Executives are no stranger to the importance of cybersecurity (a Cisco survey last year showed 96% see security resilience as a high priority), but that hasn’t slowed cyberattacks. Not even a little bit. Look no further than Yum! Brands—parent company of KFC, Pizza Hut, Taco Bell, and other franchise restaurant brands—for an example of how even proactive companies can fall victim to breaches.
The Fortune 500 organization has adopted a preventative risk posture, combined security with effective data governance, and worked to identify weak points. Yet in January 2023, they fell prey to a ransomware attack that resulted in the exposure of an untold amount of personally identifiable information (PII). Yum! Brands’ rapid response curtailed any cascading damage in the wake of the breach, but much of the devastation was already done.
If this example underscores anything, it’s that organizations need to treat the assessment of their cybersecurity maturity gap as an open-ended process. Hacking strategies evolve, system and platform vulnerabilities gain attention, and employees get complacent with their security hygiene.
Stop assuming the best or the worst. Instead, take a proactive step and determine how far your perceived cybersecurity maturity is from reality—and then close the gap.
Double Check Your Integrated Risk Management
In a survey conducted by the Information Systems Audit and Control Association (ISACA), 70% of respondents said their buying decisions were governed by an integrated risk-based approach. This is a good sign for overall market maturity, but those lagging organizations are creating a widening rift in their cybersecurity posture.
The old mindset of compliance-based security, once the default approach for IT, only checks boxes to meet regulatory or industry expectations. Organizations that adhere to compliance have met the law and followed the standard to prevent obvious or evident threats to security or privacy. However, mere compliance isn’t well equipped to address emerging challenges or adapt at the speed of hackers’ malicious ingenuity.
Integrated risk management is proactive, identifying and responding to potential sources of risk before they can result in harm to the enterprise. Yet this isn’t only the function of a security or IT team. Business leaders and employees need to know how everything from adopting new tech tools, working with new vendors, or even shifting their work policies (à la COVID remote working) poses a threat that can and should be addressed.
Though not a comprehensive list, here are a few questions that can help you determine if you are actually embracing a fully risk-based approach to cybersecurity:
- Do you have processes to assess vendor cybersecurity risk?
- Have you created fail-safes in the anticipation of outages?
- Does your organization have formalized and routine training programs to decrease user-based risks?
- Are you implementing security measures to defend against user error or liability?
- Do you regularly test your own tools and policies for gaps?
- Do you document your self-assessments to track shortcomings and map progress?
If you’re answering no to any of these questions, your organization still has work to do to seal potential gaps.
Assign Dedicated Staff to Cybersecurity Maturity
Many challenges in the business world remain unaddressed because of a lack of dedicated time or people committed to the resolution. The aforementioned ISACA survey confirms these are the top two problems for building cybersecurity maturity. At least 53% of surveyed executives fret about the time it takes to complete a cybersecurity assessment, and 45% struggle because they lack the people to perform the assessment.
Though large organizations and enterprises have begun to recognize cybersecurity professionals as an essential in-house resource, there is still a gap at the leadership level. The Heidrick & Struggles Board Monitor US 2022 report found that, of new board members added in 2021, 17% had cybersecurity experience. This was a sharp increase from the year prior, but there’s still progress to be made on bringing this essential perspective mainstream.
What can the right leaders bring to the table? Here’s what ISACA found was top of mind for IT security executives:
- Creating a roadmap to improve cyber maturity.
- Reducing risk tied to financial loss.
- Tracking progress toward maturity goals.
None of the concepts are esoteric or novel, but they do benefit from the guidance and perspective of a dedicated leader focused and prepared to act. Moving the needle on security maturation is easier when there is top-down direction.
Pinpoint the Right KPIs
Avoiding a massive data breach isn’t the alpha-and-omega cybersecurity benchmark. Just because a visible violation hasn’t occurred doesn’t mean all gaps are closed (or even that violations haven’t happened). Measuring progress based on actionable KPIs can help ensure that you’re not only closing past rifts in your defenses but preventing new ones from jeopardizing your business.
Where should you be starting? There are two main categories that can help your organization to create some quantitative measures as you mature your cybersecurity posture.
- Access Management – What percent of accounts are secured with multi-factor authentication? How often are password and access policies reviewed? What is the average completion time when removing rights for former employees?
- Proactive Patching – How often are you scheduling patches for in-house platforms? How often are third-party vendors patching their systems? How many risks or issues remain unremedied since the last cybersecurity audit or assessment?
- Disaster Recovery – How frequently are backups made? How often are backups tested for their precision and integrity? At what frequency do vendors back up their own systems?
- Cybersecurity Awareness – What percent of employees have completed training in cybersecurity best practices? How many employees pass phishing or cybersecurity audits? What percent of employees have weak passwords?
- Response Times – What is the mean response time to intrusion attempts? What is your average detection time? What is the average response time when a successful breach is detected?
- Types of Attacks – How often are you receiving surges of non-human traffic? How often are you subject to ransomware? How often are phishing attacks successful?
- Vendor Responses – How quickly do vendors notify you after a breach of their own? Which types of cyber-attacks are vendors repelling and how often?
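To make a few of these KPIs concrete, here is an added example (not code from the original post or from w3r Consulting) that computes MFA coverage, mean offboarding time, mean time to detect, and mean time to respond from constructed account and incident records; the record fields and the sample values are assumptions for illustration only.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data for illustration, not real account or incident records.
# Timestamps are ISO-like strings; "terminated"/"access_removed" only exist for
# former employees, and "first_seen" is when the intrusion activity started.
ACCOUNTS = [
    {"user": "alice", "mfa": True,  "status": "active"},
    {"user": "bob",   "mfa": False, "status": "active"},
    {"user": "carol", "mfa": True,  "status": "active"},
    {"user": "dave",  "mfa": True,  "status": "terminated",
     "terminated": "2023-03-01T09:00", "access_removed": "2023-03-02T15:00"},
    {"user": "erin",  "mfa": False, "status": "terminated",
     "terminated": "2023-03-10T09:00", "access_removed": "2023-03-10T11:00"},
]

INCIDENTS = [
    {"id": "INC-1", "first_seen": "2023-04-01T02:00",
     "detected": "2023-04-01T08:00", "contained": "2023-04-01T12:00"},
    {"id": "INC-2", "first_seen": "2023-04-05T10:00",
     "detected": "2023-04-05T10:30", "contained": "2023-04-05T14:30"},
]

def _hours(start, end):
    """Elapsed hours between two timestamp strings."""
    fmt = "%Y-%m-%dT%H:%M"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    return delta.total_seconds() / 3600

def mfa_coverage(accounts):
    """Percent of active accounts protected by multi-factor authentication."""
    active = [a for a in accounts if a["status"] == "active"]
    return 100.0 * sum(1 for a in active if a["mfa"]) / len(active)

def mean_offboarding_hours(accounts):
    """Average time from termination to access removal (former employees only)."""
    return mean(_hours(a["terminated"], a["access_removed"])
                for a in accounts if a["status"] == "terminated")

def mean_time_to_detect_hours(incidents):
    """Average time from first intrusion activity to detection."""
    return mean(_hours(i["first_seen"], i["detected"]) for i in incidents)

def mean_time_to_respond_hours(incidents):
    """Average time from detection to containment."""
    return mean(_hours(i["detected"], i["contained"]) for i in incidents)

if __name__ == "__main__":
    print(f"MFA coverage: {mfa_coverage(ACCOUNTS):.1f}%")
    print(f"Mean offboarding time: {mean_offboarding_hours(ACCOUNTS):.1f} h")
    print(f"Mean time to detect: {mean_time_to_detect_hours(INCIDENTS):.2f} h")
    print(f"Mean time to respond: {mean_time_to_respond_hours(INCIDENTS):.2f} h")
```

Tracking these four numbers over successive assessments is what turns the questions above into a trend line rather than a one-time checkbox.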
Working with the Right Partner
You might have noticed a repeated theme throughout our recommendations: your vendors have a measurable impact on your overall security posture. Their lack of security hygiene or failure to perform thorough identity and access management can spread to your organization like brushfire in a parched and packed forest.
Certainly, some of the proactive measures you implement can compensate for a vendor’s shortcomings, but your partner should take their security as seriously as you take your own. During the evaluation process, they should be able to provide you with their blueprint and best practices for keeping their business secure from crafty and adaptive cybercriminals.
Whether you choose a partner to augment your own security or to elevate your data management or AI capabilities, the proactive steps they embrace should simplify your road to mature cybersecurity measures. Because why should you be the drive-in stop for hackers to satisfy their hunger for sensitive data?
If you’re ready to work with a partner that takes cybersecurity maturity seriously, it’s time you turn to w3r Consulting. We continuously improve our cybersecurity strategies to keep your business and our business protected.