In the realm of cybersecurity, maturity refers to an organization’s ability to effectively manage and reduce security risk over time and recover from cyberattacks. Even the most sophisticated security operations team within a well-funded organization will have room for improvement and be able to set goals for advancing its cybersecurity maturity. There is no finish line to be crossed in cybersecurity where one can declare “we are now secure” and there is no real sense of “winning” when it comes to operating a cybersecurity program. Cybersecurity is a game, but it is an infinite game, much like the game of catch. There are no winners or losers in the game of catch. You play the game to get better at it and to practice and improve your skills and ability. If we keep this in mind, then we will be able to deliver a more sustainable approach to this infinite game.
Cybersecurity maturity assessments are often measured on a 1 through 5 scale that assesses an entity’s capability to protect its information systems, data, and assets against potential threats. It encompasses various elements, including policies, processes, technology, and human factors.
When performing maturity assessments for an established company, university, government agency, non-profit, or a startup it should be noted that level 5 is rather uncommon. In my estimation, you and your team have literally written the book on the subject and are going on a lecture tour at conferences about just how good you are at doing something if you merit being scored with a 5.
A mature cybersecurity posture involves not only the implementation of robust technical controls but also the development of a comprehensive cybersecurity strategy and set of policy documents that align with the organization’s goals and risk tolerance. This strategy typically evolves through different stages, progressing from basic cybersecurity measures to more advanced and proactive approaches.
Key Components to Consider
Some security compliance frameworks are only concerned with whether a given control exists or not. A “pass or fail” approach to compliance is all that is expected. As such, I would argue that security is not the goal of such compliance efforts but rather just a “check the box” mentality of doing the minimum and hoping that bad things won’t happen. It is my belief that a lot of organizations fall into this category of being compliance-minded and not security-minded. As I like to put it, compliance is something that you pick up along the way to building a good information security program and capability.
If you stop short of implementing effective security controls because you only want to achieve the minimum required for a compliance audit, then you are probably not laughing at the absurdity of the following anecdote: A company is preparing for an audit and has asked a security consultant to help them prepare for the actual audit. When asking about whether the company has a firewall, the person replies, “Yes, we have a firewall. I can show you the invoice. We purchased a really good firewall.” Upon being asked the follow-up question of taking a look at the firewall rules and configuration, they sheepishly admit that the firewall is still sitting in the box it was shipped in and has yet to be plugged in and configured.
Key components related to cybersecurity maturity include:
A mature cybersecurity program integrates risk management practices to identify, assess, and prioritize potential threats and vulnerabilities. This involves regular risk assessments and the establishment of a risk mitigation plan. If your organization does not have an ORC (Operational Risk Committee) composed of departmental representation from infosec, legal, HR, and engineering then your maturity with regard to risk management is immature. If you do not have a corporate risk register on which strategic risks are identified and tracked by the ORC and, as required, escalated to the senior leadership team and board of directors occasionally then your risk management is also immature. How can cybersecurity risk be properly managed if there is no risk register on which to place and track it?
Security Policies and Procedures
Well-defined and communicated security policies and procedures are fundamental to cybersecurity maturity. These documents guide employees and stakeholders on acceptable behavior, responsibilities, and actions in the context of security. At a minimum, these policies and procedures need to be reviewed and updated annually. Stronger teams understand that “living documentation” equates to performing updates and reviews more frequently than just once per year.
Implementation of effective technical controls, such as firewalls, intrusion detection systems, encryption, and endpoint protection, is crucial. A mature cybersecurity program continuously updates and adapts these controls to address emerging threats. You might, for example, need to refine your endpoint protection approach and introduce a baseline profile of technical controls that are applied to all users. Stepping away from a “one size fits all” technique gives rise to applying specialized endpoint profiles that are designed to address a lower tolerance for risky behavior on HR and legal laptops and workstations due to the sensitive nature of the data and records that these users access and control. Conversely, you may also need to carve out a more “relaxed” endpoint security profile for members of your infosec team who regularly partake in malware analysis and reverse engineering of executables and code that are identified in email attachments and quarantined by various tools and service providers.
Incident Response and Recovery
A mature organization is prepared to respond to and recover from security incidents. This involves having an incident response plan, a capable incident response team, and the ability to learn from incidents to improve future resilience. Too often we see that an organization is desperately focused on progressing through the various stages of incident response and take the decision to exit the containment phase too early. This often leads to re-infection and re-compromise because the original attack path and vector were not actually identified and mitigated. A mature infosec team exhibits something that can be called “tactical restraint.”
Employee Awareness and Training
Human factors play a central role in cybersecurity maturity. The world of risk management and cybersecurity capability is as much if not more concerned with mindset as it is with toolset. It’s actually easier to make changes to toolsets than it is to make progress on improving a company culture around security and its mindset. This component includes ongoing education and training programs to ensure that employees are aware of security risks and best practices. As with technical controls, mature organizations realize that a diverse user population requires customized training. Data scientists within an engineering department, for example, should be given role-based training around PHI and PII data handling requirements, especially as the new cybersecurity regulations around breach disclosure and reporting take effect this year.
Continuous Monitoring and Improvement
Cybersecurity maturity is a dynamic process that requires continuous monitoring of the threat landscape and regular assessments of the effectiveness of security measures. Organizations should be agile in adapting their strategies based on evolving risks. Building or buying a threat intelligence capability is, for example, a more advanced component with regard to cybersecurity maturity. Knowing what threat actors are targeting your industry means learning about their specific TTPs (Tactics, Techniques and Procedures). Taking this one step further, a very robust and strong continuous monitoring capability will include active threat hunting capabilities where a deception program is in place that makes use of canary tokens and honey pots in order to identify and attribute probing and prodding by threat actors of your infrastructure. Rather than just block it with a WAF or firewall rule, such organizations actually create intentionally vulnerable infrastructure in order to gain threat intelligence of attackers that are actively targeting not just your industry, but your actual company itself.
Maturity Assessments in Hyver
Hyver’s cybersecurity maturity assessment enables CISOs to gain visibility, optimize, and communicate cybersecurity maturity by being able to:
- Calculate the organization’s cybersecurity
- Benchmark to their industry sector
- Define maturity targets
- Create mitigation plans to meet targets
- Track progress over time
In summary, assessing cybersecurity maturity is a holistic and evolving approach to safeguarding digital assets. It goes beyond mere compliance with regulations and standards, aiming to establish a proactive and adaptive security posture that can effectively navigate the complexities of the modern cyber landscape. Continuous improvement requires a concerted effort to align your policies and your practice. The upside of this approach, however, is that you will find that audits and regulatory oversight becomes much less of a burden and source of dread. Who knows, you might even find yourself embracing the idea of being audited so that you can proudly demonstrate the robust set of controls and processes that you and your team have put into place to manage risk.
Want to learn more about Hyver’s cybersecurity maturity assessment? Schedule a demo today.