the project include replacing the current microwave links with high-capacity fibre optic cables, ensuring resilient connectivity in adverse weather, offering low latency digital access to underserved TCI communities, and laying the groundwork for further digital investments. Subsea cables, being the internet's backbone, are crucial for island nations, offering superior capacity and latency compared to alternatives like satellite or microwave connections. High-speed internet is crucially important to economic growth across the islands. Tourism and local businesses require reliable and fast service to meet the growing needs of users. Hospitals, ports, and emergency services will also benefit greatly from new digital services—for example, 20% of patients in TCI already use remote doctor appointments.

Our Approach

The project started by analysing the telecommunications market in the Turks and Caicos Islands. As with many of the other Caribbean Islands, the market data is not readily available. Market information was gathered from a wide range of sources, including official statistics, third-party databases, market data sources, and by conducting meetings with the local stakeholders, including cruise lines, telecom operators and others.

Our legal partner in the project, Baker Botts, also conducted a legal review of the regulatory framework, procurement framework, and government financing framework. Ensuring open access to the new subsea cable system and related facilities was emphasised in carrying out this legal review and in the recommendations from that review.

Our technical partner in the project, Pelagian, conducted a desktop study, which is always the basis of any subsea cable system, assessing cable landings and environmental aspects and developing a cable route that would be used to perform marine survey activities and, further into the project, the cable installation. This was done by following recommendations from the International Cable Protection Committee to ensure the quality of the study.

After the reviews and studies, we created a financial plan for the cable system, including estimated investments, profit and loss calculations, cashflow analysis, and balance sheets. This was followed by writing a Strategic Outline Business Case report, which was based on the UK Government’s Green Book guidelines.

The Team

Our Senior Partner for Subsea, Aki Uljas, led our contribution to the project, providing his subsea expertise and understanding of government-led projects, based on his previous work—including work with the Finnish Government-owned company Cinia, which he has been advising for the Baltic Sea and Arctic cable projects. Julian Rawle has two decades of experience in the subsea and telecommunications industry, specialising in market analysis, market forecasts and due diligence work. The Cambridge MC team worked alongside the Turks & Caicos Islands Telecommunications Commission (TCITC), specifically with Kenva Williams, Director General, to ensure an effective outcome that benefits all TCI citizens.

Outcomes & Results

After we completed the Strategic Outline Business Case report, we presented it to the Turks and Caicos Islands Cabinet and the UK Governor of the Turks and Caicos Islands.

1. Strategic Outline Business Report: The Strategic Outline Business Case report was delivered in Autumn 2023. Cambridge MC presented the business case to the Cabinet in December 2023, after which the Cabinet approved the project to move forward.
2. Procurement Package: Cambridge MC and Pelagian started to work on the Procurement Package and the upcoming tender process in April 2024, after budget allocation for the project was completed.
3. Cable System Extensions: We also identified a few possible new international cable systems passing close to the Turks and Caicos Islands, which could have the potential to be extended into the islands:
- Several potential planned cable systems were identified
- Cambridge MC reached out to these parties and facilitated discussion and negotiations on behalf of the Turks and Caicos Telecommunications Commission
- Cambridge MC revised the Strategic Outline Business Case to also include these potential new cable systems to be connected to the islands
by Steve Tunnicliffe, 28 June 2024

Analysing the business to provide recommendations and enhancements

The satellite industry is going through an intense period of transformation at every level of the value chain. The status quo within the satellite communications industry has been largely unchanged and unchallenged since its inception over 60 years ago. This is all about to significantly change, and it will force many established businesses to look afresh at how they operate. Many will adapt but many will fail. The two key factors driving this transformation are a) the emergence of Non-Geostationary Satellite Operators (NGSO) and b) the technology drive to digitisation, standardisation, and virtualisation. New market entrants such as Starlink are hugely disruptive and have contributed to a 77% reduction in satellite capacity pricing over the last 5 years. Other new entrants will soon emerge, creating further disruption to the norm and downward price pressure.

The Challenge

A leading satellite communications service provider had already anticipated this market shift and transformation, but wanted to undertake a brief study to validate their assumptions and to review their Go-To-Market strategy. Spanning operations in the US and Europe, Steve Tunnicliffe was tasked with undertaking this strategic business review that included:

- Stakeholder Mapping and Engagement
- Corporate Governance Review
- Change Management and Communication
- Revenue Review
- Performance Management Review

Our Approach

Steve provided critical insights and enabling methodologies to support the service provider in anticipating where to invest next and what resources to align where. Steve also identified areas of weakness within the company’s corporate governance and identified where changes needed to be made to ensure the service provider seized the opportunity for its next phase of growth. He was able to engage key stakeholders in the identification of business issues and make recommendations on how and what to implement from a change management perspective. His experience in leading a global sales organisation and strategy for a leading player within the satellite industry helped provide critical insights to empower the service provider to achieve its stated objectives.

Outcomes & Results

1. Go-to-Market Strategy: The client refocused its efforts on Defence and Government, which accounted for over 50% of its business but an even greater percentage of its profit.
2. Corporate Governance: The client put in place a charter and clear definitions around the role of the Board of Directors and the Executive Management Team, defining what matters were reserved for each.
3. Efficiency: All of this provided not only the necessary clarity but an efficient plan to implement.
by Tim Passingham, 30 April 2024

Creating a detailed report for towns in the South East on behalf of a regional-focused alternative network provider

Foresight Group is a sustainability-led alternative assets and SME investment manager. They commissioned Cambridge Management Consulting to conduct a detailed Due Diligence report for one of their fibre portfolio assets in the South of England. This report would recommend strategic towns in the South East that are potential targets for their growth strategy.

The Request

The challenge from Foresight Group was to quickly mobilise a survey team and create a detailed Due Diligence assessment on a number of key expansion areas. The report had to establish the following:

- The current deployment of BT Openreach in the area, including signs of recent activity.
- The current deployment and connectivity status of other altnets, including signs of recent activity and an estimation of current live customers.
- The proportion of overhead to underground fibre build, with approximate split between underground ducts and armoured buried cable (direct in ground).
- Availability of PIA infrastructure, including DP poles, splitters, ducts, swept tees, chambers/nodes/CBTs etc.
- Potential problems in the network, e.g., blockages, gaps between poles that have not been spanned and cannot be serviced by the underground network etc.

The Approach

Foresight Group and the alt-net's leadership teams required thorough technical due diligence, but accurate information on network condition, existing infrastructure, and presence of competing networks (including signs of recent activity) could only be gathered by cross-referencing public data and on-the-ground visual observations at the site. The survey team established a visual topology and methodology that could be used to analyse and answer the points above.

The survey team, comprising specialists from Cambridge MC, spent a number of days on-site, conducting a thorough sweep of the area while recording the visual topology in real time using the ArcGIS app. Our team in the office used PIA data from the Openreach portal to guide the survey, and they were able to corroborate observations made on the ground.

Advantages of this Approach

- An on-the-ground survey team can verify and investigate network inconsistencies and establish how active an ISP is in a particular area, i.e., the team can determine when a ‘homes passed’ strategy has been accelerated to show network presence in an area despite the fact that there are large gaps that do not have light and/or few live customers.
- The team gathers information in real time via the ArcGIS app.
- The findings and visual observation record are presented to senior management and leadership in a detailed report that makes a final ‘go/no go’ recommendation based on a set of justifications and a timeframe.
- The report includes photos and examples, as well as a background on the location and a summary of PIA data.

Foresight Group said: "Working with the Cambridge MC team was a huge pleasure. The Due Diligence team were fast and delivered what we needed to help shape our strategic planning."

Outcomes & Results

1. Cambridge MC provided clear recommendations based on a strong justification from the evidence and data gathered.
2. The client received a full, detailed report to discuss with the senior leadership team and the Board.
3. The decision was presented with a timeframe based on the activity of other fibre providers. The timeframe was essential for a final decision by the leadership teams.

Strategy insights


by Tom Burton, 9 April 2025

What Problem do Too Many SaaS Providers Have in Common?

Many SaaS security providers have a history of treating important safety and security features as something to upsell. This raises the important question of whether a software vendor has a moral responsibility for the secure operation of their solution. In this article, we explore the implications of treating important security and safety features as an upsell, using Boeing as a test case of where this can go wrong.

The Case of Boeing and the Aviation Industry

The case against Boeing is emblematic of a more systemic issue across the aviation industry, and many other industries. The public became aware of this issue under tragic circumstances when the Lion Air and Ethiopian Air Boeing 737 Max airliners crashed in 2018 and 2019 respectively. According to the widely quoted New York Times article, the crash could have been avoided if the pilots had access to two safety features that were sold by Boeing as optional extras.

According to the incident reports, at the root of the incident were the angle-of-attack sensors. These mechanical sensors operate in a similar fashion to a weathervane to measure whether the aircraft’s nose is pointing above or below the direction of airflow. Being mechanical, they may be prone to malfunction, perhaps jamming after having been installed incorrectly — as was believed to be the case for the Lion Air aircraft. The system that led to the aircraft’s demise, which identifies the risk of the aircraft stalling, only listened to one of the sensors. A difference in the signal being sent by the two sensors was not recognised by the anti-stall system; and the instruments that would have alerted the pilots to the conflicting signals were upsell items.

This wasn’t a fancy, nice-to-have bell or whistle that makes the flight more comfortable, efficient, or profitable. It is an underlying safety feature of the aircraft. If there was no safety requirement for the redundancy of two sensors, it is difficult to see why there would ever be more than one. Boeing has now addressed the issue, and the anti-stall system listens to both sensors, responding safely in the event of conflicting signals. It should also be noted that the investigation identified pilot error and deficiencies in the training that contributed to the disasters (and this will be relevant to our points regarding many SaaS product decisions as well).

The SaaS Parallels

Cloud-delivered Software as a Service (SaaS) has revolutionised the tech industry, and catalysed a phenomenal level of innovation and growth. It has enabled new software capabilities to be brought to market faster than ever before, and facilitated the ability to reach a scale with costs defrayed across multiple customers that would have been unimaginable 30 years ago. However, the benefits of being able to access a service from anywhere, at any time, by anyone also present significant risks. The ‘anyone’ can be a malicious party operating outside of the reach of law enforcement or extradition. As a result, there are clear commercial responsibilities placed on SaaS providers to secure their infrastructure from attack, and those that do not are unlikely to last long in the marketplace.

But just like the aviation industry, there are different flavours of security, and different perceptions of what is considered essential. Taking due care and applying due diligence to ensure that the platform itself is adequately secured from a direct attack is clearly the vendor’s responsibility – but what about those elements of security that relate to risk owned by their customers?

One key element of customer risk relates to the security of a user’s password. It is their responsibility to make sure they choose a long and random string drawn from upper case, lower case, numerical, and special characters (if allowed). It is also their responsibility to ensure that they do not ever use the same password for multiple applications or services. But we know that compromised credentials are a common failure mode. Just because it is the user’s responsibility to mitigate this risk, this doesn’t mean that system developers do not also have some mutual responsibility to make it easier for the user to exercise that responsibility; controls have been developed specifically for that purpose.

The most obvious ones are Multi Factor Authentication (MFA, or 2FA) and Single Sign On (SSO). With MFA, we improve the security of the credentials by also verifying that the user is in possession of their trusted device before we trust them at sign in. With SSO, we minimise the number of credentials and accounts to manage by federating with a single corporate account; we can then concentrate our effort to secure that corporate account rather than spreading our resources thinly. Both are relatively easily implemented these days, particularly in the case of SSO, where the OAuth protocols are widely offered by Identity Providers. Once implemented, both are essentially free to operate, particularly if MFA uses an Authenticator app rather than SMS text messages.

SaaS providers recognise that this security is important, and they will frequently implement MFA and SSO controls into their applications to meet that customer demand. But, too frequently, we see them only offered as part of the more expensive subscription options. This element of security is not enhancing the vendor’s core proposition; it is not making their offering more functional, better looking, or more efficient for their users. It is just making it more secure, and therefore to treat it as an item to upsell comes across as price-gouging rather than the responsible application of good security practice. It is almost as though these vendors have run out of innovative bells and whistles that their clients would value in their core product, so they have had to resort to undermining the security of their cheaper options in order to encourage their customers to pay for their more expensive ones. It is equivalent to a bank only using the CSC code on a card to secure transactions for customers who pay for their premium banking services, because, after all, it is the customer’s responsibility to protect their card details.

Conclusion

What we have described here is not universal, and probably is not even representative of the majority of SaaS providers. But, when you are reviewing a new service, we urge you to take a closer look at what security your provider is charging extra for. If low cost, high value security controls are being upsold, then you may want to consider what other security good practices are not being considered essential. For more information about our cyber security consulting services and Secure by Design principles in action, please contact Tom Burton, Partner for Cyber Security, using the form below.
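The article's point about MFA is that the second factor proves possession of an enrolled device and costs essentially nothing to operate once built. The following is an added example, not code from the article or from Cambridge MC, showing the server side of an authenticator-app check: a TOTP verifier (RFC 6238 over RFC 4226 HOTP) with a small drift window, constant-time comparison and replay refusal, wired into a sign-in decision that applies to every account that has a secret enrolled, whatever its subscription tier. The account record shape, the `sign_in` helper and the `password_ok` stand-in for the first factor are assumptions for the illustration; the demo secret is the published RFC test-vector key, not a real credential.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key, not a real credential.
DEMO_SECRET = b"12345678901234567890"
STEP = 30  # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, at_time // STEP, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                last_counter: int, window: int = 1) -> Optional[int]:
    """Return the time-step counter that matched, or None.

    Accepts the current step and +/- `window` steps of clock drift, refuses any
    step at or before `last_counter` (so a captured code cannot be replayed),
    and compares in constant time so a wrong digit does not leak timing.
    """
    now_counter = at_time // STEP
    for drift in range(-window, window + 1):
        counter = now_counter + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def sign_in(account: dict, password_ok: bool, submitted_code: Optional[str],
            at_time: int) -> str:
    """Decide a sign-in outcome for a (hypothetical) account record.

    `password_ok` stands in for the first-factor check. The point shown is that
    possession of the enrolled device is required whenever the account has a
    TOTP secret; the account's subscription tier plays no part in the decision.
    """
    if not password_ok:
        return "denied: bad password"
    if account.get("totp_secret") is None:
        return "allowed: password only (no MFA enrolled)"
    if not submitted_code:
        return "denied: MFA code required"
    used = verify_totp(account["totp_secret"], submitted_code, at_time,
                       account["last_counter"])
    if used is None:
        return "denied: bad or replayed MFA code"
    account["last_counter"] = used  # remember the step so the same code is refused next time
    return "allowed: password + MFA"


if __name__ == "__main__":
    # Constructed account on the cheapest tier; MFA is still enforced for it.
    acct = {"tier": "free", "totp_secret": DEMO_SECRET, "last_counter": -1}
    now = int(time.time())
    code = totp(DEMO_SECRET, now)  # what the user's authenticator app would display
    print(sign_in(acct, True, code, now))
    print(sign_in(acct, True, code, now))  # second use of the same code is refused
```

The `last_counter` bookkeeping is the part most often omitted in home-grown implementations: without it, a code observed in transit remains valid for the whole drift window. In production the secret would be stored encrypted at rest and the counter persisted with the account, but the control itself is just two HMACs per sign-in, which is what makes the article's "essentially free to operate" observation hold.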
by Daniel Fitzsimmons, 13 January 2025

Peter Drucker wrote in his book The Practice of Management (1954) that ‘it is the customer who determines what a business is’. This sentiment still firmly holds true today, as consumers increasingly expect personalised shopping experiences from aspirational businesses that desire to have a positive impact on the community, country, or world in some way. Across this series of articles, Daniel Fitzsimmons explores the role of customer-centricity as a mechanism to support the delivery of superior customer experience and business profitability. Following from the first article in this series, in which Daniel covered the basics of customer centricity and initial ways to implement it into your organisation, this article applies these premises to the development of actionable customer satisfaction.

Purposeful Value Creation

Purposeful value creation involves the increased alignment of an organisation to a broader societal cause to secure a positive association with potential customers. As ethical consumption becomes increasingly important to consumers, brands must be increasingly sensitive to not only profit generation, but also the nature of the profit being generated. A customer-centric business purpose statement helps to project a company’s motives to prospective customers, and provides an impetus or bias with which to engage with your products or services. However, failure to fulfil a stated purpose can negatively impact brand equity, share prices, and future revenue generation, highlighting the need to embed purpose messaging within the fabric of the organisation. Purposeful value creation represents a key informant to customer journey mapping, consumer touchpoint messaging, and the identification of what matters to potential clients. Through increased alignment to customer values, you are better positioned to define the customer journey through your organisation, and secure future access to the customer’s wallet.

Customer Journey Mapping

Sales funnel formulation and market targeting typically focuses resources and efforts on ‘top of funnel’ customer acquisition and the development of velocity around transaction creation. When considering customer-centricity, greater focus needs to be given to Post Purchase Management, and securing customer loyalty through an improved customer experience. Post Purchase Management supports the creation of brand equity, reputation, and future opportunities. Effective customer journey mapping requires the identification of market segments, target consumers, and product positioning. Once you have identified targets, it becomes easier to map the offline-online interactions of target customers and how best to engage with each distinct customer persona, amplifying or quietening their voices as they contribute to business success.

Customer Satisfaction

Customer satisfaction and the creation of customer enjoyment should be at the forefront of your organisation’s culture. However, it necessitates a mechanism to collect and codify customer feedback related to the delivery of goods and services. Various mechanisms exist to support customer satisfaction identification, including:

- Kano’s model for customer delight
- Net Promoter Score Measures, i.e. the likelihood that you would recommend a service
- Customer Effort Score, identifying the friction associated with engaging with a product or service
- ACSI Measures, which address a) Overall satisfaction, b) Expectancy disconfirmation, and c) Performance versus the ideal product or service

While it is impossible to pick just one ideal method, and organisations will need to select a solution which best supports their insight creation process, we can confidently recommend the use of CSAT surveys as critical to customer-centricity and the provision of critical insights into products and services on offer.

Conclusion

When cultivating a customer-centric organisation, all ventures and operations should be directed towards the goal of customer satisfaction; inversely, you can be assured that your business is successfully customer-centric when you observe increased customer satisfaction. In this article, I have covered how best to integrate this goal into your business plan, ensuring it follows the same steps as your customer’s journey. In the next and final article in this series, I take these basics and outline ways in which technology can be leveraged to amplify these goals.
by Tom Burton 25 October 2024
Would you feel comfortable flying in an aeroplane designed by engineers who only considered what might go wrong after they had built it? ‘Secure by Design’ (SbD) is not a technology, it is a set of principles to be adopted to improve business risk and resilience. It has strong similarity to conventional engineering practices, and it will save money by reducing wasteful rework. The critical first step is to understand the risks that the solution will be exposed to. Like Failure Mode Analysis in conventional engineering, these inherent risks form an essential part of the solution requirements. The design can then be a collaborative and iterative exercise of review and enhancement to meet the security requirements. Effort spent defining requirements before design and implementation is widely recognised to save time and money. The situation is no different with security requirements, but there are wider benefits as well, compared to addressing security late in the lifecycle: Security controls applied after design and implementation are more likely to restrict functionality, undermining overall user satisfaction and the return on investment Early engagement reduces the risk of budgets overruns, or having to accept inadequate security if you can’t secure the budget A well-documented set of risks, security controls and design decisions can then follow the solution through implementation and into operations, enabling future change to understand past rationale Above all else, late identification of risk and security requirements causes wasteful rework of the solution, which will cost time and money The key to success is defining the system scope correctly. If the scope is too great and encompasses a number of separate systems, then the benefits are eroded and the exercise becomes more akin to a homogenous enterprise risk assessment. If the scope is too small, the number of systems becomes unwieldy and unsustainable to assess and manage. 
It is not a Technology, and it is not New

Despite what you might believe from some of the cyber tech product sheets, SbD is not a technology (for that matter, Zero Trust, which we see as a valuable component of SbD practice, is not a technology either). It is a philosophy or strategy: a set of principles that bring efficiency, consistency, and discipline to cyber risk management. You may find tools that help you to adopt these principles, and the practice requires a sound understanding of technology, but above all SbD is a human endeavour.

Like many other buzzwords in the security community, SbD is frequently presented as something rather mystical, requiring specialist knowledge and attracting a new set of standards and vocabulary. We don’t hold with this concept; in our view, it ‘does exactly what it says on the tin’. It is about ensuring that the system’s very design enforces security and mitigates risk, rather than relying on sticking plasters applied after implementation. Whether those design features are preventative controls, controls to detect and respond to issues, or any other category, they will have been defined and tuned to the specific risks and characteristics of the solution in advance (and managed through life).

The concept is not new. The benefits of early security engagement have been known for some time, but sadly this has frequently been ignored. As the cyber security industry matures, and the frequency and impact of cyber attacks on businesses increases, the call for this discipline has been growing. Governments are starting to mandate it in the standards and security governance of technology programmes.

The Similarities between Digital and Conventional Engineering

Most engineering lifecycles, not just those related to digital solutions, recognise the importance of spending adequate time defining the requirements. At the start of the programme, the level of uncertainty will be at its greatest.
The purpose of Requirements Engineering is to reduce that uncertainty so that design and implementation can proceed with direction, and to minimise the number of ‘wrong turns’ that have to be unwound. If you do not reduce uncertainty as early as possible, the problems grow as they move downstream, and solving them then becomes a disheartening exercise in ‘pushing water uphill’.

Let us imagine that we want someone to build us a house. We would go to our local house-building company and commission the job; if they started immediately, the chances of the end result being anything like what we originally wanted would be almost zero. Where do we want our home located? How many bedrooms, bathrooms, and living rooms? What architectural style? What about the fixtures and fittings? We would identify everything wrong once the sub-optimal, ill-thought-out building was completed for our inspection. Putting those right at this stage will cost orders of magnitude more than they would have with an effective design phase. Worse, there will be many issues that we cannot put right without starting again, and therefore we will be left operating in a flawed and compromised solution.

Where do we Start?

So, how do we identify the security requirements for the design? What is Requirements Engineering in a security context? The security requirements are defined by the risks that the solution will be exposed to. One of the most important SbD principles emphasises this by stating that you must ‘adopt a risk-driven approach’. These risks, and your organisation’s appetite to accept risk, determine the requirements for controls; or, to put it another way, the controls are required to mitigate the risk to a level that is within your organisation’s appetite. Again, there are similarities with conventional engineering. Understanding the risks that the design must treat is similar to identifying the Failure Modes of an aircraft or other system.
The risks need to be articulated so that all stakeholders, including the non-technical and non-security communities, can understand them. Getting all stakeholders to sign off on these inherent risks is crucial to ensure that everyone recognises the constraints the solution will be confined by. If you do not have a sound understanding of the risks before work starts on the design, let alone the implementation, then you are lacking an essential part of the solution requirements.

Review, Collaborate, and Iterate

Once you have the security requirements, you can feed them into the design process in the same way as functional requirements. Selecting appropriate controls to meet the requirements will undoubtedly require some specialist expertise. However, this is no different from the requirement for technical architects to be familiar with the technologies employed in the solution stack.

This design process should be iterative. Requirements change, frequently because learning in one iteration provides feedback into the next. The security requirements may influence the architectural approach to fulfilling the functional requirements. Occasionally, a complete rethink may be required to adjust the functional requirements to meet the security constraints while also meeting the business needs. However, as in the house-building analogy above, the time spent optimising the design will be significantly less than the time, cost, and disruption caused if security is addressed later in the lifecycle.

Each iteration takes the proposed design, reviews the inherent risks to identify any that can be retired and any new ones that have been created, assesses the residual risk given the existing security controls, and identifies additional security controls to reduce the residual risk to an acceptable level. Done collaboratively, this introduces fast feedback into the design process, and, over time, the technical architects will become more familiar with security issues and their resolutions.
Zero Trust’s Role in the Exercise, and Scope Definition

Zero Trust is another trending buzzword, frequently camouflaged with mystique or hijacked as a ‘feature’ on product sheets. My view on Zero Trust is similar to my view on SbD: it should be easy to understand, and it ‘does exactly what it says on the tin’. In design and in operations, we start from the baseline that nothing is trusted. Whether it is digital identities, devices, applications, or services, we can only trust them once we have an objective and explicit reason to trust them.

We use the principle of Zero Trust extensively when applying SbD. By having no implicit trust in any identity, device, or service, we can decide on the minimum level of trust we need to enforce and the maximum level of trust that the entity can offer. If the maximum trust on offer is less than the minimum trust we need, then there is a design decision to be made about how we close the gap. It may be necessary to reduce functionality in order to reduce the required minimum. Or, we may need to put in place other compensatory controls to reduce the risk in other ways.

Defining an appropriate scope for the system is key to success. If you set the scope too large, then everything is inside the ‘circle of trust’, and SbD becomes a homogeneous exercise in enterprise security. If you set the scope too small, then you will drown under the sheer quantity of projects to manage.

The World is not a Greenfield Site, and Security is not a Fire-and-Forget Weapon

The world is not a greenfield site, and there will be challenges retrofitting an SbD approach to the broad portfolio of legacy solutions. There is no simple or quick solution to this; it will be a case of progressively revisiting each project’s architecture and identifying the changes that will make it secure by design. But risk can help us here too.
Some projects or services will be sufficiently low-risk that they can be tolerated until they are retired (so long as they are not trusted by any other, more important system). The SbD approach lends itself well to a progressive rollout. SbD will limit the negative impact that a legacy system can have on a target system, because nothing outside of a project’s scope is implicitly trusted. You can only reach a perfect world by progressively taking steps to make it a better world.

In this article, we explain why risk management needs to be addressed at the design phase of projects. This does not mean that we believe this is the end of the journey. Security and risk management still need to be managed in operations, as new threats change the risk profile or change is applied to a system. But with the foundations laid early in the lifecycle, the task of management through life becomes easier. The documentation generated by SbD should provide clear traceability between risks and controls. When a project is reviewed in life, the rationale behind previous decisions can be clearly understood, enabling change to be an informed process.

Summary

This article outlines why I believe applying the principles of Secure by Design avoids issues getting into operations, and saves time and money. If what I have described already seems obvious, then that is positive. However, from my experience, too many projects do not consider security to be an essential component of design. I believe that this is a missed opportunity, and, when applied correctly, it delivers solutions that are more secure and easier to manage.
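As an added illustration (not part of the article or of Cambridge MC's material) of the review iteration and the risk-to-control traceability described above, the following Python sketch models a small risk register: each risk's inherent score, the controls mapped to it, the residual score against a stated appetite, and a record of which control treats which risk. The three-level scale, the risks, the controls and their effectiveness values are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed three-level scale; a real register uses the organisation's own.
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    rid: str
    description: str
    likelihood: str  # LEVEL key
    impact: str      # LEVEL key

    def inherent(self) -> int:
        return LEVEL[self.likelihood] * LEVEL[self.impact]

@dataclass
class Control:
    cid: str
    description: str
    treats: tuple    # ids of the risks this control is designed to treat
    reduces: str     # "likelihood" (preventative) or "impact" (detect/respond)
    levels: int = 1  # scale steps the control removes

def residual(risk, controls):
    """Score left once every control mapped to this risk is applied."""
    like, imp = LEVEL[risk.likelihood], LEVEL[risk.impact]
    for c in controls:
        if risk.rid in c.treats:
            if c.reduces == "likelihood":
                like -= c.levels
            else:
                imp -= c.levels
    return max(like, 1) * max(imp, 1)  # no control drives a level below 1

def review(risks, controls, appetite, candidates=()):
    """One review iteration: score residual risk against appetite, add candidate
    controls only for risks still above it, and return the traceability record
    (risk -> inherent, residual, within appetite?, treating controls).
    A risk still above appetite after all candidates is the 'design decision'
    the article describes (reduce functionality or find other compensation)."""
    chosen = list(controls)
    for r in risks:
        for cand in candidates:
            if residual(r, chosen) <= appetite:
                break
            if r.rid in cand.treats and cand not in chosen:
                chosen.append(cand)
    record = {r.rid: {"inherent": r.inherent(), "residual": residual(r, chosen),
                      "within_appetite": residual(r, chosen) <= appetite,
                      "controls": [c.cid for c in chosen if r.rid in c.treats]}
              for r in risks}
    return record, chosen

# Constructed sample register for an online service (illustrative values only).
RISKS = [Risk("R1", "Customer data exposed through injection", "high", "high"),
         Risk("R2", "Admin console reachable from the internet", "medium", "high"),
         Risk("R3", "Public marketing page defaced", "low", "low")]
EXISTING = [Control("C1", "Parameterised queries", ("R1",), "likelihood")]
CANDIDATES = [Control("C2", "Admin console behind VPN with MFA", ("R2",), "likelihood", 2),
              Control("C3", "Database activity monitoring", ("R1",), "impact")]
```

With an appetite of 3, `review(RISKS, EXISTING, 3, CANDIDATES)` brings R2 within appetite by pulling in C2, leaves R3 untouched, and reports R1 at a residual of 4 with C1 and C3 applied, which is the point at which the design itself has to change.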
by Mauro Mortali 24 October 2024
"If you want to build a ship, don’t drum up people to collect wood, divide the tasks, and give orders. Instead, teach them to yearn for the vast and endless sea." —Antoine de Saint-Exupéry

The need to communicate complex topics to third parties, whether they be executives, stakeholders, or potential clients, is a universally recognised challenge across industries and sectors, particularly doing so in a way that connects with the people behind these roles. You can enter a meeting with all of the evidence, data, insights, and analysis, but unless you make an emotional connection with your audience, you are only going to get halfway there. In other words, you might win their minds, but how are you going to win their hearts?

In this article, Mauro Mortali, Senior Partner for Strategy and an expert in leveraging the power of narrative to convey a message, details how to apply age-old story structures and techniques in a business context to amplify communication and build positive working relationships. This approach of using the power of story is a key part of how Cambridge MC delivers Strategy Development projects.

The Science of Story

The practice of storytelling is an intrinsic part of human nature and our history. Cave paintings may consist of pictures rather than words, but they still tell a story, and they show that constructing narratives is as old as communication itself. Since then, story has proved invaluable for enabling us to share experiences, transfer knowledge, and build social connections. In fact, there is evidence to suggest that story is the primary lens through which we interpret the world and digest our day-to-day lives. Though it may seem reductive, our brains are constantly creating a world for us to understand our experiences, populated with ‘good guys’ and ‘bad guys’, main characters (Me!) and deuteragonists (You).
All of our milestones, memories, and goals become the plot points that tell the story of our lives. This makes stories the perfect, universal language with which to engage other people. Our brains respond positively and attentively to stories because they eliminate distraction and help us to remain focused on a particular topic or message. We register stories with the same receptors that detect speakers, giving them the ability to reach our psyche more quickly and facilitate a shared experience.

In a Board Room Far, Far Away

So how can we apply these practices and principles to our working life? In short: decision-making is driven by emotion first and rationality second. We spend a lot of our time justifying decisions that we have already made with our gut. Fundamentally, organisations are systems of people who are characterised and steered by their emotions, and so organisations should be considered a network of collected emotions. Thus, data may speak to a person’s rationality, but it is often not enough to influence their actions or their decisions. Stories are significantly more powerful for the way they capture someone’s emotions, and so the language and narrative you use to frame your data carry much more authority. Below are several techniques that you can use to strengthen this framing and facilitate an emotional connection with your audience.

Narrative Arcs

A narrative arc can be a useful tool for structuring a speech or proposal to make its delivery more cohesive, relatable, and dynamic. There are numerous classical arcs which you can adapt to fit the message you are seeking to convey and the tone you are hoping to create. The Cinderella Story, for example, provides an inspiring rags-to-riches trajectory which communicates hope, optimism, and determination.
Man in a Hole (a person leading a perfectly bearable life finds misfortune, overcomes it, and is then much happier afterwards) is useful when encouraging someone to escape from a stagnating situation. And when you need to face your fears, or empower someone to do the same, Overcoming the Monster (an underdog story where the main character sets out to destroy a greater evil of some kind) provides a positive framework for success.

The most common and popular, however, was uncovered by Joseph Campbell (1904-1987) in the 1940s, upon collating and studying all available myths, legends, and fairytales across the world to compare them for similar patterns and structures. Following this thematic analysis, Campbell coined the Hero’s Journey, a monomyth which can be applied to nearly all protagonists from classical to modern fiction, and now the boardroom, following their journey from the call to adventure, through initial resistance and influence from a wise mentor, to ultimately pursuing their mission. Simplified, this becomes a universal and accessible three-act structure of Context / Conflict / Resolution (known to some as SOAR: Situation, Obstacle, Action, Result) which can be used to frame any story and give it an emotional, uplifting ending.

Hook, Line & Success

When you begin a story, open in a way that immediately captivates your audience and sustains their engagement and belief in what you are about to reveal. These openings are referred to as hooks, and, similar to narrative arcs, there are numerous different kinds that you can use. For example:

- Provocative Question: Intrigue your audience with a provocative question that compels them to learn the answer, e.g. What if a single app could revolutionise the way we manage our health?
- Personal Anecdote: Speak to the human, emotional side of your audience by pulling from your background or that of your company, e.g. Five years ago, our founder was living out of a van chasing a dream; today, that dream is a $1 million enterprise.
These represent only a couple of examples, but it is important to remember that the rule of first impressions applies just as much to your story as it does to you, so open with something charismatic that will make your audience want to learn the rest.

Know Your Audience

Choosing a hook to open your story should be informed by a keen understanding of your audience. Specifically, predicting how they will respond to a topic depends on knowing their comprehension of it before you begin. One way to visualise this is through the idea of a Story Ladder, which extends from a place of no awareness of your given subject or message and lands in a place of actionable understanding. The rungs in between represent all the stages of knowledge it takes to get from one end to the other, and so it is unrealistic to expect your audience to be able to jump multiple rungs at a time. Before addressing your audience, first acknowledge where on this ladder they are, anticipate where you would like them to end up, and plan how you will manoeuvre them there.

Another way to imagine this ladder uses a more emotional structure. If you view the top of the ladder as a feeling you want to produce, you can use the rungs as stages to work out how you can produce an emotional pay-off.

Happily Ever After

We will finish our story with a reiteration of the importance of speaking to the hearts of your audience, as well as their minds. One half of this may be supported by data, facts, and figures, but the rest is ensured by a relatable, thought-through, and structured delivery which speaks to the human, rather than just the client, employee, stakeholder, etc. This can be informed by turning to the idea of story, a premise which everyone has grown up with, whether consciously or not, and which thus evokes a social feeling of community and amplifies your message with importance and universality.
In this article, we have detailed the basic methods of forming this structure and improving how you frame your narratives, but for further guidance and information on this topic and how Cambridge MC uses story within Strategy Development projects, get in touch with Mauro Mortali, Senior Partner for Strategy.