[By Phil Robinson, Principal Security Consultant, Prism Infosec]
Cyber maturity is all about ensuring the organisation is prepared for a cyber attack and that can only be determined by establishing where the risks lie and whether the controls that are in place are appropriate and proportionate. The level of cyber maturity of the business is its strategic readiness to mitigate threats and vulnerabilities. This is achieved by testing the level of preparedness at regular intervals to help identify areas for improvement, thereby boosting the resilience of the business. Yet, cyber maturity testing is not widely practised.
According to ISACA’s The State of Cybersecurity 2023 report, only 65% of businesses measure their cyber maturity today and the intervals at which they do so can vary greatly. The majority (39%) carry the assessment out annually with the next most common interval being every six months or less (19%) but there are some that only test every one to two years (7%) or even two years or more (3%). The reasons given for infrequent testing were primarily due to a lack of time (41%), personnel (38%) and internal expertise (22%) and, given that the current economic climate and growing skills shortage both of which are likely to see resource become even less, we could well see those gaps widen further.
A work in progress
The report goes on to describe cyber maturity as a ‘work in progress’ and this is because the needle hasn’t moved over the past two years (2021-2023). The suggestion is that adoption has plateaued when it was expected that more organisations would have begun baselining their cybersecurity posture as standard. Without doing so, they’re unable to determine exactly where those weaknesses lie in terms of their preparedness and the robustness of the measures they have in place to prevent a threat from adversely impacting the business.
But there’s also the fact that organisations are under increasing pressure from insurance underwriters to demonstrate their level of cyber maturity. Cyber insurance premiums are becoming more expensive as the industry grapples with pay outs, leading providers to conducting due diligence and checking that certain measures have been taken and a required level controls are in place to mitigate the risk of a successful attack. In fact, according to the State of Cyber Defense 2023 report from Kroll, trailblazers (i.e. those who actively chose to focus on achieving a high level of cyber maturity) experienced less security incidents, which proves the insurers are correct. But the upshot of this is that those who don’t choose to assess their cybersecurity posture are likely to face higher insurance premiums in the future or may even find themselves uninsurable.
In fact, benchmarking the cyber security posture in order to achieve cyber maturity has never been as important as it is today. Faced with escalating threats, increasing compliance demands and the need to justify security spend and investment during these tough economic times, an assessment can help provide the hard evidence needed to win over the board. But while the drivers are there, the problem now is a lack of resource.
Maturity is not assured by size
Conducting a cyber maturity assessment inhouse is challenging for businesses of all sizes but for different reasons. Some may be completely unaware of their risk profile or may only have partially recorded their information assets in a suitable register, for example. Small businesses don’t have the capacity or expertise required and while large organisations do have dedicated teams for internal audits and established risk management processes overseen by a CIO, they are often overburdened. It’s for these reasons that many are now choosing to outsource the process to a third party.
But interestingly cyber maturity is not a matter of who has the deepest pockets. The Cybersecurity Maturity Report 2023 found that the countries with the highest levels of maturity were also those with the most stringent regulations, i.e. Norway, Croatia and Japan. Whereas the US, UK and Germany which tend to have higher cyber spend, lagged behind. Moreover, SMBs outpaced larger organisations although this was primarily down to the relative size of their assets and the attack surface. That said, it did deduce that correctly identifying areas of risk and implementing policies and processes could make massive differences to cyber maturity levels.
What the process entails
Whether you choose to undertake the process inhouse or outsource, a maturity assessment is a risk-based exercise and so an established cybersecurity framework can be used against which to rate the level of resilience in different areas. The NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) is often described as the gold standard in this respect and it lends itself readily to the process as it has five clear areas (identify, protect, detect, respond, and recover) against which the assessor can rate the level of protection.
The assessor will typically document the findings by interviewing stakeholders, reviewing documents and policies, and observing processes and procedures and security controls in operation. Areas they are likely to look at include asset management, supply chain risk, identity and access management (IAM), employee security awareness, data protection, monitoring and threat detection and incident response and recovery. The end report then summarises the maturity level of each and provides the C-suite with actionable advice on where and how improvements can be made.
A final word to the wise
Methodically assessing the capabilities and controls that the business has in place is just the start, however. As the ISACA report intimates, it’s just as important to test regularly and often and preferably more than once a year because this will ensure that the defensive capabilities of the business continue to align with the sensitivity and amount of its information assets (as well as an ever changing landscape of how/where they are stored and accessed) and the risks posed to them which will fluctuate as the threat spectrum changes. Thus, it’s worth remembering that maturity is not a one way process and it is possible for the business to regress unless there is a constant approach to due care and attention and regular assessments of the threats and how mature the controls are to defend against them.
