The Expert View: Accelerating cyber-security maturity in a time of economic uncertainty

Achieving cyber-security maturity is a constant challenge, Mark Watkinson, Head of Product Marketing at Adarma told a recent TEISS Breakfast Briefing at London’s Goring Hotel. He told attendees – all senior cyber-security professionals from a range of sectors – that an evolving threat landscape, growing attack surface and ongoing talent shortage were all exacerbating the problem.

Attendees defined cyber-maturity as a combination of the right technology, people and processes. Organisations must evaluate their capabilities in each area and assess how effectively they perform. While confident organisations might rate themselves as a four out of five, one attendee argued, almost nobody could claim to score a five.

Most organisations have a good idea of their cyber-security maturity because they are regularly undergoing external audits and filling out security questionnaires. In regulated industries especially, maturity is impossible to overlook.

The path to maturity

There are several areas to focus on when it comes to improving maturity, attendees agreed. First, attendees recommended ensuring basic security measures are in place, then building upon those in layers, addressing more complex problems as the foundation strengthened. One attendee said that a risk-based approach would be a good strategy, because managing risks will naturally increase maturity.

That leads to the second point, however: that the security team doesn’t own the risk, they own the controls. It is essential to engage in clear communication with the business to ensure they understand that, then reach a mutual agreement of the appropriate controls.

Third, conduct reviews, audits and exercises, such as tabletop simulations, to identify and address weak points in the organisation’s security posture. These activities also help increase board awareness of the importance of security tools and measures. Attendees agreed that these activities helped to highlight areas that required improvement, while also casting light on the importance of security for the board and other senior executives.

Ultimately, several attendees suggested that the greatest accelerator of cyber-security maturity is a breach. Sometimes this can be a breach that affects a company in the same sector. But regrettably, often senior leadership has to experience a breach first-hand before they take action to improve maturity.

Identifying the right tools

Risk can be managed better with the right tools, but choosing them involves evaluating their ability to manage risks effectively, not just their features. Some attendees said they were often asked to buy a tool based on its features, without a clear understanding of what risk it would address or how it would help.

Furthermore, tools often bring added complexity because they need to be connected to existing systems and frequently require trained staff to manage them. Those people must be recruited and retained which, in the middle of a skills shortage, can be a challenge.

Attendees also pointed out that today’s tools tend to continually expand their features, which increases the overlap between those tools. In some cases, this might mean that a company needs just one tool. But, more often, multiple tools are still required to get the required features, and end up managing greater redundancy.

One area where attendees said they were looking at adding tools is automation. Some attendees said they already automated tasks such as playbooks and ticket management. However, these, too, require skilled staff to manage them – and people with those skills might be harder to find. More generally, some attendees also said they were looking at the security risks that come with increased automation across the business.

Finding the outsourcing balance

Instead of trying to manage tools for every possible risk, attendees were in favour of outsourcing certain tasks. By focusing on core competencies and outsourcing ancillary tasks, organisations can optimise their security operations.

However, establishing the right partnership is crucial to success. Responsibilities must be clearly defined, and organisations must ensure they can trust and work effectively with their chosen partners. One attendee added that it is important to outsource only processes that are already working well. Outsourcing problems just moves the problem elsewhere.

Overall, attendees argued that reaching cyber-security maturity is a complex and ongoing process that requires a multifaceted approach. By focusing on risk ownership, addressing security basics and conducting regular reviews, organisations can make significant progress. The effective use of technology tools, automation and outsourcing can further enhance an organisation’s security posture, ultimately enabling it to better protect its assets and operations in an ever-evolving threat landscape.

For more information, please visit Adarma.com.