ISACA Now Blog


Measuring Cyber Resilience - A Rising Tide Raises All Ships

Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA
Posted at 3:08 PM by ISACA News | Category: Security

I admit it … I am one of the 143,000,000 people afflicted by the Equifax breach. For those of us who reside in the US, that number approaches 60% of all adults, based on recent numbers from the US Census Bureau. Perhaps most unsettling is that failing to perform something as routine as a timely patch produced an event so catastrophic that it cost the CISO, CIO and CEO their jobs. Make no mistake about it, accountability for cyber resilience is in the boardroom and rests heavily on the shoulders of those in the C-suite. This is accentuated by the data from a recently completed study by ISACA and MIT, which overwhelmingly confirmed that CEOs and boards are leading enterprise digital technology initiatives.

Strong oversight of cyber security is now a critical component of organizations’ overall governance of their information and technology, and on that front, there remain some steep hills to climb. ISACA’s new Better Tech Governance is Better for Business research shows that only a little more than half of senior business leaders think their organization’s leadership team and board are doing all that they can to safeguard the organization’s digital assets, and less than half of boards intend to fund a significant expansion of their cyber defenses in the coming year, despite expanding attack surfaces and daily changes to the threat landscape.

There is much in the media and literature today calling for increasing technology competency in directors and senior executive leaders to achieve better oversight of what’s happening in the enterprise operations. There are also repeated calls for boards and the C-suite to further invest in cyber security and risk management, not only as a path to averting disaster, but as an enabler of the innovation required to thrive within a rapidly changing and increasingly complex technology landscape and regulatory and compliance environment.

The answer seems simple enough: recruit some new subject matter experts who can ask the right questions to serve on the board. While this is a good start, there’s still something missing: the fundamental ability to qualitatively and quantitatively measure the capabilities of an enterprise, allowing the enterprise to build its cyber resilience.

A CISO for a leading global payment company recently shared with me his story of being asked by a director on the company’s Board, “Are we safe?” His response was, “I think so,” to which the director retorted, “What do you mean you think so?” The story was instructional for me, confirming the need for ISACA and our CMMI Institute subsidiary to work with industry leaders on the development of a risk-based, enterprise-wide self-assessment that presents a holistic view of an organization’s established capabilities to protect and defend itself from cyber security attacks. Upon completion of the assessment, a report indicating the current state of the enterprise, including views on how the organization compares to other organizations of similar size, geographic location or industry, will be provided. Assessment outcomes can be used by boards and senior executives to understand the current state, along with a roadmap to improved cyber resilience that can serve as the basis for further risk management-based and business-focused investments. CISOs and board members won’t need to think their organization is safe; they will know it is.

With industry and government support, along with stakeholders in our professional community, this assessment can evolve into a community-accepted “universal consensus model” to measure progress in our respective industry sectors. Without such a tool, organizations, many of which are struggling to find tech-savvy board members, will continue to operate with incomplete or misleading information when deciding how to invest in the equipment, training and personnel required to build and maintain effective security programs.

The pressure on today’s executives when it comes to reliable cyber security and risk management is significant. The job of leading and managing these critical enterprise concerns is anything but easy. The days of cyber security being treated as a technology concern have passed us by. Cyber security is now and will remain a strategic business risk that, if properly managed, can fortify an enterprise to effectively and securely innovate. Perhaps the timing is now right for this new ability to measure cyber resilience, thereby creating the rising tide that will raise all ships.

Editor’s note: This blog post by ISACA CEO Matt Loeb originally appeared in CSO.


Examples of cybersecurity capabilities models

Dear Matt, I cannot agree more with you... In fact, I started to work on this issue 7 years ago, and for the last 4 years it has been public; nowadays it is on version 2 and more than 25 companies are using it to assess the cybersecurity capabilities of the services they provide (both internally and externally, as service providers).

Additionally, last December, the Spanish Government published its own version of a cybersecurity capability assessment model focused on industrial control systems.

If someone wants to check it, it is available at LEET Security website:
Antonio Ramos at 11/7/2017 4:26 PM

Measuring Cyber Resilience

Hi Matt, thanks for the informative document,
There are some vendors who perform security risk assessments as a third party and publish a cyber security rating. We have been availing ourselves of such services. That Cyber Security Rating score can give some idea or confidence to a CISO to handle board of directors' queries.
But definitely that score will be for that moment in time.
If you can suggest some products/services, that will help lots of people / CISOs to answer such queries from senior management.
Suresh Ahirekar - CISA,CISM,CGEIT
Suresh599 at 11/9/2017 11:20 AM

Cyberresilience models

The US-CERT and the DHS have made available the Cyber Resilience Review aligned with the NIST Framework. I found it very valuable and the resources can be found here:
Mamane at 11/10/2017 1:50 AM