Achieving maturity in organisational approaches to cyber security

Achieving maturity in organisational approaches to cyber security

Maninder Singh at HCL Technologies talks to teiss about the important issue of cyber security maturity and how to achieve it

What is cyber maturity and how important is it?

To understand cyber maturity and its importance, it’s imperative to understand the landscape of today’s technology and businesses. With rapid digital transformation, adoption of cloud and SaaS, and the proliferation of ever-increasing amounts of data, enterprises have become a ripe target for cyber criminals. Bad actors have actively pursued enterprises by advancing the scale and sophistication of their attacks.

The burden of protection has fallen onto organisations, as they endeavor to secure their assets, employees, customers, and stakeholders with appropriate safeguards and training. This is in addition to  mandated legislative and corporate regulatory requirements.

In this context, cyber maturity refers to an organisation’s ability and readiness to mitigate vulnerable threats, including multi-dimensional strategies designed to prevent, detect, contain, and respond to any digital threats.

It’s the backbone of any digital enterprise since cyber maturity has become a business necessity as it enables revenue growth and product innovation within a holistic digital business transformation. As per the State of Cybersecurity 2021 report by ISACA and HCL Technologies, almost two thirds (65%) of enterprises carry out cyber maturity assessments. The more ‘mature’, a company’s cybersecurity becomes, the better-equipped they are to mitigate threats and prevent them before they become breaches.

What are the criteria that businesses need to meet to become cyber mature?

For a long time, the typical targets for cyber threats were end-customers and businesses in the public and financial sector. However, when global industries became more digital, so did everything of value within them – from proprietary data to trade secrets.

And as industry continues to digitalise and embrace interconnectivity, no business is safe. This is why business leaders consider cyber threats to be the biggest disruption to organisations and have adopted some common principles that guide their roadmap to cyber maturity. This mainly includes criteria such as:

  • Framing cyber threats as a risk management issue and not an IT issue. Companies need to put in place an organisational structure and governance approach that brings transparency and enables real time risk management.
  • Cyber risk must be addressed in a business context. 80% of respondents in our survey indicated that their executive leadership team see value in conducting a cyber risk assessment. Organisations need to invest in technical experts that can reduce the complexity of commercial and organisational problems, while also securing the entire value chain across every digital touch point. This is where issues of vendor risk management or third-party risk management come into play.
  • Mitigating risk at every level with investments in automation tools for seamless cataloging of critical vulnerabilities such as data, infrastructure, applications, and people. These are typical threat vectors that are persistent at every level and can lead to invasive threats.
  • Adapting technology, processes, and employees on a regular basis – whether by upgrading the first, improving the second or upskilling the third. Or all three, as the case may be. A company’s organisation, processes, people, IT, OT and products need to be reviewed regularly and adjusted as cyber threats evolve over time.

Governing with a comprehensive and collaborative framework that factors in the interconnectedness of everything and everyone. The lines between business-continuity management and data protection are blurring while those between in-house and external security are obsolete. To reduce redundancies, speed up responses and boost overall resilience, companies need to address all parts of the business that can be potentially affected by cyber threats.

What are the different elements of cyber maturity, such as governance, culture, processes, knowledge?

Digital transformation, cloud adoption, SaaS solutions and other trends have reshaped the way businesses carry out their day to day operations. But the siloed approach of working within isolated departments, is no longer sufficient if we want assured security.

Leaders have to integrate their business and technology goals to rapidly achieve cyber maturity and strengthen their security posture. There are a number of steps that enterprises can take to increase maturity:

  • A new perspective. Immature organisations not only risk the possibility of breach of sensitive information but also the breach of client trust. A new mindset is necessary to increase maturity. If enterprises are simply reactionary in their approach, they will soon be left behind and expose their systems to data breaches.
  • Flexibility and agility. A flexible approach to risk management and a willingness to experiment is also necessary for increased maturity. Enterprises must be agile and encourage new approaches that facilitate new ideas and solutions that can be implemented quickly. Moving from outmoded legacy systems onto cloud computing platforms can easily help mitigate many of the challenges faced by organisations.
  • Transparency and trust. Business and cyber-security leaders must collaborate on ways to improve internal risk culture and educate employees at all levels about cyber-attacks and best practices for fending them off. This can only be achieved through transparency and trust.
  • Security strategy. By securing a plan and placing it into a policy, companies can achieve cyber resiliency. As organisations move up the security maturity stack, they evolve from prevention and minimum compliance to continuous monitoring and risk detection. Also, they need to look at  people, processes, tools and technology to create a successful security strategy.
  • Optimisation and efficiency. There are many IT departments with legacy systems that cannot be integrated quickly and that are being modernised piecemeal. This kind of approach will never win the “race.” Systems that are optimised, efficient and work as a unit will not only stay level with competitors but also help create a competitive advantage.

How important is it for organisations to measure their cyber-security?

There are several cyber-security maturity models that businesses can use to develop their best practices, such as the ISO 27001:2013 and National Institute of Standards and Technology (NIST CSF)

NIST focuses on five domains which are the foundation of every good security program. These are – identify, protect, detect, respond, and recover. Ratings for cyber-security maturity typically range from 0 (lowest) – 5 (highest).

If an organisation has a “5” rating, it indicates that the company has optimised practices and controls and is well-equipped to detect and prevent cyber threats. All businesses should strive for a “5” rating during the security model assessment, although it’s impossible to achieve – considering the ever-evolving threat landscape and new vectors.

These cyber maturity assessments are helpful to businesses of any size. It provides insights to understand vulnerabilities, identify and prioritise areas of remediation, and demonstrate corporate and operational compliance.

Performing a cyber-security management assessment takes time but the benefits outweigh the cons as it provides:

  • Important insights into the company’s cyber-security practices and how effective it is at preventing breaches.
  • The information to identify current gaps in compliance and risk management.
  • Assessment results that can be compared with similar organizations to help identify security trends using insights.
  • Independence, as organisations no longer have to rely too heavily on some security controls and ignore others.
  • A framework to prioritise key areas for a management action plan by improving communication between employees, IT personnel, and upper-level management by supplying documentation.
  • Proven standards to help align and map cyber practices against industry standards e.g. NIST and ISO 27001:2013

Maninder Singh is CVP and Global Head of Cybersecurity & GRC Services at HCL Technologies

Main image courtesy of

Copyright Lyonsdown Limited 2021

Top Articles

2,500 years of Threat Intelligence

In order for threat intelligence to deliver as promised, we need to heed Sun Tzu and start with a data-driven approach.

Don’t fall foul of homoglyph web domains

Homoglyphs are characters from other scripts, which can look like Latin letters. They are used in domain names and they are very hard to spot.

Cyber attack targeted Spanish beer maker Damm; halted brewery operations

Damm, Spain's second largest beer-making company, suffered a major cyber attack targeting one of its IT systems last week.

Related Articles

[s2Member-Login login_redirect=”” /]