According to the Council for Strategic and International Studies, an estimated $600 billion is lost to cyber criminals each year. A study by Juniper estimates that the amount lost to cyber attacks will grow to $5 trillion by 2024.
Yet year after year, CISOs still face challenges like thinning budgets and a lack of executive buy-in, and they are generally expected to perform the same functions at the same level despite the cutbacks. CISOs are expected to do more with less, and as responsibilities mount, it's easy for teams to become overwhelmed. COVID-19 has simultaneously exacerbated the problem and partially addressed it.
Known as the year of great acceleration, 2020 pushed digital transformation initiatives across thousands of industries, as the pandemic made it impossible to manage day-to-day operations in the office, face to face. CISOs and CEOs have been in more communication, possibly, than ever before. This has helped to align business and technology goals in an important way and has increased the security maturity level of a number of organizations. Yet there are still many that haven't reached their full potential.
Enterprises need a higher level of maturity to adequately address the new cyber threats they’re facing now that they’ve reached mid-level security maturity. But when we talk about maturity, what does that mean?
What Enterprise Risk Management Maturity Means
Cyber security maturity is a term that refers to an organization's ability and degree of readiness to mitigate vulnerabilities and threats. The more 'mature' a company's cybersecurity practices are, the better equipped it is to prevent threats before they become breaches.
Companies can fall short in creating new risk management programs by trying to adopt something that already exists but doesn’t match their goals. They essentially try to fit a square peg into a round hole. NIST CSF tiers can act as a guide between cybersecurity risk management and operational risk management. Implementation should be continuous and repeatable but also flexible. Inflexible approaches may seem ideal at first, but since the landscape of risk changes so often, organizations will suffer from a process that only creates more gaps when it refuses to shift with new threats.
Let’s look at steps enterprises can take to further their maturity level.
Step 1: A new mindset
2020 has proven that a new mindset is required to address cyber risk. Security needs to be framed not only around digital risk, but also around financial and operational risk. Immature organizations are endangering not only sensitive information but also client trust. With financial losses on the table as well, not addressing control gaps is riskier than ever.
A new perspective is necessary to increase maturity level from mid-level maturity to high maturity. Enterprises that have some policies in place but aren’t at the point where they’re ready for advanced automation or to continuously assess risk and compliance are still higher on the maturity scale than level one companies but lack the flexibility to achieve resiliency. If enterprises are simply reactionary in their approaches, they will always be playing catch-up when cybersecurity incidents and data breaches occur.
Executives and information technology departments need to start communicating more often and be open to one another's struggles and goals. Business goals and tech goals have to start aligning to further any maturity level. The siloed approach of each department working toward its own objectives is no longer enough to increase security posture.
Step 2: Innovation and experimentation
Being flexible in risk management approaches and being willing to experiment are also necessary to increase maturity level. Many IT GRC solutions are designed to address the same problem repeatedly, but when faced with new threats, they struggle to keep up. Legacy GRC solutions are modular, and data remains siloed. Different modules struggle to communicate with one another, leaving very little room to try new approaches or anything outside the box. Although it's a familiar solution for many organizations, the lack of flexibility doesn't permit growth and innovation.
Companies must be willing to be agile and encourage new approaches that facilitate new ideas and solutions that can be implemented rapidly in a cyber incident. This also signifies a cultural shift as high-level executives encourage this kind of new, forward thinking. It will trickle down to the rest of the company.
Step 3: Trust in each other
If executive buy-in doesn't exist and CISOs and CEOs treat the business and IT as separate entities instead of departments that complement and support one another, they will continuously clash, and a higher maturity level will never come to pass. A mature organization has IT and business goals that are aligned, and the units work as one toward common milestones. The relationship between the units must be built on transparency and trust.
This becomes critical when there is a breach. If the right policies aren't in place, or if there's little transparency or trust, departments will be playing a tug-of-war game of blame vs. solution, wasting valuable time in a crisis. At the end of the day, security leaders and business leaders are working towards the same goal: business success and security. Being able to frame risk assessments in business terms can go a long way in achieving balance in strategy and agenda.
Step 4: Secure a strategy
As organizations move up the security maturity stack, they evolve from prevention and minimum compliance to continuous monitoring and risk detection. Security leaders who are looking to move up need to make a strategy transparent and direct to all relevant board members and employees, so there are no surprises if (or when) a breach happens. Some questions to ask as you consider strategies could be: Do we want to rip and replace legacy systems, or do we want to augment them? What threat detection software do we have in place, and does it monitor in real time? Are we continuously assessing, or only assessing once every quarter or year?
By securing a plan and placing it into policy, companies can achieve cyber resiliency. They will have the ability to respond quickly to threats and address them promptly. IT and business will become more integrated and will trust each other to address concerns proactively and communicate when they do so.
Step 5: Optimization and efficiency
A Gartner survey found that even small operational advantages can lead to significant business advantages. The ability to get over hurdles even seconds faster is what can win the “race” against competitors.
An enterprise’s IT environment must connect data, people, and systems quickly to address threats in a timely manner. However, there are many IT departments that remain saddled with legacy systems that cannot be integrated quickly and that are being modernized piecemeal.
This kind of approach will never win the “race.” Chronic threats that aren't addressed efficiently make a company's security posture more fragile. This could cause it to lose ground to competitors who are more stable. Systems that are optimized, efficient, and work as a unit will not only keep a business level with competitors but also give it a chance to exceed its peers.
Increasing maturity and aligning business and IT has become a priority for many organizations as digital transformation spikes. Gone are the days when security investments were driven by regulatory and compliance requirements and managed cyber risks were a low priority. Security leaders are looking for solutions that aren't cobbled together from many different modules that leave critical gaps open for threats to take advantage of.