Cyber maturity is about ensuring the organisation is prepared for a cyber attack, and that can only be determined by establishing where the risks lie and whether the controls in place are appropriate and proportionate.
The level of cyber maturity of the business is its strategic readiness to mitigate threats and vulnerabilities.
This is achieved by testing the level of preparedness at regular intervals to help identify areas for improvement, thereby boosting the resilience of the business.
Cyber maturity testing is not as widely practised as it should be.
According to ISACA's State of Cybersecurity 2023 report, only 65% of organisations measure their cyber maturity today, and the intervals at which they do so vary greatly.
The report describes cyber maturity as a 'work in progress' because the needle hasn't moved over the past two years: adoption appears to have plateaued, when it was expected that more organisations would by now be baselining their cybersecurity posture as standard.
Organisations are also under increasing pressure from insurance underwriters to demonstrate their level of cyber maturity.
Cyber insurance premiums are becoming more expensive as the industry grapples with payouts, leading providers to conduct due diligence and check that specific measures have been taken and that a required level of controls is in place to mitigate the risk of a successful attack.
According to Kroll's State of Cyber Defense 2023 report, the organisations it classed as 'trailblazers' (its most mature tier) experienced fewer security incidents, which supports the insurers' reasoning.
Benchmarking the cyber security posture in order to achieve cyber maturity has never been as important as it is today.
Conducting a cyber maturity assessment in-house is challenging for businesses of all sizes, though for different reasons.
Interestingly, cyber maturity is not a matter of who has the deepest pockets.
The Cybersecurity Maturity Report 2023 found that the countries with the highest levels of maturity were also those with the most stringent regulations, namely Norway, Croatia and Japan, whereas the US, UK and Germany, which tend to have higher cyber spend, lagged behind.
It also concluded that correctly identifying areas of risk and implementing policies and processes could make a substantial difference to cyber maturity levels.
Whether the process is undertaken in-house or outsourced, a maturity assessment is a risk-based exercise, so an established cybersecurity framework can serve as the yardstick against which the level of resilience in each area is rated.
The NIST CSF is often described as the gold standard in this respect, and it lends itself readily to the process because it is organised into clear functions against which the assessor can rate the level of protection: Identify, Protect, Detect, Respond and Recover in version 1.1, with version 2.0 (published in February 2024) adding a sixth, Govern.
The end report then summarises the maturity level of each function and provides the C-suite with actionable advice on where and how improvements can be made.
Finally, it's worth remembering that maturity is not a one-way process: the business can regress unless there is constant due care and attention, with regular reassessment of the threats and of how mature the controls are to defend against them.
This Cyber News was published on www.cybersecurity-insiders.com. Publication date: Fri, 15 Mar 2024 20:13:05 +0000