For many organizations to have an effective cyber culture, they must also have a mature cyber culture. A recent cybersecurity culture study conducted by ISACA and CMMI Institute found that only 5 percent of organizations believe no gap exists between their current and desired cybersecurity culture. A full third see a significant gap. That’s why I found it so valuable to sit down with cybersecurity leaders across the public, private and non-profit sectors to have a discussion in the UK last week about cyber maturity, what it means to people and how we can help organizations value being more prepared.
The general consensus at our session, “The Future of Cyber Maturity and Benchmarking,” was that our work must start at the top with the board. We must be speaking in terms the boards will understand and getting boards to value cybersecurity as a business enterprise risk issue that must be managed as such. This hasn’t happened yet to the degree it needs to. The cybersecurity culture study confirms this feedback in that 58 percent of respondents cited a corresponding lack of a clear management plan or KPIs.
Another key word involved in maturity is resilience. No organization is ever completely bulletproof from an attack. The idea is to train and plan thoroughly, ensure that the organization as a whole is as prepared as possible, and if/when an attack happens, is in a position to respond to the attack efficiently and effectively. That’s a resilient organization and the best we can ask for when it comes to cyber crime.
As organizations become more resilient, they must honor the need to effectively manage risk. The risk equation includes workforce readiness, security operations and capability maturity. Your workforce must be thoroughly trained to understand the risk at all levels.
The group was heavily focused on moving away from the old way of managing risk. Risk is not managing compliance or a checklist. It is truly about building resilience through a risk-based approach.
A quality maturity model looks at people, processes and technology, and takes all these elements into consideration. However, the discussion was largely around the workforce readiness and how to motivate people to do what needs to be done. Asking the right questions as technology leaders is a start. Are we doing the right things? Are we doing them well? How can we ensure the board is informed and engaged, and that we are focused on areas of greatest risk?
As technology leaders and assurance professionals, we discussed the need to be ahead of the curve, implementing cybersecurity as a business imperative, rather than waiting for an accident and reacting at that time. An organization must know its risk appetite and its risk posture.
All of this counsel goes for organizations of any size and at all places within the organization. We discussed the importance of supply chains, micro businesses and small and medium enterprises (SMEs) having special considerations as they build capabilities. SMEs do often have a much smaller staff to work with, but the responsibility to manage the risk remains the same, thus making a focused and strategic approach all the more important.
A mature organization is one that has truly examined its risk and understands it from the top down, with buy-in to protect the organization from each and every employee. I look forward to continuing this important discussion.