
Deloitte & Equifax - Why it's important to invest in your Cyber Security Maturity, a word to the CISOs

by Giulia Foss | 28 Sep 2017

Often, CISOs struggle to understand and share precisely what is happening across their estate at all times. To support business change or user demands, organisations have evolved highly sophisticated, interconnected structures, some of which are internally owned and some run by third parties.

This growing lack of control and visibility directly impacts how informed and prepared an organisation is to deal with either attempted or successful attacks. If a CISO wants to have an informed business conversation with their executives about risk, they need the same level of confidence in their presentation of cyber performance data and reporting as the finance director would have in the numbers they bring to the board. Organisations that invest in creating a concise and accurate view of their cyber security state and can communicate this clearly to the rest of the business see the benefits in terms of confidence and more informed, collaborative decision-making around the value of cyber investment.

Assessing your CSM: What are the challenges?


The cyber security landscape has grown rapidly; outside of IT, its traditional home, cyber risk touches every aspect of a modern business. Various departments are involved, from HR, through its responsibility for cyber awareness training, to risk experts in Finance, to compliance and audit and, increasingly, resilience and business continuity professionals, and an organisation’s data is similarly dispersed.

Those in the unenviable position of reporting the organisation’s current cyber state to the board will often approach the question of the cyber security state from a rather narrow viewpoint. Until now there have been significant inconsistencies in the content and delivery of CSM reporting.

There are a number of reasons for this: the evolving risk landscape and associated technology have developed at unprecedented speed. This has led to organisations implementing a range of security solutions and services from different suppliers. The result is conflicting tools that do not necessarily communicate with one another, leading to gaps, crossover and duplication.

So, what is the answer?


In our experience, this lack of integration between solutions means organisations will get very little value from over half of their cyber security spend. Worse, they will not even have a way of deciding which solution best fits the business priorities. This continual spending without clear direction and results reduces the agility of security teams to respond to the next threat that emerges. Across multiple industries we have seen companies find themselves in a never-ending cycle of testing, part-fixing, requesting budget, spending budget, testing, and repeating. Yet at no point do these companies or the individuals feel confident that every penny of investment is driving CSM.

CSM requires businesses to look beyond security technologies and processes and examine indicators such as behaviours, events, systems and potential threats across the entire organisation. CSM owners need to be able to articulate across the business, especially to the board, the state of preparedness and organisational activity across five areas:

1. Compliance and accreditation
2. Technical compliance
3. Transformation and maturity
4. Events, alerts and threats
5. Governance and policy

Conclusion


Having the ability to analyse and benchmark your organisation in these areas in a consistent way allows an organisation to create a contextual and prioritised transformation plan to improve the overall CSM. CISOs, IT Security managers and CIOs can then track improvements and report confidently and knowledgeably to everyone in the business, quickly highlighting areas of improvement and the value of these gains, as well as building a positive, informed narrative around areas that require improvement.

At CNS, we’ve helped a number of clients unravel the complexity of their estates to establish greater control and visibility of performance, supporting them through the processes of building and then running their CSM programmes. Clients value our independent advice to plan and deliver CSM dashboards that meet their specific business, risk and compliance requirements. And whether organisations have struggled long and hard with cyber or are just beginning, the value of CSM is clear: transforming the ongoing business conversation about cyber risk, return on investment and measurable, comparative improvement.

To read our full paper, ‘Cyber Security Maturity: Driving Clarity through Complexity’ click here.

To find out more about how CNS Group can help you develop your organisation’s CSM, click here.
