When is a good time to do a cyber maturity assessment?
Dr Meredith Patton, Director of Cyber Operations
Most of us love data, especially when it gives us a sense of progress. I say this as a confirmed FitBit tragic who lives for yet another point on my ‘cardio fitness’ score. It feels like tangible proof that all those hours of breathless, red-faced agony are generating the right result.
Similarly, the proliferation of cyber security ‘maturity assessments’ is meeting the growing demand for organisations to be able to demonstrate their progress towards good cyber security practice. At their best, these assessments bring clarity to an organisation’s risk profile and priorities, and give a relevant and realistic picture of how well its cyber security policies and practices reflect them. Good cyber security maturity assessments also give clear direction on what needs to be done in order to achieve target maturity. They can save money by showing where current levels of investment are already adequate and directing further investment to where it is most needed.
Elsewhere, we have laid out the benefits of professional, external cyber maturity assessments in more detail and addressed some of the common misconceptions about the value of doing one. However, the timing of an assessment is also a key factor in its effectiveness and value. Below are some considerations which should be factored into the decision to go ahead, in order to get the most out of a maturity assessment.
Has your organisation begun to seriously address the issue of its cyber security?
If your organisation is at the very beginning of its cyber security journey, then a detailed assessment is not likely to tell you anything that you don’t already know: that you don’t have much in place and you need to do something about it. At worst, a very negative assessment might make implementing better cyber security seem overwhelming. In this instance, it might be better to start with the basics; for example, in the UK, the NCSC-endorsed Cyber Essentials or Cyber Essentials Plus schemes. These are an excellent starting point for achieving basic levels of cyber security and delivering some resilience against threats. Increasingly, they are also prerequisites for partnerships and opportunities with other organisations, especially within Government. Implementing them will teach your organisation much about its own ability to change and put structures in place and, of course, about its current level of security (e.g., the defences and processes that already exist). It also helps prepare for the non-technical aspects of cyber security maturity (such as behavioural change), which can require executive time and process change.
If your organisation has completed Cyber Essentials and has also begun to implement some specific security measures—such as (but not limited to) regular penetration testing, staff awareness initiatives and risk reviews—then a cyber maturity assessment could help your organisation achieve a more holistic view of its cyber maturity. And when this is measured against risk appetite and the threat environment, it could help set direction and prioritise action for effective—and cost-effective—cyber security well into the future.
Does your organisation have a developed view of the cyber threat and the specific risks to it?
Cyber security is very much (but not wholly) a business of risk management; as such, the extent to which different organisations choose to mitigate cyber threats will vary. A cyber maturity assessment will give your organisation an objective view of its security practices and policies, but subsequent decisions to act on the results of the assessment will need to be informed by the organisation’s risk appetite and business priorities.
If your leadership don’t have a view on the cyber threat, or perhaps don’t know what is at risk, the starting point needs to be education. We have provided many of our clients with executive cyber awareness sessions to help their leadership understand the broader cyber threat and what it looks like for a specific sector or business. The sessions help senior stakeholders understand the potential costs of a cyberattack or data breach, and how their current measures stack up against the rest of their sector.
How invested is your organisation’s leadership in its cyber security?
The best cyber security maturity assessments involve a high level of engagement not just with the organisation’s nominated information security points of contact (POCs), but with its leadership team. Leadership engagement is critical from two perspectives: firstly, the need to have a view on the perceived cyber threat to the organisation and its appetite for risk in relation to this threat (as noted above), and secondly, the will to invest in and implement changes that will contribute to improved cyber security practices and awareness.
A maturity assessment is usually going to recommend some changes or improvements to the status quo. Of course, IT and other parts of the business can support this operationally, but visible leadership buy-in and support will be the key factor in ensuring that the changes ‘stick’ and are taken seriously across the organisation. Legal obligations in relation to matters such as data protection, as well as the organisational benefits of increased cyber maturity, can and should be communicated across an organisation; but the extent to which that organisation’s leaders are seen to be taking cyber security seriously will determine how much the message ‘sinks in’ and, accordingly, how much value the organisation gets out of its maturity assessment.
If you aren’t sure whether it’s the right time for your organisation to do a cyber security maturity assessment, PGI can help. Our consultants will help you work out where your organisation is on its cyber security journey, and what the most effective ‘next step’ is, whether this is a maturity assessment or something else. Contact us via: +44 (0)845 600 4403 or email@example.com