
Should Your Organization Independently Assess Cyber Security Maturity?

Security posture assessment challenges

As cyber threats become more sophisticated in today's digital age, organizations must ensure their cyber security measures are robust and effective. One way to achieve this is through independent cyber security maturity assessments. This article explores the benefits of such evaluations, the choice of frameworks, target maturity levels, sector benchmarking, and the transition from a maturity-based to a risk-based approach.

Some organizations steer away from independently assessing their security posture. This hesitance can be for several reasons, including:

  • Over-reliance on the internal teams and controls in place:
    Unfortunately, organizations often have a false sense of security, which can be shattered when they fall victim to a serious cyber-attack – which is frequently the trigger for the realization that an independent assessment should be done.
  • Reluctance to share sensitive information with external assessors:
    This is a false assumption, as appropriate confidentiality agreements can and should always be in place before the assessments.
  • Complexity of implementing recommendations for improvement:
    This is often linked to a perception that such recommendations might be 'too much' for the organization.

This article will present the case of why these points should not deter organizations from being independently assessed, as the benefits far outweigh perceptions and concerns.

The buy-in of senior leadership/executive boards is essential to improving an organization's cyber security posture, and topics such as those covered in this article should be discussed with and well understood by them.

The benefits of an independent security assessment

Why should organizations use the services of a trusted third party for a cyber security maturity assessment rather than relying on an internal assessment? There are several reasons for that.

1. Independence:

An independent assessment ensures that the evaluation is free from internal biases. Even if an organization has a suitably skilled internal audit function that is independent of the IT / cyber security functions, this may not be sufficient to ensure that the principle of not auditing your own work is followed.

2. Expertise:

Independent assessors bring specialized knowledge and experience. They are well-versed in the latest cyber security threats, trends, and best practices, providing valuable insights that internal teams may lack. This is extremely valuable not only for the findings of the assessment, but also for the associated recommendations for improvement, which are typically provided as part of the assessment. Additionally, independent assessors assure that the criteria for maturity ratings are well understood and consistently applied – something which is often lacking in internal assessments.

3. Reliability:

As a corollary of the two points above, an independent assessment is generally considered to provide more reliable outcomes than an internal one. It provides credibility and actionable insights that resonate with key internal stakeholders (such as executive boards) and, in many cases, with external stakeholders (such as customers or regulatory authorities). This can also help foster a culture of continuous improvement and security awareness within the organization.

4. Assurance:

An independent assessment provides an additional layer of assurance that the cyber security processes and controls in place are robust and aligned to best practices.

Engaging with a trusted third-party for an independent maturity assessment does not come without associated costs, of course, but the long-term benefits (improved security posture, reduced risk of breaches, compliance with regulations) far outweigh the upfront investment.

What to consider when evaluating cyber security maturity

Choosing an assessment framework

Selecting the proper framework for a cyber security maturity assessment is essential. Some of the most widely recognized frameworks include:

  • NIST Cybersecurity Framework (CSF): This framework provides a comprehensive approach to managing and reducing cyber security risk. It is very widely adopted across all industries and organizational sizes.
  • CIS Controls: The Center for Internet Security (CIS) Controls are a set of best practices for securing IT systems and data. They are prioritized and actionable, making them a practical choice for many organizations.
  • ISO 27001: This international standard specifies the requirements for an information security management system (ISMS). It is widely adopted and, unlike the two frameworks mentioned above, provides the possibility of certification against it.

The CIS Controls comprise more detailed controls than the other two frameworks, but they are mostly technical in nature, with minimal coverage of governance, risk, and compliance aspects, which are comprehensively covered in both NIST CSF and ISO 27001. On the other hand, the CIS framework includes the useful concept of 'implementation groups', which allows organizations of small/medium size to be assessed only against defined subsets of the full set of control safeguards.

Depending on the industry sector and specific needs, organizations might also consider other frameworks, such as the NCSC's Cyber Assessment Framework (CAF), or consider a hybrid approach with more than one framework.

In essence, assessments can be tailored to an organization's unique needs and scale, ensuring relevance and practicality and helping to meet applicable regulatory requirements.


Choice of target maturity

Most cyber security maturity assessments are scored using a 0-5 maturity rating scale based on the Capability Maturity Model Integration (CMMI) or a variation thereof. A target maturity in the region of 3 is frequently adopted. The criteria for a rating of 3 are that the controls are consistently implemented and extensively documented, both at policy and procedural level, with ownership clearly assigned.

In any case, determining the target maturity level is a strategic decision that depends on various factors, including the organization's risk appetite, regulatory requirements, and business objectives. A higher maturity level indicates a more advanced and proactive cyber security posture but also requires more resources and investment. Organizations should aim for a target maturity level that balances security needs with operational feasibility.


Sector benchmarking

Benchmarking against industry peers can provide valuable insights into an organization's cyber security maturity. However, it is important to note that benchmarking data can be limited and may not always be reliable. Proprietary benchmarking databases of specialist providers who deliver cyber security maturity assessments will generally be reliable, but they hold significantly lower volumes of data than the broader subscription-based databases that are available. The data within the latter, however, is known to be much less reliable for a number of reasons.

All things considered, it is preferable to rely on a relatively small but reliable sample rather than a large but unreliable one. Independent assessors should always be transparent to their clients about the source, volume, and reliability of benchmarking data presented to them.

Variations in frameworks adopted, organizational size, complexity, and industry-specific threats can also impact the comparability of benchmarking results. Organizations should use benchmarking as a general guide rather than a definitive measure of their cyber security maturity against their industry sector.


Cyber security maturity: maturity-based or risk-based approach?

While a maturity-based approach focuses on achieving specific levels of cyber security capabilities, a risk-based approach prioritizes addressing the most significant risks to the organization. Starting with a maturity-based assessment can help establish a strong foundation, but organizations should aim to transition to a risk-based approach over time.

This shift allows for more dynamic and adaptive cyber security strategies that are better aligned with the evolving threat landscape and lead to more cost-effective resource allocation. The two approaches can also be combined by starting with a maturity-based approach to establish foundational controls and governance and then adding a risk-based approach layer to address specific threats and optimize cyber security investments.

Quantitative management of cyber security, with appropriately defined metrics, can and should provide the means to measure, after the assessment, how successfully the recommended improvements have been implemented.

Conclusion

Independent cyber security maturity assessments are a vital tool for organizations seeking to enhance their cyber security posture.

Organizations can build a robust cyber security strategy by leveraging the expertise and objectivity of external assessors, selecting appropriate frameworks, setting realistic target maturity levels, and using sector benchmarking judiciously. Ultimately, transitioning from a maturity-based to a risk-based approach will enable organizations to manage and mitigate cyber security risks more effectively in an ever-changing cyber landscape.

If your organization has not yet undertaken an independent assessment of its cyber security maturity, we strongly recommend that you take the first step by selecting and engaging with a trusted, specialist third party.

About the authors:

Alvaro Rosa and Darren Speirs are Principal Security Consultants in NCC Group’s Consulting & Implementation division. They are co-responsible for the Cyber Security Review service line and have delivered cyber security assessments based on various frameworks to clients across sectors and regions.
