
Building cyber-maturity

Javier Dominguez at Commvault describes cyber-maturity and explains how it helps organisations maximise resilience and recovery

Like every important business priority, the way organisations approach cyber-security is heavily influenced by the maturity of their strategy and processes. Despite many organisations now having direct – and often painful – experiences of being attacked, relatively few can be categorised as being ‘cyber-mature’.

But what does this mean, and how can organisations understand how their status affects their security and resilience? Research published last year examined these issues in detail, using five resilience markers to assess levels of cyber-maturity:

  1. Security tools that enable early warning about risk, including insider risk
  2. A known clean dark site or secondary system in place
  3. An isolated environment to store an immutable copy of the data
  4. Defined runbooks, roles, and processes for incident response
  5. Specific measures to show cyber-recovery readiness and risk

Combined with insight into how often companies were breached, what resilience technologies were (or were not) deployed, and how rapidly businesses could recover data and resume normal operations, just 13% of respondents were categorised as ‘mature’.

Digging deeper into the data helps underline the link between preparedness and resilience. For instance, organisations deploying at least four of the five resiliency markers recovered 41% faster than respondents with zero or one marker. Maturity is also a product of continuous improvement and testing: the research revealed that 70% of cyber-mature organisations tested their recovery plans quarterly, compared with 43% of organisations with only one or zero maturity markers.

This adds up to a situation where 54% of cyber-mature organisations were completely confident in their ability to recover from a breach, compared to only 33% of those less prepared.

On a journey

So where does that leave the large majority of organisations that want to improve their levels of resilience and cyber-maturity? Getting there is a journey, with progress dependent on five key stages:

1. They recognise that security and IT are specialisms

In many smaller organisations, security tends to fall under the auspices of the IT department, with the IT director taking overall responsibility. In this context, security will also tend to focus on more basic, routine tasks, such as software patches and maintaining firewalls and antivirus technologies.

Elsewhere in the business, cyber-security can easily be overlooked, with key safeguards, such as multi-factor authentication, missing from the overall approach. Recognising that effective security and resilience require more than these basic measures is a key starting point for delivering organisational maturity.

2. They hire a CISO

As an organisation grows, so does its technology estate, number of employees and accompanying attack surface. This is often the stage at which security becomes a leadership issue, and organisations get more serious by appointing a dedicated senior cyber-security leader or CISO.

Organisations can find, however, that their initial foray into building dedicated cyber-security resources has a heavy focus on technical priorities, with the CISO working closely with the development team rather than planning and executing a company-wide cyber-security strategy.

This is also the time when compliance becomes more important, with a need to deploy formal monitoring and auditing solutions. Effective compliance also requires strong collaboration, with IT and security needing to establish and build clear security channels with mutually agreed objectives to prevent gaps from appearing.

3. Security becomes a strategic priority

Many companies on this journey find that, to build a robust organisational approach, leaders must be mandated to step back from day-to-day technical responsibilities and focus on defending, detecting and recovering from attacks at a holistic level.

In this context, security can drive wider business decision-making and has the authority to build its principles into existing and new processes. This can necessitate a change in approach across other teams where, previously, security wasn’t on their radar.

4. Security appears on each board-level agenda

In those organisations that can be considered to have reached full maturity, strategic cyber-security planning becomes an integral part of discussions at the board level. The leadership team collaborates to address cyber-security risks, resilience and recovery efforts. Together, they establish the organisation’s risk tolerance levels and ensure that policies are in place to maintain operations within these agreed thresholds, supported by regular analysis of changes in the risk profile.

At this stage, the organisation should also be in a position to evaluate the benefits and drawbacks of emerging technologies, such as AI, incorporating cyber-security as a foundational element of its strategic planning processes.

5. Security is fully integrated and ‘by design’

From this point onwards, security is viewed as business DNA, with fully engaged employees following strict security processes and policies as a matter of course. Continuous testing and monitoring of corporate systems is standard practice, security teams are well-versed in incident response and data recovery, and the organisation has the right technologies and processes in place to ensure it can address resilience and recovery objectives.

With these capabilities in place, organisations can put themselves in the strongest possible position to optimise their approach to resilience and recovery. They can also have confidence that their approach to security aligns with the levels of maturity across other core business processes and capabilities.

Javier Dominguez is CISO at Commvault

Main image courtesy of iStockPhoto.com and Supatman