Understanding risk is one thing, but how do you know if your organization has what it takes to withstand those risks being realized? Establishing cyber maturity can help determine resilience, where the strengths and weaknesses lie, and what needs to happen to improve those security processes.
In its recent The State of Cybersecurity 2023 report, ISACA describes cyber maturity as a work in progress. The reference is not just a nod to the fact that assessments should be carried out periodically but to the fact that uptake is not as high as it should be. The number carrying out regular assessments (65%) has not moved over the past two years, revealing adoption has stalled.
This seems surprising given that the demand for verifying the level of cyber maturity within the organization has never been higher. In the face of escalating risks leading to more claims, cyber insurance providers are now pushing for cyber maturity assessments to determine their risk exposure when quoting for policies, for example. The likelihood is that such demands will become the norm as these providers seek to increase market penetration in the face of escalating threats (currently increasing premiums, dampening uptake).
Where it adds value
There are other clear benefits to the business in determining cyber maturity. By identifying gaps to security controls (and thus potential risks to the organization), it can help with reporting to the board on cyber security posture, while for the C-suite, amid a recession and skills crisis, need to be laser-focused when it comes to invest, being able to pinpoint where and how to dedicate spend is also invaluable.
Moreover, as measuring maturity is a proactive risk-based process that seeks to bring about continuous improvement it can also reduce the likelihood and cost of an impact: Kroll’s State of Cyber Defense 2023 report found that those with a high level of cyber maturity experience less security incidents. And being as it is focused on process, cyber maturity can help to embed a security culture within the business.
So, what’s preventing uptake? According to the ISACA report, the main obstacles are the time needed to carry out the assessment, insufficient personnel to perform it and a lack of internal expertise.
But there are also marked differences depending on the size of the business: SMEs will sometimes have less governance such as effective data protection or risk management processes, whereas larger enterprises, while they have the manpower and may even have a dedicated internal audit team, may be stretched or in some cases, inexperienced.
It’s also not uncommon to find organizations where the risk register is incomplete, with asset lists that do not contain tangibles such as information assets such as personal / financial data or intellectual property, so that this must be addressed as part of the exercise.
To be of value, a cyber maturity assessment needs to be thorough and systematic so it can be repeated, and the results compared over time to demonstrate and measure progress made.
Usually, the assessment is based on a proven risk framework, with the NIST Cybersecurity Framework (CSF) regarded as the gold standard. The CSF covers five areas – identity, protect, detect, respond, and recover – and the assessment rates the ability of the organization within each of these using a sliding scale of 1-5 or using rankings such as initial, developing, defined, managed, or optimized.
How it’s carried out
Assessors evaluate maturity through interviews with key personnel, the review of documents and policies, and observation of how processes are performed to determine how effectively risks are mitigated.
Areas likely included in the assessment include asset management, governance, risk assessment, supply chain risk, identity management and access control, staff awareness and training, security monitoring, threat detection and response and recovery planning. The results are then put into a comprehensive report which sets out which areas have achieved best practice and where further action is needed.
How often the exercise should be repeated remains a topic of debate. The ISACA report found assessments were predominantly performed annually but the consensus was that more and more businesses are performing these assessments more frequently.
The next most popular timeframe was every 1-6 months. This has clear benefits as it allows the business to reappraise its security posture in light of any changes made, information that can then be used to meet compliance objectives and drive down insurance premiums further. But equally some seem to be only paying the process lip service, carrying out the assessment every two years and sometimes at even longer intervals.
Adoption has largely been driven by regulation. From CYESec’s Cybersecurity Maturity Report 2023, it’s clear that the most heavily regulated industries, such as finance, retail, and industry, are the most advanced in terms of maturity. The introduction of further risk-based regulations, such as DORA, PCI DSS 4.0, and NIS2, is likely to spur adoption further.
Similarly, cyber insurance is now acting as a driver in other sectors, forcing businesses to become more proactive and to adopt a risk-based approach.
To truly move the needle and make cyber maturity testing part and parcel of cybersecurity management, we need to make it part of how organizations measure themselves and their effectiveness as a matter of course. As a process that is relevant to businesses of all shapes and sizes, whether conducted in-house or via a third party, there’s no reason why cyber maturity assessment can’t become standard practice and, in so doing, help hone reporting, budgets, and resource allocation as well as advancing best practice.