Is my organisation doing cyber security correctly?
Dr Meredith Patton, Director of Cyber Operations and Karis Bouher, Communications Manager
A question we often hear from our clients is, “are we on the right track?” Of course, when it comes to digital/cyber risk there is no simple answer to this; there never is. In fact, if you look at many of the cyber security related studies/surveys, many organisations are still struggling with the same issues in 2021 as they were in 2015. Phishing awareness, supply chain management, incident response and legal/regulatory compliance remain very much at the top of the list for many of our clients. Above all, organisations everywhere are faced with the challenge of getting the most out of invariably limited cyber security budgets.
Your business operations are never static—how can they be when so many of the elements that influence your organisation change over time? It could be the growing market and the requirement to keep innovating and investing in new technologies. Increasing regulatory requirements could throw greater focus on your sector or part of your operations (such as HR or Finance). The enormous change to working practices since the COVID-19 pandemic may mean that security and other governance measures already in place are no longer appropriate/fit-for-purpose.
In light of this, perhaps the right question to ask is not just “are we on the right track?”, it’s also “do we have the right governance in place?”. This is because governance is, put simply, about the way things are done. For example, you can have a great cyber security strategy drafted and in place, but if nobody owns it, or measures progress against it, then it may not be effective. Who owns the digital risks to your organisation? How are they being managed? How are you benchmarking progress?
In this article we look at cyber maturity assessment as a way of effectively measuring ‘how things are done’ in relation to cyber security in your organisation, and why it can enable you to really track where you are at and whether it’s the ‘right track’.
5 things a cyber security maturity assessment will tell you about your organisation
A cyber maturity assessment of your organisation will capture what’s working and what isn’t, giving you a clearer path to operational resilience. Here are the five things a cyber security maturity model should tell you to help you answer the “are we on the right track?” question:
What your organisation’s security targets/goals are, or should be.
An organisation’s cyber security goals may be as simple as keeping customer data secure, or reducing the risk of cyber attack. More likely, your goals are more complex and may be part of a broader business plan considering risks to your organisation and how to mitigate them. In the cyber security domain, this could include various issues such as developing staff awareness of cyber threats, meeting data protection requirements such as GDPR or (for medical providers) DSPT, information management, change management and technical controls, to name just a few. Invariably, some of these will be more important than others in the context of your business operations.
Where the important gaps are in your current security measures
By helping to define your security goals, a cyber maturity assessment allows you to focus on what you most need to do to meet them. For example, if your supply chain is critical to your business, gaps identified in your supply chain security mechanisms will indicate a high level of risk. Established priorities and goals can also shift in response to external factors, the obvious example being the huge trend towards home-based working brought on by the COVID-19 pandemic in 2020. This could mean that you need to take a fresh look at your technical controls for remote workers.
Which areas you’re already effective in
Conversely, and somewhat more positively, assessing what you’re already doing will show you where your team is already achieving or exceeding expectations in any given area. A competent maturity assessment will identify what’s ‘good enough’ in the context of your organisation and its needs across a range of issues: staff awareness and education, physical security, technical controls and so on.
What you need to do to close the most important gaps
This is where a cyber maturity assessment really touches on the governance of your security—or ‘the way things are done’—because it will look at all the important components of having something like adequate data protection in place. For example, whether there are defined roles and responsibilities in relation to data protection, the extent of top-level support and ownership of the issue, and whether there is a credible data breach plan in place. Identifying the absence (or presence) of these components will help you pinpoint where effort must be concentrated, how that effort is concentrated and in which order actions should be prioritised. Particularly when there is a large number of tasks and a limited budget, this prioritisation is vital to ensuring a sustainable approach to improving your organisation’s cyber security maturity. And, of course, knowing this will facilitate effective project planning, resource forecasting and budgeting, and provides companies with a cyber strategy planning tool.
What skills you may need to maintain and improve your cyber security
Does your organisation have the right skills, in-house and/or outsourced? We talk a lot about the cyber skills gap—it’s a growing problem—and organisations of all sizes are struggling to fill vital positions. For some organisations, cyber security is ‘owned’ by IT or by someone with specific cyber security skills, with the rest outsourced to specialists. Larger organisations may have an in-house team that does the bulk of the work, such as running a SOC (Security Operations Centre), but outsources more specialist or compliance-related work such as PCI DSS accreditation or penetration testing. If you know what your priorities are, you can identify the skills required and whether they need to be in-house, outsourced or a combination of the two.
Is my organisation on track to cyber security maturity?
Data is vital to truly understanding how well your organisation is managing cyber security risk and for developing the pathway to ensuring those mitigations are sustainable and pragmatic in an ever-changing threat landscape. A cyber maturity modelling and assessment engagement provides the right data to help your organisation to either demonstrate that it is on track, or to discover how to get on track; this delivers value in almost every scenario. Contact us to discuss how we can help you understand how well your organisation is managing cyber risk: firstname.lastname@example.org or +44 (0)845 600 4403