Time to grow up: why cybersecurity maturity is crucial for organisations

A true analysis of cybersecurity can show organisations where they are at risk and measure the return on investment of cybersecurity spending

Importance of cybersecurity maturity

Achieving cybersecurity maturity (CSM) enables the IT security team within an organisation to report on the status of their organisation’s security posture with confidence. Through consistent monitoring and risk analysis, a clear perspective can be provided to the board. A high level of CSM is also proven to reduce overall cybersecurity spend over a three-year period.

CNS Group, an independent cybersecurity consultancy, has developed Aegis, a comprehensive CSM service. The service provides organisations with a concise and contextual reporting mechanism for cybersecurity to the board and other stakeholders. By expediting CSM and visibility, organisations of all sizes can show return on investment from cybersecurity spend, and eradicate unpredictable and ineffective spending.

What is cybersecurity maturity?

CSM is the effectiveness of an organisation to make cybersecurity decisions in a way that considers all relevant factors on a changing technology and threat landscape; the ability to improve defences continuously while the business operates and transforms. Organisations that invest in creating a concise and accurate view of their cybersecurity state and can communicate this clearly with the rest of the business see the benefits in terms of confidence and more informed, collaborative decision-making around the value of cyber-investment.

Cybersecurity challenges

01 Complexity of information for the client

From threat intelligence, compliance and regulations to security-testing and audits, the amount of information that an organisation is required to digest and base investment decisions on is growing. Not only does this impact the level of resources and skills required from the internal IT team, but it is confusing for the extended team of stakeholders. The maze of information and limited visibility across the overall IT infrastructure can leave an organisation vulnerable.

02 Unpredictable and ineffective spending

With no clear reporting model, organisations are basing their investment decisions on the results of the latest penetration test, security audit or pressure from existing or new regulations in force. This never-ending project-based model doesn’t allow for continuity and intelligent spend over time. The traditional cybersecurity spend becomes a pattern of testing, part-fixing, requesting more budget, spending budget, testing – and repeat.

03 Confusing and growing compliance landscape

From the European Union General Data Protection Regulation, PCI Security Standards Council compliance, Cyber Essentials to ISO standards, the compliance landscape is a minefield for any organisation. Although achieving compliance enables organisations to achieve a level of best practice and is a helpful negotiation tool for budget requests, it doesn’t mean that an organisation is completely protected. The constant changes in regulations also require up-to-date knowledge and skills within the IT team.

Measuring the current state of cybersecurity maturity

There are a few variations and grading scales for measuring CSM with the most common being the COBIT maturity scale. Recent research using the COBIT scale found that only 22 per cent of IT security professionals surveyed believed their CSM level to be optimised. Almost 20 per cent stated their level of maturity as non-existent, ad-hoc or didn’t know.

This growing lack of control and visibility directly impacts how informed and prepared an organisation is to deal with either attempted or successful attacks. If a chief information security officer (CISO) wants to have an informed business conversation with their executives about risk, they need the same level of confidence in their presentation of cyber-performance data and reporting as the finance director would have in the numbers they bring to the board.

Aegis: a comprehensive cybersecurity maturity service

A change is required in the way we manage and report on cybersecurity and CSM offers the most effective way to manage that change. To simplify CSM for organisations and support a higher level of CSM, CNS Group developed Aegis.

Aegis is a CMS transformation programme incorporating a proprietary benchmarking tool, active dashboard and consultancy services. CNS Group specialists use the programme to support organisations in measuring and scoring their current CSM against five key domains and 73 sub-domains.

This intelligence then provides the contextual, prioritised transformation plan for the organisation to reach its cybersecurity goals. The Aegis CSM scale draws measurements from standards including: ISO 27001; Cyber Essentials (Plus); PCI DSS; SANS/CIS/CPNI – top 20 critical control set; Sarbanes Oxley; SEC OCIE; and NCSC HMG IA maturity model and risk management principles.

The CSM market remains immature. CSM dashboards often omit one of the critical components that CNS Group’s Aegis platform measures or fail to provide automated, systemised reporting for elements such as penetration-testing outputs or threat intelligence. Many solutions have their own reporting function, which may or may not be reviewed regularly, their own vendor point of contact, owner, interface into the business and assigned budget. The result is impenetrable complexity with multiple vendor conversations, stressed management overhead, conflicting advice due to limited context, and an increasing number of gaps, crossover and duplication.

The Aegis programme enables organisations to standardise and automate as much data input as possible. It gives organisations a clearly defined dashboard of business metrics to articulate cyber-risk and benchmark cyber-technology, resources and investment. This form of analysis and reporting drives better, more informed cyber-conversations with every stakeholder in the business, especially at board level.

Organisations that invest in CSM can all confidently answer these questions: Compliance and accreditation: are we meeting all mandatory regimes and standards? Technical compliance: where are the vulnerabilities and poor controls in our infrastructure, and what are we doing about them? Transformation and maturity: what’s our current status across all projects? Events, alerts and threats: how good is our internal and external threat intelligence? Governance and policy: how robust is our policy compliance; where are the exceptions and who owns what?

Using an agreed benchmarking process allows CISOs, IT security managers and chief information officers to create a contextual plan of action, track and share improvements, and report concisely on the value and impact of every investment. At CNS Group, we have seen the positive impact of the transformation in CSM demonstrated through better targeted investment, more robust compliance and effective allocation of resources.

The graph demonstrates how an organisation can and should drive value from its cybersecurity spend. The Aegis programme is proved to reduce cybersecurity spend over a three-year period.

CNS Group’s comprehensive CSM service enables organisations to transform the quality and value of short, medium and long-term planning and decision-making. The primary benefits of Aegis aim to provide a concise and contextual reporting mechanism for situational cybersecurity to the board and stakeholders; expedite a client’s CSM and visibility; show return on investment for cybersecurity spend; organise and prioritise future cybersecurity spend for greatest risk reduction; highlight the greatest areas of cybersecurity weakness for immediate action; identify greatest threats to an organisation by type; and reduce a client’s overall cybersecurity spend over three-year period

In addition, the CSM service allows organisations to identify the key and common criteria for successful cybersecurity by customer and by industry; ensure compliance to pertinent and mandatory regimes; reduce stress on inter-departmental management and overheads; improve cybersecurity awareness across an organisation; and promote a framework driven approach that ensures a complete picture of the cybersecurity state

By improving the level of CSM through CNS Group’s Aegis dashboard and consultancy services, IT security teams can finally have the confidence deserved in today’s complex threat landscape.

For more information please visit www.cnsgroup.co.uk

Research was carried out at Infosecurity Europe 2017. Total sample size was 172 IT security professionals. Fieldwork was undertaken June 6-8, 2017. The survey was carried out face to face.