From Cybersecurity to Cyber Maturity
19 January 2021
In the past, we have been too reliant on cyber technology, too focused on projects and driven by threat; it’s time to move forward. The saying ‘one size fits all’ just isn’t good enough in today’s threat landscape. Why? Because organisations are different, business operations are diverse, and risk varies across estates – so why would a standard ‘one size fits all’ solution work?
Instead of focusing on cybersecurity, organisations must move towards an operational state of cyber maturity that matches the modern demands of IT teams. So, we’ve created a six-stage risk-based approach that guides organisations from cybersecurity to cyber maturity.
Step One: Organisational Assessment
Understanding the operation of your business is paramount if you want to make calculated strategic decisions on how to protect it. It’s not just about understanding networks, servers, and data but the business strategy and organisational structure – (whether that be physical brick and mortar, or operational departments and teams). Alongside this, is identifying lines of business, the processes that support them, and the potential business impact of an incident occurring to them.
Legal, regulatory and compliance requirements of the business that create those immovable boundaries, should also be considered; alongside, services and systems that support the business, and the data classifications that define their contents. The clever part is to make the elements shown here relational, to define the hierarchy and how each supports the other. This process can be relatively simple for many teams to extract and use standalone Business Process Management tools (or Microsoft Visio), to effectively map the nuances of an organisation. This acts as the supporting foundation to make operational decisions as you progress through the maturity journey.
Step Two: Measure Risk
As part of step one, we extracted the impact of potential disruption on a particular line of business, which acts as a great foundation to take a more operational and organisational focused view of cyber risk. Combine all of this with some prudent investigation on business risk appetite, and you can derive a risk map aligned with the context of the business.
With relationship mapping, we can start slicing and dicing the risk to focus on areas that require more attention, from here we can create an organisational risk map that has business context, and begin mapping the controls to cover those risks. A simple scenario could be teams, systems, or data protected by a particular technical control to mitigate risk, or procedural and people controls that exist across an estate.
Step Three: Quantify the Threat
Step three is being able to quantify the cyber threat. We all know that the threat landscape is broad and diverse, and changing on an ongoing basis; to keep up, we must take an approach that gives us a wider view. The tools that gather this information have never been greater or more readily available. Whether they are external (dnstwister; MITRE ATT&ACK; and CiSP), or internal (alerts and events; vulnerability management; and internal logging) most have a wide breadth of data sources open to us. It’s just a case of widening our scope of vision to allow the threat view to come into focus.
Step Four: Cyber Control Efficiency
The steps up till now give a really good grounding to what controls are needed (and where) to cover risk across the estate. Controls don’t need to be technical; it’s important to consider the full suite of policy, process, people and technology controls already in our arsenal. Step four looks at these cyber controls and answers two questions – do they exist? And are they capable?
First, you assess whether there is a control that exists to undertake these mitigations, second, you see if it’s capable as just having a control doesn’t mean that it is configured and managed the way it should be to return the most value. By breaking out the capabilities into the Must, Should, Could or Would structure, you can calculate whether your controls are effective and efficient.
On the basis that a control does exist but is not capable, we must maximise its operational efficiency, or there’s a risk to be accepted by the business. If a control is absent, a risk discussion must be undertaken to understand whether the threat is high enough to justify work to explore what could be done to mitigate that risk. Or whether there is a control that could reduce the risk until it can be remediated.
Step Five: Operational Maturity
One of the most operationally rewarding steps is taking the controls you have and maximising their operation. To describe this, we have coined the term “to operationalise” which describes the process of ensuring that each control is:
- Configured: To an appropriate standard
- Coverage: Control has full estate coverage
- Monitored: Communicating events and alerts systematically
- Assessed: Control or service gaps assessed
- Remediated: Gaps remediated to achieve the required state
- Automated: Continual validation cycle in place
- Validated: Measures in place to validate efficacy
Each of the operationalisation stages can be measured and reported to evidence maturity of individual controls and the overall estate, and be used to drive continual service improvement reporting.
Step Six: Cyber Incident Response Plan
Part of any good cyber maturity journey is a well-thought-out Cyber Incident Response Plan (CIRP). A solid plan needs to be contextual and aligned with the business to make decisions quickly. This step takes all the learnings and, organisational insight gathered in the previous steps to help answer those difficult incident response questions we know are asked:
- Can we recover?
- Have we practiced?
- What do we need to recover?
- In what order do we recover?
- Who makes the call?
- How quickly can we decide?
All that data is in the wisdom we have built up in the previous five stages.
A ‘one size fits all’ package just won’t cut it, and while technology plays a part, it’s not designed to drive strategy or built to align to different organisational models. It’s about taking a strategic approach to operational cyber maturity and taking the controls you have and maximising their operation to demonstrably increase the value they add to a business.
Explore what zero trust really is from both an analyst and common view, we’ll look at common approaches, including practical steps you can take now to start the journey, and share our views on the operational side of it all.
A vulnerability found in Pulse Secure VPN appliances has been exploited impacting Government and Financial organisations. Read our advisory.
The NCSCs 8 Zero Trust principles help you focus your efforts when establishing a zero trust architecture. How many can you tick off?