Move Your Security Maturity Five Steps Forward Rather Than One Step Behind
Start the journey of moving your organization away from a purely reactive security posture to a more mature approach.
By: Hadi Hosn
The problem with reactivity is that you're always one step behind. That might appear to be stating the obvious, but when it comes to cybersecurity, it's still hot news for many organizations whose reaction to new security threats is layer upon layer of new security equipment.
Increasingly though, security is being treated as a business risk issue, with organizations setting and implementing cybersecurity strategies with a set of risk-prioritized goals in mind. That produces a more mature security posture and means getting beyond a reaction-based approach.
To achieve this change there are five key steps organizations can take to improve their security maturity: plan, buy in, execute, evolve and future-proof. Let's take a high-level look at these steps one by one.
Step 1 – Building Your Security Plan
To create an effective cybersecurity program, you must first develop a strategic and overarching view of your organization's inherent risk profile. This will consider business and IT priorities, critical processes and systems, and information assets.
Once you have identified the priorities and carried out a risk assessment, the output will be a set of security capabilities that minimize the risks identified. This is your cyber-business risk model. It forms the basis of your security program plan, which you must design so that it can be delivered in a risk-prioritized, phased manner to ensure effectiveness.
Step 2 – Gaining Leadership Buy-In
Doing this is likely to require obtaining buy-in from the Board of Directors and that means selling the idea of security as a business risk issue. This isn't necessarily straightforward – the language of security and the language of business do not always align, and it's important to speak in terms that the Board understands.
It also requires buy-in across other strata of the business too. That means engagement with department heads and critical stakeholders to sell them the plan. It requires understanding their priorities so you can show them how a security maturity focus can help them obtain their objectives, reducing their risk and enabling them to meet compliance objectives.
Step 3 – Executing Your Security Plan
Execution is the next step, but if your idea of executing a security plan is to search out a compliance checklist and then buy the latest equipment, then you are still stuck in reactive mode. Far more effective is to leverage a framework or maturity model that clearly defines where you are now in terms of security posture and where you need to be relative to your business risk profile and industry benchmark.
The Secureworks™ Security Maturity Model is a holistic, risk-based, flexible and pragmatic model that uses an organization's business operations and risk profile to create a tailored path to maturity. It draws on the best of established industry frameworks like NIST and ISO 27001 and enhances them with our extensive experience across our client base and in threat intelligence to enable precision-focused benchmarking.
Indeed, benchmarking security against industry is a proven method of demonstrating to senior management and the board the need to invest further in security and optimize security operations.
So, ultimately, to reduce their risk, companies need more than simply adding layer after layer of new technologies. What they need is a coordinated approach across all the layers to reduce inefficiency and complexity, make better use of investments and reduce risk exposure.
Step 4 – Don't Rest on Status Quo
Savvy organizations realize security maturity is a journey, and it's critical to continue to evolve along the maturity axis. Threat actors continually evolve and so must their targets to ensure that they maintain and enhance their level of resilience. Using a suitable maturity model, for example the Secureworks Integrated Cybersecurity Framework, is a good way to do this.
That's because this helps to imbue the organization with a culture and mindset of continuous security improvement across all service areas. Secureworks' framework should be used as a regular means of assessing maturity and identifying areas of focus for improvement and progression to the next maturity tier. What's more, as the threat landscape changes, because this model is risk-based, targeted expectations for the correct tier of security maturity should also change.
Step 5 – Future-Proof Your Security
Finally, organizations need to think about the long-term impact of their program, which can be achieved by ensuring that security and privacy are built into all organizational activities by design, from the outset, not treated as an afterthought. Integrating security early in the development process and including it in user training both go a long way towards creating a culture of security where employees are invested in the program's success.
Many of the other aspects of creating a security culture are found in the previous four steps, but what underpins a mature security program is that cybersecurity must remain front of mind throughout the organization. This is what takes security out of the reactive approach, out of the IT-specific risk mentality, and towards a proactive, business-risk-driven methodology.
Obtaining a high level of security maturity doesn't happen overnight. This overview is a great starting point, but we know it takes more than one blog to kick-start your journey. To help you move beyond a reactive approach to security, our white paper, 5 Critical Steps to a More Mature Security Posture, provides actionable advice on the following:
- The seven key stages in creating a security plan
- Security metrics that are actually useful
- How to translate security into business language that will resonate with the Board