Don’t Just Survive in Cybersecurity – Thrive

Enterprises are struggling to advance their security, but a new research study can help organisations reach higher levels of security maturity.

By: Andrew Matthews
Earlier this year, SecureWorks sponsored the IDC IT Security MaturityScape Benchmark for Asia Pacific report in order to help business leaders understand and address the challenges of IT security, particularly in an age of digital transformation. The benchmark study provides a comprehensive look at how organisations can assess and strengthen their security posture, but in this three-part series I am going to focus on specific themes that recur throughout the report. Two themes that are worth thorough examination are a risk-based approach to security and the role of security within the organisation.
Evaluation Criteria for a Mature Security Program
IDC identified five critical dimensions to security maturity:
- Vision
- Risk Management
- Process
- People
- Security Technologies
Evaluating performance using these criteria, IDC placed organisations into five categories based on their security maturity. These categories, rated from least to most mature, are Ad Hoc, Opportunistic, Repeatable, Managed and Optimised. Eighty-four percent fell into the bottom two categories, where organisations either applied only basic operational security measures on an ad hoc basis or followed a fundamentally compliance-based security programme.
During the study, organisations were also asked to self-assess their approach to each of the security maturity dimensions in the context of how they were able to leverage their security programmes. Based on these assessments, IDC then segmented organisations into two categories – survivors and thrivers.
What Does It Take To Thrive?
Survivors may be going through the motions in a security sense, such as implementing firewalls and adding AV, but a significant knowledge gap remains when it comes to seeing the value security brings to strategic business decisions. As you might expect, survivors tend to cluster around the lower end of the maturity scale, with the largest number falling into the Ad Hoc category.
By focusing their security programmes and resources on reactive tactics instead of taking a more deliberate, methodical approach, they are unwittingly accepting large risks on behalf of their organisations that leave them extremely vulnerable to common and new threats.
When organisations focus on compliance, they may be successfully acting in accordance with security standards, but this approach still presents challenges. A compliance-based approach traditionally does not focus on the bigger picture needed to optimise a security posture. It is likely security budgets are prioritising compliance tactics that may not be the most efficient use of resources. Unfortunately, survivors often fall behind when it comes to vision.
As an organisation’s security maturity advances, its ability to adapt increases, and it moves closer to thriving. Maturation not only means enhanced capabilities – organisations that progress through the maturity model have a strong understanding of the importance of risk management and are constantly and proactively looking for the maximum risk reduced per unit cost. This is often accomplished by focusing on executive buy-in, developing a risk-based model for a strong security framework, building the business with security in mind and ensuring that the security framework is scalable.
Compliance Alone is Not Enough
A compliance-based approach to security is a common starting point, but resting on “checking off the boxes” will keep your strategy firmly stuck within the Ad Hoc and Opportunistic stages of security maturity. We know it’s important to improve one’s security posture, but organisations don’t always know how to get beyond compliance. Still, there are many ways to expand upon this approach and use it as a launching pad to better security, such as using risk management processes to develop a strategy that incorporates compliance requirements into an organisational framework.
According to the IDC survey data, thrivers, on the other hand, score highly on vision, which firmly places security into the context of overall business objectives, especially when making broader IT decisions. Ultimately, thrivers have the appropriate balance between short- and long-term vision, and companies can improve their maturity by engaging organisational stakeholders across departments and integrating security and risk discussions across the full breadth of the enterprise.
Process Planning Cannot Be an Afterthought
Thrivers actively take risk considerations into account, guiding how they prioritise their security programmes. As part of this risk-based process, understanding how cyber risk fits into broader overall business risk calculations will almost certainly improve your security posture. After all, security risks don’t just have security implications. An organisation that is dealing with the aftermath of a security breach may find itself suffering reputational damage, with a plunging share price and at risk of fines from regulators. Depending on the breach, its digital capital and IP may be at risk. At the very least, its eye will be off the ball in a commercial sense in the immediate aftermath. By considering these potential risks before an incident occurs, your organisation will be in a better position to mitigate damage and more efficiently respond.
Understanding the broader implications of a data breach will shape how you manage risk within the operational environment, an essential component of the process dimension. Process for thrivers could mean investing in more training, more monitoring and more proactivity, particularly when it comes to patch management. Most importantly, it requires organisations to prioritise and focus process improvements where they are most needed, constantly aiming to increase scope and automation while reducing risk at an acceptable cost.
Leveraging the Right People and Technology
Two additional dimensions contribute to IDC’s mature security model – people and technology. Those are often the areas that get the most attention from survivors, which can be attributed to the reactive nature of throwing technology and end user training at the problem. Thrivers use people and technology to enhance their security maturity too, strategically guided by the insights created by their focus on vision and risk management, especially when it comes to integrating support from the board.
IDC’s research showed more than 80 percent of respondents within the Asia Pacific region falling into the survivors’ camp. Moving from surviving to thriving won’t happen overnight, but by adopting the key principles of a mature security model, the journey can be made one step at a time – it takes a commitment to a holistic vision, a strong risk management culture, and buy-in and support from senior leadership.
For a pragmatic recipe for understanding your risk profile and moving past the Ad Hoc stage, this article about risk modelling can help.
In the next blog in this series, we’ll be taking a closer look at how vision, risk and people contribute to the role security plays as a business function.