What’s the point of a cyber security maturity assessment?
Dr Meredith Patton, Director of Cyber Operations with Keith Buzzard, Chief Technology Officer
At worst, information assurance consultancy can feel like paying somebody to tell you what you already know, or to do work that, at least in theory, you could do yourself. As a cyber security provider, we obviously beg to differ, but we acknowledge that when most companies have multiple areas competing for each pound of investment (security included), the case for cyber security investment needs to be robust and go beyond the ‘fear scenario’ approach (i.e., your network might get hacked if you don’t do this).
This is especially so in relation to cyber maturity assessments, a form of consultancy that broadly assesses the gap between what ‘ideal’ looks like for your organisation’s cyber security, and its current state. Cyber maturity assessment does this by interrogating a comprehensive set of data points against recognised good cyber security practices and standards. Your organisation ends up with a ‘starting point’ status and, usually, a target maturity status together with a set of recommendations for how to get there and what activities to prioritise.
Paying for a ‘starting point’ may well seem like an indulgence. But there are good reasons why a maturity assessment could, longer term, deliver better value for money for an organisation’s security investment. To illustrate this, we’ve pulled together some of the most common objections we’ve fielded in relation to proposed cyber maturity assessments, and our responses to them.
“We already know where we are, even if we’re not perfect.”
Most organisations will have a view on how mature their security operations are. But this view can be distorted by internal biases. For example, the internal security team that wrote the processes for secure operations may assume those processes are being followed, simply because the processes matter to their author. A review of what is actually being practised, though, may reveal considerable gaps between aspiration and reality: a documented patching cadence that is not met, an access review that is signed off without being performed, or an incident response plan that nobody outside the security team has read. In addition, organisations with little or no in-house security expertise may struggle to form an objective view of their requirements at all.
An external maturity assessment delivers the same effect as a financial audit: an external party dispassionately assesses what is actually going on in a critical area of your business, and tests the documented position against the evidence. If cyber security is important to your organisation, then subjecting it to this external scrutiny will deliver an unbiased view of your security requirements and of how well they are being implemented.
“We have our own specialists.”
Many organisations are fortunate to have in-house expertise in IT and IT security. As such, an external assessment may be viewed as an insult to their competence. However, this would be short-sighted. Just as with an external financial audit, an external security company will come (a) without any internal company agenda and (b) with a wider frame of reference than an internal team will typically have. PGI’s staff have worked with over 500 different organisations to date, looking at security practices and structures that range from the ‘barely there’ to the outstanding. They will use all of this experience and accumulated knowledge in assessing (and validating) your setup. As such, they may be able to recommend actions that not only reduce the likelihood and impact of a ransomware attack but might also save your organisation some money in the process.
We’re certainly not dismissing your team’s expertise, but we can help them expand their perspective.
“Can we please just crack on with the pen test and the software evaluation.”
With ransomware attacks on the increase, so too is scrutiny (from shareholders, insurers, regulators, etc.) of organisations’ cyber security practices, and the pressure to do something specific and tangible in response. Practical exercises like penetration testing are a popular measure, and a good schedule of regular testing will certainly do a lot to protect an organisation’s network. But a penetration test has a defined scope and a point-in-time result: it tells you which weaknesses a tester could exploit in the systems in scope on the day. It won’t protect your organisation from poor staff security awareness or practices, from weaknesses in systems that were out of scope, or from the absence of robust business continuity and incident response planning in the event that the worst happens.
Cyber maturity assessment not only looks at your security as a whole, it can actually save money, by capturing your risk appetite and matching it to the security measures you take. Where an organisation has exceeded its maturity goals in a given area, external validation and reporting of this can justify reducing spend there, with the savings either recovered or deployed where the gaps are larger. Likewise, an honest look at what a given control actually delivers can uncover a disproportionate cost relative to the risk it reduces, as is often the case with expensive cyber security products that are bought in response to a headline rather than a measured need.
“How is an external consultant going to understand us?”
The quick answer to this is, simply: “as well as you help them to”. A good cyber maturity assessment is, above all, data-driven. It involves the participation of a cross-section of people from your organisation in a range of data capture activities (interviews, document review, and examination of how controls are actually configured and operated) which help the consultant build up a comprehensive picture of your organisation, and relate that to their experience of international standards and good practice, as well as of other comparable organisations. With the right client involvement, the maturity assessment goes beyond a ‘check box’ audit to build a nuanced picture of overall cyber maturity, and a corresponding set of prioritised recommendations. Like any other consultancy, a maturity assessment will only be as good as the data it has to work with, but with your support and involvement, this can be very good indeed.
Want to know more?
To be clear, maturity assessments aren’t always the first answer. But for organisations struggling to prioritise competing investment requirements, organisations that need to demonstrate due diligence to their clients, or organisations that are simply unsure how well they are currently managing security risk, maturity assessments can be a valuable source of data that delivers clarity in the first instance and saves investment over the lifetime of an organisation’s security practices. If you would like to know more about whether a maturity assessment is right for your organisation, contact us and we would be happy to talk you through it: firstname.lastname@example.org or +44 (0)845 600 4403.