CYE Insights

The Importance of Assessing Cybersecurity Maturity: A Conversation

June 5, 2024


While many security leaders understand the importance of cyber risk assessment, measuring and tracking cybersecurity maturity can be seen as less of a priority. In truth, however, cybersecurity maturity assessments are key to evaluating your organization’s readiness in the event of a cyber incident.

We sat down with Inbar Reis, Chief Product Officer, and Hemi Ramon, Director of Product Management, to talk about cybersecurity maturity and how CYE’s Hyver measures it.

Why is it important to measure cybersecurity maturity?

Measuring cybersecurity maturity is a complementary tool to measuring cyber risk. We know that mature companies have lower risk over time. Using NIST’s Cybersecurity Framework together with a CMMI-like ranking, organizations can measure their cyber strengths and weaknesses that are related not just to the core function of “protect,” but also “govern,” “identify,” “detect,” “respond,” and “recover.” And most importantly, organizations can see where they stand compared to the industry benchmark. They can also build a much more strategic mitigation plan on how to make their organization much more mature, as opposed to a tactical mitigation plan which only measures risk and is more common.

How is considering maturity different from simply mitigating vulnerabilities?

Let’s say, for example, I have software with a vulnerability. I can update to the latest version of the software to remediate this vulnerability.

That is a tactical solution which is typically used by less mature companies. Mature companies have patch management, scanners, tools that check that the scanners are working and that systems are configured properly, processes to review vulnerabilities, and automatic tools that mitigate them. It’s about having the right people, processes, and technologies, rather than mitigating that one severe vulnerability that is in the news.

What are some of the challenges that organizations face measuring maturity?

The process of measuring maturity is often done manually and subjectively; it requires a lot of interviews with a lot of stakeholders to obtain the data, and eventually each person provides their own opinion—which could be biased. These are the reasons companies do it only once or twice a year, but not more than that.

Besides the huge investment, at the end of the day, those numbers are not defendable. If I asked you why your maturity scoring is four and not two, it is because people provided their own opinions, so that is hard to defend when presenting it to management and the board. This is the reason that people hardly use these types of maturity assessments.

What is unique about the way that Hyver measures maturity?

Many companies still use Excel spreadsheets for measuring maturity, if at all. In that spreadsheet, they provide their own scoring, which means that it’s very subjective, and they do it only once or twice a year, which means that it is not continuously updated and is therefore practically outdated most of the time.

The information varies based on what they decided to add. With Hyver, on the other hand, scoring is based on objective measures. Hyver’s maturity assessment is structured exactly like NIST’s CSF, using its functions, categories, and subcategories. And it works at the subcategory level, NIST CSF’s lowest granularity, to make everything as accurate as possible. It relies on information such as the security technologies that an organization has in its environment, processes that have been implemented, employee training, and existing vulnerabilities that are related to each subcategory. These are all objective measures which affect the maturity score.

And, yes, you can also provide your opinion about each one of the subcategories through manual evaluation, but even this is relying on a scale which is very well-defined to enable you to provide the most correct information and receive the most accurate scoring possible.

Why is benchmarking your maturity important?

Benchmarking is extremely important. First, it helps you define your own targets, since you typically want to be a notch above your industry.

Second, it helps the CISO communicate maturity to the board by reporting, for example, that the industry score is 2.7, but we are at 3. It places the organization in a very positive position compared to other companies in the same industry. On the other hand, if the company scores lower than the benchmark, it can help the CISO justify a budget request.

This is the reason that CYE has collected and analyzed cybersecurity maturity-related data from many companies over the years. This enables us to provide our customers with a precise benchmark. The benchmark is calculated per industry, as we can see different trends in different industries; not all industries score the same in each of the functions. This is why it’s important to compare yourself to similar companies in the same industry.

How can CISOs communicate maturity scores using Hyver?

When a company receives a maturity assessment score, and they compare that to the industry benchmark, they can set targets and build mitigation plans to improve their maturity.

As mentioned earlier, the information that Hyver uses for the maturity assessment is objective data such as findings, existing technologies, and processes, which are updated regularly; therefore, the maturity scoring is regularly updated too. You can track the progress that you are making over time at the organizational level or the functional level and you can see whether the trend is positive or negative in each one of the functions. Of course, you can also compare the status with the benchmark and your targets and ensure that you keep improving until you reach your targets.

How does Hyver obtain enough organizational data to measure security?

Hyver integrates with EDRs, CNAPPs, and many other tools, and also performs its own automatic assessments. All of these generate findings of vulnerabilities and misconfigurations, as well as identify technologies and processes. The maturity score is calculated using all that data. In addition, when findings are remediated, new security controls are introduced, or configurations are changed, the data automatically gets updated in Hyver and the maturity score is adjusted accordingly.

Want to learn more about how Hyver assesses cybersecurity maturity? Request a demo.



By Yaffa Klugerman

Yaffa Klugerman is CYE's Director of Content.