Unfortunately, there is no definitive answer to this question and no two organisations are facing the same challenges when it comes to cyber security. Invariably, organisations everywhere are looking to maximise their cyber security position whilst managing limited security budgets and ensuring they have the right skillsets available.
Observing the results of recent cyber security-related research studies shows us that organisations are still struggling with the same issues they were facing back in 2015, including phishing awareness, supply chain management, incident response and legal/regulatory compliance, all of which remain high priorities for many of our clients.
In addition to this, business operations are never static. The elements which impact your business are in constant turmoil. Markets are growing and evolving, pushing you to invest in new technologies. Increasing regulatory requirements could throw greater focus on your sector or on part of your operations (such as HR or Finance). A considerable shift, such as the move many organisations made to a working-from-home model during the COVID-19 pandemic, may mean that security and other governance measures which were already in place are no longer fit for purpose.
In light of this, the right question to ask may not be “are we doing cyber security correctly?”, but “do we have the right governance in place?”. This is because governance is, put simply, about the way things are done. You can have an elaborate and robust cyber security strategy drafted and in place, but if nobody owns it, or measures progress against it, then it may not be effective. It is vital to understand who owns the digital risks to your organisation, how those risks are being managed and how you are benchmarking progress.
In this article, we look at Cyber Security Maturity Assessments as a way of effectively measuring ‘how things are done’ in relation to cyber security within your organisation. This enables you to determine whether you are on the right track and provides you with a clearer path to operational resilience.
What Your Organisation's Security Goals Are, Or Should Be
Your organisation's cyber security goals may be as simple as keeping your customers' data secure or reducing the risk of cyber attacks. However, goals should be more specific, more detailed and part of a broader business plan, considering risks to your organisation and how to mitigate them. In the cyber security domain, this could include various issues such as developing staff awareness of cyber threats, meeting data protection requirements such as GDPR or (for medical providers) DSPT, information management, change management and technical controls, to name just a few. Invariably, some of these will be more important than others in the context of your business operations.
Where The Important Gaps Exist In Your Current Security Measures
By helping define your organisation's goals for security, a Cyber Security Maturity Assessment enables you to focus on the steps you need to take to meet them. For example, if your supply chain is critical to your business, gaps identified in your supply chain security will indicate a high level of risk. Established priorities and goals can also shift in response to external factors. A recent example of this was the seismic shift to home working brought about by the COVID-19 pandemic. This meant many organisations had to take a fresh look at technical controls for remote workers.
Which Areas You’re Already Effective In
Assessing what you’re already doing will show you where your team is already achieving or exceeding expectations in any given area. A competent maturity assessment will identify what’s ‘good enough’ in the context of your organisation and its needs across a range of issues: staff awareness and education, physical security, technical controls and so on.
What You Need To Do To Close The Important Gaps
Identifying which of the components that make up adequate protection are present (or absent) will help you pinpoint where your efforts need to be concentrated, how that effort should be applied and in which order actions should be prioritised. This is particularly effective when there are a large number of tasks and a limited budget to work with. This prioritisation is vital to ensuring a sustainable approach to improving your organisation's cyber security maturity. In addition, having access to this information will enable you to facilitate effective project planning, resource forecasting and budgeting, and provide you with an effective cyber strategy planning tool.
What Skills You May Need To Maintain & Improve Your Cyber Security
Does your organisation have the right skills, either internally or outsourced? The cyber skills gap is a growing issue as organisations of all sizes struggle to fill vital positions. For some organisations, cyber security is ‘owned’ by IT or by someone with specific cyber security skills, with the rest outsourced to specialists. Larger organisations may have an in-house team that does the bulk of the work, such as running a SOC (Security Operations Centre), but outsources more specialist or compliance-related work such as PCI DSS accreditation or penetration testing. If you know what your priorities are, you can identify the skills required and whether they need to be in-house, outsourced or a combination of the two.
Data is vital to truly understanding how well your organisation is managing cyber security risk and for developing the pathway to ensuring those mitigations are sustainable and pragmatic in an ever-changing threat landscape. A cyber maturity modelling and assessment engagement provides the right data to help your organisation to either demonstrate that it is on track or to discover how to get on track; this delivers value in almost every scenario.
If you would like to discuss your cyber security requirements or speak about Cyber Security Maturity Modelling in more detail, please get in touch to speak to one of our specialists.
This article was published in partnership with our cyber security partners PGI.
© SES Secure Limited and ses-escrow.co.uk, 2022. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited and ses-escrow.co.uk, with appropriate and specific direction to the original content.