By Phil Robinson, Principal Security Consultant, Prism Infosec
Establishing basic cyber hygiene practices is vital but how should the security team then seek to build on these foundations and bring about improvements? After baselining the security posture of the business it makes logical sense to assess the cyber maturity of the business at regular intervals to help improve resilience. However, only 65% of businesses do so at the present time according to ISACA’s The State of Cybersecurity 2023 report and the needle hasn’t moved in the last three years. So, what does cyber maturity entail and how can organisations measure it?
ISACA defines cyber maturity as being an organisation’s strategic readiness to mitigate threats and vulnerabilities although very few organisations are truly cyber mature. According to a report from McKinsey, the vast majority(70%) of organisations have yet to advance to a mature-based approach and only 10% are approaching that level of advanced cybersecurity functions.
Misunderstood maturity levels
What’s more, most don’t accurately gauge their maturity level. Unmature businesses overestimate their level of maturity, with the State of Cyber Defense 2023 report from Kroll finding 43% in the novice group thought their detection and response was fully mature and required no further improvement. In contrast, trailblazers that are mature were found to underestimate their level of maturity which could see them needlessly devoting spend on bolstering already tight procedures and processes.
Becoming cyber mature is therefore a long journey but it is attainable provided the organisation is prepared to systematically evaluate and commit to improvements. Cyber maturity assessments are a key part of this, with most organisations (39%) carrying these out on an annual basis, according to the ISACA report. But in order to move forward with the maximum return, organisations need to take a risk-based approach that recognises that some assets are more critical than others and security measures are proportionate.
Taking this approach to cyber maturity requires the use of risk cybersecurity framework such as the NIST CSF which can then be used to assess the level of progress made. The five areas are covered by the NIST CSF – identify, protect, detect, respond and recover – can then be used to measure the level of competency reached, usually on a sliding scale of 0-5 or by being described in similar terms such as initial, developing, defined, managed or optimised.
The way a cyber maturity assessment is carried out will usually see interviews carried out with key personnel, documents and policies reviewed, and processes and practices observed to seek how well these mitigate the risks identified from the CSF. Typical areas are likely to include asset management, supply chain risk, identity and access management (IAM), employee security awareness, data protection, monitoring and threat detection and incident response and recovery. The end report will then not only furnish the organisation with a summary of its level of maturity in these areas but will also provide insights into how improvements can be made.
Why not measuring maturity is a mistake
It’s a process that you might assume any responsible business would take but the reality is that many organisations don’t have the time or resource to carry out. Many don’t even know what their risk profile is and it’s not uncommon to find that financial data or intellectual property (IP) are not recorded on asset lists, for instance. Smaller organisations don’t have personnel they can assign to risk management and so often realistically don’t have any risk management processes either. Larger corporates may have an internal audit team or CIO but they are frequently overstretched. Indeed, the ISACA report found the top three reasons for not conducting regular risk assessments were the time commitment involved (41%), not having enough personnel to perform the assessment (38%) and lack of internal expertise (22%).
Shockingly, ISACA found one in five organisations do not carry out cyber maturity assessments at all. However, the McKinsey report demonstrates that becoming cyber mature can confer real advantages on the business. The leaders were shown to have low failure rates during employee phishing awareness training, reviewed and revised their cybersecurity priorities at least annually, centrally controlled identity and access management, regularly scanned for vulnerabilities and used general and specific threat intelligence to mitigate risk. The Kroll report also found that trailblazers with high cyber maturity experienced less security incidents, saving millions.
What these results all indicate is that no matter the size of the organisation or where it is positioned on the maturity matrix, there are benefits to be had from knowing the risks and measuring the cybersecurity stance. A cyber maturity assessment can help identify where those risks are, how effectively they are being mitigated and where there is room for improvement, reducing the likelihood of the business over or underestimating the effectiveness of its defences. That in turn will help direct spend to where it is needed which in today’s challenging economical climate must be a wise move