Ask two different people to bake a cake using the same equipment, the same ingredients, and the same recipe, and you are likely to get two different results. Change one of those parameters and the result is going to be different again.
Cybersecurity maturity is like baking a cake: Its level depends on your equipment (technologies), your recipe (processes and procedures), and on having the right people with the right skillsets in the right positions. But unlike baking a cake, the cybersecurity of your organization consists of many different aspects, and you need to assess the maturity level of each one of these aspects separately to get a clear picture of the cybersecurity maturity level of your organization.
For example, you may have perfect systems to detect a potential cybersecurity incident, indicating high maturity, but you lack the necessary people in important positions to effectively respond to an attack, indicating low maturity.
So how do you ensure that you don’t overlook measuring the maturity level of important aspects of your organization’s cybersecurity posture? The secret recipe is to use a comprehensive cybersecurity framework as the basis for your maturity assessment.
Using NIST CSF 2.0 for Cybersecurity Maturity Assessments
NIST recently released its Cybersecurity Framework (CSF) v. 2.0. While the original NIST CSF was designed for critical infrastructure organizations, its wide adoption by different organizations in different industries drove NIST to target the new version to all types of organizations.
NIST CSF 2.0 introduces a new “Govern” function, emphasizing the critical role of governance in cybersecurity risk management. In fact, the new Govern function consists of 31 out of the 106 subcategories of NIST CSF 2.0, demonstrating the importance of managing risk correctly to succeed at preventing, managing, and recovering from cyberattacks.
This important change is aligned with the growing liability expectations from management and boards of organizations, demonstrated through the new rules that the SEC adopted earlier this year regarding cybersecurity risk management, strategy, governance, and incident disclosure by public companies.
Measuring Cybersecurity Maturity
How can you measure the cybersecurity maturity level of your organization? Take NIST CSF 2.0—which now, more than ever, covers all the important aspects of the cybersecurity posture of your organization—and then do the following:
- Add scales to each subcategory to measure:
- the level of the security technologies you have in place
- the level of your related processes
- personnel aspects, such as having the right people in the right positions, their level of training, and availability in case of an incident
- Provide objective indications to enable setting the scoring to each of these. This is critical to the accuracy of the resulting scoring.
- Calculate the scoring from all the different subcategories to create scoring for the different functions, and for the entire organization.
Doing the above will give you a pretty good picture of your organization’s cybersecurity maturity level. The result should yield a number which represents the level at which your organization is prepared for an attack and can recover from one when it happens.
But is this enough? Of course not. Measuring is the first step towards improvement, but there are several additional important steps you must take.
Benchmark
Comparing your results to other companies with similar business characteristics as yours is a good way to help you understand whether your weaknesses are common in your industry or if you are lagging. This process can reveal that you are stronger than your peers in some respects, but weaker in others. With this in hand, you can decide where you want to focus your improvement efforts and can proceed to the next step to decide on your targets.
Define Your Targets
Now that you know your current cybersecurity maturity level in each of the aspects represented by NIST CSF 2.0, and you benchmarked your score to other companies like yours, it’s time to decide what to address first. Not less important, it’s time to decide what not to address—at least for the time being.
You should set improvement targets for the aspects you decided to address that will eventually help you reach the maturity level you desire, and at a minimum, the level of your industry sector.
Continuously Measure and Identify Trends
Measurements are in place, benchmarking is done, and targets are set. Now what?
Your team is now working on mitigating and improving, focusing on items with the highest ROI that can help you achieve your targets. To determine how successful they are, and the progress towards the targets, you should repeat this entire process: measure, benchmark, define (adjust) targets, and measure again.
Repeatedly measuring over time enables you to identify trends, and not less important, predict, given the trends, where you are likely to end up if your mitigation continues as it does now.
How CYE Can Help Assess Your Cybersecurity Maturity
Is cybersecurity maturity like baking a cake? I think that it’s more like building a nation-wide bakery chain: You’ve got to have the right technology, the right processes, and the right people in place to get it right. You also need the right cyber risk quantification solution to help you make the right decisions by measuring, benchmarking, setting targets, identifying the most impactful items to mitigate, and identifying trends. Hyver, CYE’s optimized cyber risk quantification platform, does exactly that.
- Hyver calculates your organization’s cybersecurity maturity by considering CYE’s objective and continuous data, as well as your security team’s input.
- It compares your cybersecurity maturity level to others in your industry, and helps you pinpoint areas for effective improvement and set targets.
- Through Hyver’s continuous maturity assessment, you can identify trends and ensure meeting your cybersecurity maturity targets.
Want to learn more about Hyver’s cybersecurity maturity assessment? Contact us.