Often, CISOs struggle to understand and share precisely what is happening across their estate at all times. To support business change or user demands, organisations have evolved highly sophisticated, interconnected structures. Some of these are internally owned and some are run by third parties.
Brett Ogilvie of Celtech Energy Systems states: “A properly formed cyber security program is far-reaching, pragmatic and risk based. When the basics are all properly in place with appropriate monitoring, the entire IT (and/or OT) operations infrastructure changes from a reactive to a proactive function.”
This growing lack of control and visibility directly affects how informed and prepared an organisation is to deal with attempted or successful attacks. If a CISO wants to have an informed business conversation with their executives about risk, they need the same level of confidence in their presentation of cyber performance data and reporting as the finance director has in the numbers they bring to the board. Organisations that invest in creating a concise and accurate view of their cyber security state, and can communicate it clearly to the rest of the business, see the benefits in terms of confidence and more informed, collaborative decision making around the value of cyber investment.
Michelle Joosse from Hotline IT goes on to say: “A mature cyber security business has policies and processes in place that staff have been trained and educated on.”
Assessing your cyber security maturity (CSM): What are the challenges?
The cyber security landscape has grown rapidly; outside of IT, its traditional home, cyber risk now touches every aspect of a modern business. Various departments are involved: HR, through its responsibility for cyber awareness training; risk experts in Finance; compliance and audit; and, increasingly, resilience and business continuity professionals. An organisation’s data is similarly dispersed.
Those in the unenviable position of reporting the organisation’s current cyber state to the board will often approach the question from a rather narrow viewpoint. Until now there have been significant inconsistencies in the content and delivery of CSM reporting.
There are a number of reasons for this. The risk landscape and the associated technology have evolved at unprecedented speed, which has led organisations to implement a range of security solutions and services from different suppliers. The result is a set of conflicting tools that do not necessarily communicate with one another, leading to gaps, crossover and duplication.
So, what is the answer?
This lack of integration between solutions means organisations get very little value from over half of their cyber security spend. Worse, they have no way of deciding which solution best fits the business priorities. Continual spending without clear direction or results reduces the agility of security teams to respond to the next threat that emerges.
Roger Smith from R and I ICT Consulting Services makes a valid point: “The more mature an organisation is, the more developed the protective strategies should be. In most cases this is incorrect.”
Across multiple industries we have seen companies caught in a never-ending cycle of testing, part-fixing, requesting budget, spending budget, testing again, and repeat. Yet at no point do these companies, or the individuals involved, feel confident that every penny of investment is driving CSM.
CSM requires businesses to look beyond security technologies and processes and examine indicators such as behaviours, events, systems and potential threats across the entire organisation. CSM owners need to be able to articulate to the business, and especially to the board, the state of preparedness and organisational activity across five areas:
1. Compliance and accreditation
2. Technical compliance
3. Transformation and maturity
4. Events, alerts and threats
5. Governance and policy
Thomas Jreige, Managing Director at Focus Cyber Group, believes: “When implementing cyber security in an organisation, it must therefore be implemented within the context of the organisation in mind. Additionally, it must aim to maintain the risks to information in the environment under the risk appetite for the organisation.”
The ability to analyse and benchmark your organisation in these areas in a consistent way allows it to create a contextual, prioritised transformation plan to improve overall CSM. CISOs, IT security managers and CIOs can then track improvements and report confidently and knowledgeably to everyone in the business, quickly highlighting areas of improvement and the value of those gains, as well as building a positive, informed narrative around areas that still require work.
At CNS, we’ve helped a number of clients unravel the complexity of their estates to establish greater control and visibility of performance, supporting them through the processes of building and then running their CSM programmes. Clients value our independent advice in planning and delivering CSM dashboards that meet their specific business, risk and compliance requirements. Whether organisations have struggled long and hard with cyber or are just beginning, the value of CSM is clear: it transforms the ongoing business conversation about cyber risk, return on investment and measurable, comparative improvement.
To read our full paper, ‘Cyber Security Maturity: Driving Clarity through Complexity’ click here.
To find out more about how CNS Group can help you develop your organisation’s CSM, click here.