elevenM’s Jonathan Topham discusses moving beyond cyber maturity metrics and taking a risk-based approach to cyber security.
You have to start somewhere, and for organisations about to embark on a formal cyber security program, that often means using a control framework to assess the efficacy of their controls and justify an initial investment.
As a place to start, cyber frameworks give a good grounding. Building maturity against frameworks like the Essential 8, NIST CSF and CIS helps organisations gain momentum in their security program, become compliant and have some confidence in their basic cyber security hygiene. However, organisations often get fixated on control maturity as a metric for how their security program is performing.
The risk of using maturity as your primary metric, especially in reporting to boards and senior stakeholders, is that it traps security teams on a maturity hamster wheel, chasing higher maturity scores and little else.
What’s the problem with using maturity metrics?
Maturity-based approaches typically don’t consider the context of your organisation. That means the controls you need to implement and the level of coverage you must meet to hit maturity targets aren’t always appropriate.
This can be problematic for employees and organisations as it often leads to a “we’ve got to monitor everything” mentality in security teams. Trying to cover everything in your environment to an equal level of control often just leads to alert fatigue, security teams who are reactive or robbed of focus, and unhappy employees finding it harder to do their jobs.
From a cost perspective, maturity-based approaches often aren’t efficient in the long term. Expending ever-increasing resources to implement and maintain security controls, some of which might be unnecessary or even unhelpful in the context of your organisation, isn’t a recipe for sustainability, especially where budgets are tightening and boards increasingly want to see a return on investment for cyber spend.
However, perhaps the most insidious and dangerous outcome of a maturity-based approach is the sense of potentially misplaced confidence it provides. A high maturity score might offer an easy narrative for stakeholders, but it could be masking deficiencies in your program, typically over-monitoring areas of low value while under-monitoring key risk areas. As we’ve noted before, “…the existence and maturity of a set of capabilities does not in and of itself indicate protection against the specific threats an organisation faces.”
Taking a risk-based approach
Adopting a risk-based approach is a more targeted way of addressing this challenge.
By integrating cyber security into your organisation’s enterprise risk management processes, cyber security risks are positioned as a cross-enterprise issue rather than just a technology or security team problem. This helps you, and your stakeholders, quantify cyber risk to business or enterprise objectives and better prioritise the implementation of controls.
Essentially, the risk-based approach moves your organisation away from trying to address everything, everywhere at the same time and concentrates focus on addressing the ‘most likely’ and ‘most dangerous to us’ first.
By understanding the threats and working with the business to identify what’s of value to your organisation, you can focus your efforts on the business-critical assets and the processes most in need of securing. This is typically better value for money than trying to build controls everywhere and it makes it easier to justify ongoing investment, as costs are tied to outcomes everyone understands.
Focusing on risks can also position security as an enabler of the business, where the controls you implement allow the organisation to act on opportunities it couldn’t otherwise have pursued.
5 steps to get you started
Risk-based approaches differ from organisation to organisation, which is what makes them effective. However, they all rely on a good understanding of the context of your organisation and the environment in which it operates. Some good first steps to consider are:
- Identify the threats that are relevant to your organisation — Who are they, what are they after and how do they operate?
- Engage the business to understand sources of “value” to your organisation — These could be people, processes and/or critical assets (“Crown Jewels”) but it’s important to get them into a register. And don’t forget to include your third parties.
- Use a control framework to assess the health and scope of controls across your organisation — Identify potential areas of control improvement, paying particular attention to the controls around those sources of value.
- Use your enterprise risk management framework to take what you’ve learned and quantify the risks — By identifying the risks and understanding the “cost” of exposure, you should be able to identify some risk reduction initiatives to bring them down to an agreed appetite.
- Start to communicate cyber risks in terms the business can understand — Build your communications to senior stakeholders and boards around business outcomes. Stay away from operational metrics or maturity scores and instead concentrate on building out Key Risk Indicators (KRIs) to show how you are reducing risks to the things the organisation cares about.
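To make the five steps concrete, here is an added worked example (it is not code from the original post, and the scoring convention is an assumption of this example, not elevenM’s method). It builds a small risk register from constructed sample data: threats with a likelihood rating, sources of value (including a third-party SaaS) with an impact rating, and controls that only count where they both protect the asset and mitigate the threat. It then ranks residual risk, compares it with an agreed appetite, and derives the kind of Key Risk Indicators the last step recommends. The asset, threat and control names are hypothetical, and the 1-to-5 scales and the 0-to-1 control effectiveness values are illustrative assumptions.

```python
"""Toy risk register for a risk-based cyber program (constructed example).

Scoring convention (an assumption for this example, not the post's method):
  inherent risk  = threat likelihood (1-5) x asset impact (1-5)
  residual risk  = inherent x (1 - combined control effectiveness)
A control only counts where it both protects the asset and mitigates the
threat; several applicable controls combine as 1 - prod(1 - e_i).
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int            # 1-5: business impact if this source of value is compromised
    third_party: bool = False


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int        # 1-5: how likely this actor is to attempt and succeed, unmitigated
    targets: tuple         # asset names this threat goes after


@dataclass(frozen=True)
class Control:
    name: str
    protects: frozenset    # asset names the control covers
    mitigates: frozenset   # threat names the control is effective against
    effectiveness: float   # 0..1: fraction of likelihood the control removes


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    inherent: float
    residual: float


def combined_effectiveness(asset, threat, controls):
    """Combine every control that applies to this asset/threat pair."""
    applicable = [c.effectiveness for c in controls
                  if asset.name in c.protects and threat.name in c.mitigates]
    return 1 - prod(1 - e for e in applicable)   # no controls -> prod() == 1 -> 0


def build_register(assets, threats, controls):
    """Score every threat/asset pairing and rank by residual risk, highest first."""
    by_name = {a.name: a for a in assets}
    register = []
    for t in threats:
        for target in t.targets:
            a = by_name[target]
            inherent = t.likelihood * a.impact
            residual = inherent * (1 - combined_effectiveness(a, t, controls))
            register.append(Risk(a.name, t.name, float(inherent), round(residual, 2)))
    return sorted(register, key=lambda r: r.residual, reverse=True)


def above_appetite(register, appetite):
    """Risks that still need a reduction initiative."""
    return [r for r in register if r.residual > appetite]


def key_risk_indicators(register, assets, appetite, crown_jewel_impact=4):
    """Business-facing KRIs rather than maturity scores or alert counts."""
    crown_jewels = {a.name for a in assets if a.impact >= crown_jewel_impact}
    cj_risks = [r for r in register if r.asset in crown_jewels]
    within = sum(r.residual <= appetite for r in cj_risks)
    return {
        "risks_above_appetite": len(above_appetite(register, appetite)),
        "crown_jewel_risks_within_appetite": round(within / len(cj_risks), 2) if cj_risks else 1.0,
        "risk_reduction_from_controls": round(
            1 - sum(r.residual for r in register) / sum(r.inherent for r in register), 2),
    }


# Constructed sample register: names, ratings and effectiveness values are hypothetical.
ASSETS = (
    Asset("customer database", impact=5),
    Asset("marketing website", impact=2),
    Asset("payroll SaaS", impact=4, third_party=True),   # third parties go in the register too
)
THREATS = (
    Threat("ransomware crew", likelihood=4, targets=("customer database", "payroll SaaS")),
    Threat("opportunistic defacer", likelihood=3, targets=("marketing website",)),
    Threat("credential phishing", likelihood=4, targets=("customer database", "payroll SaaS")),
)
CONTROLS = (
    Control("MFA on all accounts", frozenset({"customer database", "payroll SaaS"}),
            frozenset({"credential phishing"}), 0.7),
    Control("offline backups", frozenset({"customer database"}),
            frozenset({"ransomware crew"}), 0.5),
    Control("web application firewall", frozenset({"marketing website"}),
            frozenset({"opportunistic defacer"}), 0.4),
)
APPETITE = 8.0   # agreed maximum residual score (assumed)

if __name__ == "__main__":
    register = build_register(ASSETS, THREATS, CONTROLS)
    for r in register:
        flag = "ABOVE APPETITE" if r.residual > APPETITE else ""
        print(f"{r.threat:24} -> {r.asset:18} inherent={r.inherent:5.1f} residual={r.residual:5.1f} {flag}")
    print(key_risk_indicators(register, ASSETS, APPETITE))
```

Running it shows the ransomware exposure of the third-party payroll service at the top of the list, because no control applies to it, while the heavily controlled customer database against phishing drops well within appetite despite having the same inherent score. That is the "most likely and most dangerous to us first" ordering, and the KRI dictionary is the kind of output a board pack can carry instead of a maturity score.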