A New Security Maturity Model: How Does Your Business Stack Up?
The Frost & Sullivan and Secureworks Security Maturity Model (SMM) analyses companies beyond the layers of defence and examines security maturity across five domains
By: Ian Bancroft
Digitisation has transformed how we live, work, and play, but it’s also given rise to a variety of security threats that stand to challenge this new world order. An assessment report from the UK government found that nearly half of British firms have been hit by a cybersecurity breach in the past year alone. On top of that, news headlines are reporting daily on the latest data breach or cybercrime to hit everyone from high street retailers to transport firms, creating an air of caution amongst citizens and businesses alike.
With the advent of innovations such as artificial intelligence and the internet of things (IoT), that threat only grows as a fresh set of vulnerabilities emerges with more harmful consequences. For example, Abbott's pacemakers were recalled by the American Food and Drug Administration (FDA) after a vulnerability was found in their software. If exploited, attackers could drain a pacemaker's battery, change its programmed settings, or even alter the pacing and rhythm of the device. Over 400,000 patients were urged to visit a hospital to receive the software update; had an attack occurred before the patch was applied, it could easily have caused long-term harm.
As new innovations continue to emerge, the potential threats now place information security at the top of every business leader's priority list. The majority of businesses regularly update their software and malware protection, and two-thirds of organisations invest in ongoing cybersecurity measures. However, even with this increasing investment, companies remain underprepared for potential security threats because they are not looking at the whole organisational picture.
To address this gap, Frost & Sullivan and Secureworks® co-created a Security Maturity Model (SMM) that analyses companies beyond the layers of defence their IT department has in place and examines five factors that contribute to a company’s security maturity. These include: People, Organisational Culture, Technology Tools & Controls, Security Operations, and Cloud Adoption.
Speaking to hundreds of decision-makers at large UK enterprises, Frost & Sullivan identified three distinct groups on the security maturity continuum, ranging from low to high security maturity, named Underprepared, In Transition, and Security Leaders. The study revealed that more than half of large UK businesses are Underprepared on multiple fronts for the evolving landscape, in areas such as people, processes, and organisational culture.
While every organisation’s approach to information security is different, understanding and learning from the shortfalls of those analysed will help inform the best practices business leaders should adopt when forming their security strategies.
- Lack of automation in security controls: The biggest issue for Underprepared enterprises in the Technology Tools & Controls domain is how IT tools and controls are used (e.g. without any degree of automation, and solely as a means to detect and prevent network breaches). Detecting and preventing breaches is important, but an enterprise also needs to understand where and how to adequately monitor its critical data. This is vital because GDPR expects an enterprise to be able to detect breaches that have made it past its security defences. Automating selected cybersecurity processes helps here by increasing efficiency and ensuring resources are available where they are needed most.
- A fragmented cloud strategy: In the Cloud Adoption domain, 67% of Security Leaders and 74% of Underprepared enterprises have a cloud strategy that lacks input and involvement from IT and security professionals. To put that in perspective, only 6% of Security Leaders have reached the highest level of maturity in this domain, signalling a widespread issue. Wherever an organisation sits on the maturity scale, any cloud strategy being developed must involve IT and security professionals to ensure it complies with industry regulations and has the greatest chance of achieving the business's goals. If an enterprise struggles to find the right talent to strengthen its cloud security standing, suspending cloud services across the organisation is highly recommended, at least until the business and security teams are aligned on objectives and security needs.
- Limited awareness of incident response plans: Having an incident response plan only works if employees are aware of it, are trained regularly on how to carry it out, and an in-house expert is appointed to lead and reinforce it. In the Security Operations domain, only 48% of organisations have established security guidelines and defined incident response procedures, and 72% have not implemented an incident response plan that users are aware of. That is largely down to a lack of maturity in the Organisational Culture domain, where many organisations do not even have a dedicated security role in the IT, Risk, or Legal departments. With the GDPR's strict requirements, security cannot operate in a silo; it needs to permeate the business from C-level to customer support.
While many organisations have the elements of a robust cybersecurity strategy, there is a clear need for a shift in perception of its importance beyond basic security tools and controls. Cybersecurity should be viewed as a critical enabler of business growth that protects the valuable IP, business plans, employee information and, most importantly, the customer data that drives the organisation forward. While the rise of cybercrime is daunting, the challenge UK enterprises face is not insurmountable. It only requires understanding that, just as modern business uses technology to enhance productivity, cybersecurity strategies must mature to protect the business from unforeseen disasters.