Cybersecurity maturity: Where do I start?

By Benjamin Di Marco and Rob Wiggan | October 28, 2022


The growing prevalence of cyber incidents highlights the need for organisations of all sizes to carefully analyse their cybersecurity strategy and to adopt a structured approach to testing and enhancing their controls, improving the confidence an organisation has in its ability to prevent and respond to data and technology incidents.

“Cyber Maturity” frameworks are commonly used within the information security industry to provide a process for assessing the current state of an organisation and uplifting its security controls and overall posture. Across the industry, many vendors, academics and advocacy groups have developed their own preferred Cyber Maturity frameworks. These frameworks can be helpful; however, they can also result in over-reliance on elaborate processes rather than on strategic cybersecurity decision making. In many cases an organisation will obtain stronger and more cost-effective outcomes where its cybersecurity strategy is driven by risk assessment principles and a focus on its key concerns and business needs.

Any approach for improving cyber maturity must begin with an understanding of what an organisation’s key cybersecurity risks are. A cybersecurity risk is defined by the US National Institute of Standards and Technology (NIST) as:

The risk of financial loss, operational disruption, or damage, from the failure of the digital technologies employed for informational and/or operational functions introduced to a manufacturing system via electronic means from the unauthorized access, use, disclosure, disruption, modification, or destruction of the manufacturing system.

An often-overlooked component of the above definition is that cyber risks almost always result from a failure of “digital technologies” used by an organisation. Technology infrastructure can fail in a variety of ways, ranging from not implementing an appropriate technical control, lack of staff training, incorrect implementation of a technology solution, lack of monitoring and detection, to not managing actions taken by third parties within your IT environment. The breadth of these issues highlights the need to examine technology risks collectively to ensure a robust approach is adopted for cybersecurity maturity.

Cybersecurity risk is increasingly recognised as a significant business issue that creates both immediate and long-term harms for the impacted organisation and its stakeholders. The exposure landscape also increasingly creates legal and regulatory risks for organisations and their leaders, which can be seen in the growing number of regulatory actions and the current focus placed on executive and director liability.

Many organisations grow organically from small beginnings to multi-million-dollar revenues and multi-site operations. Often the technology environments have grown organically to reflect changing business needs. The pace of technology changes also means that many organisations have little or no guiding cybersecurity strategy and limited resources available for cyber focused investments. This does not necessarily mean there are no controls, but the coverage of all the elements used across IT environments (referred to as cybersecurity domains) may be inconsistent.

Additionally, as organisations move from the start-up phase into the growth phase there is often a recognition that there is little overall accountability or ownership of cybersecurity risk management within the business. This often results in the appointment of a Chief Financial Officer or of general technology leaders who must also wear a second hat for cybersecurity risk management. While these individuals will recognise inherent cybersecurity risks, they will not have detailed subject matter knowledge, and will often need to rely heavily on third-party providers to formulate an organisation’s cybersecurity strategy.

To commence improving cyber maturity, the first thing to understand is what you need to protect. This is likely to be something like a customer database or a key system that allows you to sell or manufacture products. There are likely to be multiple systems, but try to limit the number of systems or assets that fit this description. These are your ‘crown jewels’ and should be the assets towards which you direct most of your protective efforts.

Once you know what you are protecting you can then focus on the strategy. The strategy should be documented and articulated in a high-level business document that clearly states the goals of the security program and the areas of focus that support the overall business strategy. This means that the strategy should dovetail with the aforementioned ‘crown jewels’ analysis. For example, if a customer database supports the main business activity to generate on-line sales then the security strategy should address how the organisation will protect the eCommerce environment and the supporting database.

The role of cyber risk registers is also becoming increasingly important. A good starting point is usually a cybersecurity risk assessment involving key stakeholders including the senior executive team to agree the key risks and document them in the risk register. It is likely that cyber risks to multiple systems and applications will be identified. The risk register can also be used to help prioritise key security objectives, and plan how work can best be staged to improve cyber maturity across the most relevant domains.

This strategic approach can also help organisations avoid being overwhelmed and remove fears that cyber risk is too big an exercise to effectively tackle. A prioritised multi-streamed program can be implemented over a period of time, allowing cyber maturity to improve within the context of the organisation’s available resources and capacity.

The easiest way to think about designing the strategy is to break it down into meaningful timeline horizons and map out the initiatives. You will not be able to address all the risks immediately, but each of the focus areas can be further broken down into components that will support the overall business strategy.

As cyber maturity improves, it should begin incorporating three main elements – Governance, Incident Lifecycle and Oversight. These are described below:

Governance refers to the activities that define the controls and supporting processes that will be used to manage cybersecurity risks. Some of the focus areas are Strategy, Policies and Standards, Accountability, Risk Management and Architecture. While governance needs to be functional, it is important that it is also proportionate. We do not recommend that mid-sized organisations adopt a full Information Security Management System (ISMS) at the outset. ISMSs include many policies and procedures that developing organisations will not have the capabilities to implement and monitor.

Often a Security Policy and an IT Acceptable Use Policy will be sufficient to state how security will be delivered and how end-users can use the technology provided to them. The Security Policy should establish the internal accountabilities and define high-level architectural principles.

Incident Lifecycle refers to the technology controls and supporting processes that provide protection, detection, response and recovery capabilities when a cybersecurity incident occurs. The NIST Cyber Security Framework breaks the incident lifecycle down into five functions, as shown in the table below:

Incident lifecycle functions according to the NIST Cyber Security Framework

Function: Objective

Identify: Develop the organisational understanding to manage cybersecurity risks to systems, assets, data and capabilities.

Protect: Develop and implement the appropriate safeguards to ensure delivery of essential services.

Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond: Develop and implement the appropriate activities to take action regarding a detected security event.

Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

The organisation should invest across each of these functions to provide redundancy and defence in depth, meaning that if one control or process fails, the risk of a cyber threat can still be minimised or reduced by other compensating controls.

Oversight refers to the activities that measure and report on the overall effectiveness of the cybersecurity program. This is important to ensure that cybersecurity risks are being appropriately managed, and allows executive leaders to confirm that strategic goals are being met and that any issues are resolved.

Oversight functions should also tie into the organisation’s wider approach to risk management and governance, and incorporate strategies for internal and external audit functions, board reporting, and how accountability and key metrics will be measured and recorded by the organisation. Effective oversight is also becoming an increasingly important component of cybersecurity risk management for directors.

How can WTW help?

WTW has invested in a cross-functional team of cybersecurity and incident response experts who have successfully delivered strategic cybersecurity programs across multiple industry sectors that have mitigated significant underlying risk.

We are uniquely placed to provide the right support to develop your organisation’s strategy and give guidance on how to deliver a successful, focussed cyber maturity program. In the current environment, we also provide key guidance on how organisations can align cybersecurity strategy with their wider business needs.

We actively partner with our clients to deliver quality outcomes and have a track record of providing cost effective and creative solutions that meet our clients’ individual needs. If you require assistance or further information on any of the issues outlined in this article do not hesitate to reach out to our team.

Authors

Cyber and Technology Risk Specialist – FINEX Australasia

Cyber Security Consultant, FINEX
