Taking a mature approach: How assessing cyber posture can help the bottom line

Phil Robinson, Principal Consultant at Prism Infosec, details how addressing cyber maturity can improve a business’ cybersecurity strategy.

Determining the effectiveness of your cybersecurity measures might seem like a no-brainer. Yet, a recent report from industry group ISACA reveals that only 65% of organisations regularly carry out a cyber maturity assessment.

What’s more, the State of Cybersecurity 2023 report notes that this figure has remained largely static over the past two years, which suggests the assessment is still perceived as an expense with no return rather than as a means to focus security investment and avoid the far greater cost of dealing with a breach.

Firstly, it’s worth defining what cyber maturity is and placing its achievability into context. ISACA describes it as an organisation’s strategic readiness to mitigate threats and vulnerabilities, but it’s important to note that this is a moving target. As cyber-attacks evolve and the threat spectrum grows, the security provision needs to counter that growth pre-emptively, so a cyber maturity programme must keep pace with that rate of change. The only way to determine whether the two are well synchronised is through a cyber maturity assessment.

Cyber maturity is evaluated by looking at the security controls and processes that are in place and their ability to prevent, detect and contain a potential incident. Assessments are based on a risk-based framework such as the NIST Cybersecurity Framework (CSF), with the level of achievement for each area graded on a sliding scale of 0-5 or using graded terminology (e.g. initial, developing, defined, managed or optimised), thereby providing a benchmark that can be tracked over time.

This allows areas to be identified for improvement. It’s also invaluable because it communicates the effectiveness of the current provision in a way that is intelligible to IT/security teams, senior management, and the board.

Addressing cyber maturity can create an elevated status

In fact, developing an understanding of, and effectively communicating, an organisation’s cybersecurity posture is so important that it has now been enshrined as a sixth function in NIST CSF 2.0, released in February 2024. In the second version of the CSF, which was originally developed ten years ago with US critical infrastructure in mind, the framework has been adjusted to make it more applicable to the commercial organisations that now use it worldwide.

Joining the five existing functions of identify, protect, detect, respond, and recover is a ‘govern’ function that spans them all and addresses how the organisation’s cybersecurity risk management strategy, expectations and policy are ‘established, communicated, and monitored’. Govern should elevate the status of governance and may well increase demand for cybersecurity maturity assessments.

However, there are several other drivers that should boost adoption. A cybersecurity maturity assessment can provide hard evidence of the due diligence that businesses need to demonstrate in a number of scenarios. It’s increasingly being demanded by cyber insurers, for example, who are seeking evidence from prospective or renewing clients of the controls they have in place to reduce risk and of their level of exposure.


There’s evidence that maturity does reduce risk in practice, too: the State of Cyber Defense 2023 report from Kroll found that organisations with strong cybersecurity maturity experienced fewer security incidents and were considerably more successful at detecting zero-day attacks.

It’s claimed this has the potential to save millions, given the high cost of dealing with a data breach: the average cost has risen by 15% over the past three years, according to the Cost of a Data Breach 2023 report from IBM. Consequently, having a documented understanding of cyber maturity could help an organisation secure insurance and even drive down the cost of premiums. It may even become a mandatory requirement in the future, much like an MOT certificate is for keeping a car on the road.

Regulation as a driver

From a regulatory point of view, a cybersecurity maturity assessment can also help with compliance. We’re seeing a tranche of new regulations come into force this year, a notable example being the Network and Information Security (NIS 2) directive, which EU member states must transpose into national law by 17 October 2024.

While this only applies directly within the EU, it will also affect UK and other non-EU businesses that trade there, and the UK is expected to make revisions to its own predecessor regime, the NIS Regulations, which continue to apply in the UK.

NIS 2 sees a substantial expansion in scope: it is expected to bring over 160,000 entities across 18 sectors deemed essential or important to the economies of the countries involved into scope, and it introduces personal accountability for senior management and substantial fines for non-compliance. For these reasons, many are now advocating that the first step a business should take on its journey to compliance is to undertake a cybersecurity maturity assessment, which can show where the business currently sits against the requirements and what it needs to do to address the gaps.

These are all strong reasons to perform a cybersecurity maturity assessment, but for many there is a struggle to justify the time and resources needed to carry one out. The top three reasons unearthed by ISACA for not doing so were the time required (41%), insufficient personnel to perform the assessment (38%) and a lack of internal expertise (22%). Resourcing was also an issue, with a rise in the number of respondents claiming they lacked the right tools (19%) or that the cost of tools was an impediment (18%).

These issues are being felt across the board, regardless of the size of the business. SMEs, for example, may have a smaller attack surface but also tend to lack a risk management strategy. At the opposite end of the scale, large corporates, which may have a dedicated CIO/CISO and an audit team, are finding that both are overstretched by increasing workloads.

For these reasons, outsourcing the assessment is becoming a popular way of benchmarking cybersecurity posture. Yet, in order to truly move the needle and compel organisations to undertake such assessments more frequently, they need to be able to see not just the operational but also the financial value.

That’s now beginning to happen as cybersecurity insurers and regulators boost the case, which can only be a good thing.

The hope is that adoption gathers pace so that these assessments become a routine part of the way in which businesses operate, increasing awareness of, and communicating the need for, cybersecurity resilience across the entire organisation.
