A large majority of organizations with mature cybersecurity programs use security frameworks to systematically improve their risk posture and resiliency. Frameworks such as the NIST Cybersecurity Framework, ISO/IEC 27001 and CMMC can serve as the basis for a comprehensive, systematic and iterative approach to auditing, validating and managing risk across cybersecurity operations. Immature organizations benefit greatly from such an approach, because an assessment surfaces what they do not know or have never considered. A typical example is a control requiring audit logging of unauthorized login attempts in an organization that had never enabled, or even considered, such logging before the assessment.
WWT is often asked by executives, “How do I compare to others?” as they try to establish where the ‘bar’ should be when weighing return on investment (ROI) and milestone goals for maturity. This article provides indicators and insights that enable executives to identify where they are in this journey compared to others, and where the best strategic gains are likely to be found when a framework is applied to their own cybersecurity program.
WWT has reviewed recent surveys, benchmarks (FAIR Institute and ESG) and anecdotal data from our own global practice to identify key insights and outcomes associated with framework-driven programs. For sources related to the indicators below, please see the references included with this article.
|Of assessed organizations are in a mature leadership category.|
|Of assessed organizations show improvements in maturity over a year. Organizations with no assessment show little to no maturity gain.|
|Leaders are nearly five times more likely to have a strong security posture.|
|Leaders are more than eleven times as likely to have extensive consolidation and processing of event data.|
|Leaders are three times more effective in incident response.|
|Leaders work with an MSSP to free up limited SecOps staff for business operations.|
|Leaders are five times more likely to be viewed as an enabler for the business.|
|Leaders are more than seven times more likely to report revenue success, in part due to the maturity and integration of their operations.|
|Leaders are also six times more likely to receive an increase in budget.|
Risk acceptance or risk ignorance?
Ignorance is not bliss when it comes to the risk of a cybersecurity breach. Accepted risk is risk that an organization has consciously chosen to accept. For example, in a three-year cybersecurity plan, the organization may choose to prioritize endpoint protection while deferring network monitoring solutions, based on available resources and priorities. Embracing transparently accepted risk is a cultural element that executives in mature organizations commonly strive for, because it allows risk to be understood and managed for both immediate and long-term needs.
Risk ignorance is not accepted risk, because the risk is neither known nor managed. For example, organizations that rushed to the cloud during the 2020 pandemic may never have considered the security solutions or the risk inherent in a work-from-home architecture. This type of risk involves the threat of the unknown: unmanaged risk that may or may not be present. Without due diligence systematically applied to people, process and technology, risk ignorance reigns.
Risk ignorance also occurs when organizations are overwhelmed by big data challenges and a high volume of security events. Immature organizations ignore more than 25 percent of events (ESG) simply because they are unable to investigate each one. 71 percent of mature organizations (ESG) ignore far fewer events, because they are able to scale and automate threat detection operations with high efficiency.
What do most organizations struggle with?
Threat and asset visibility are common areas of challenge for most organizations. Assets and threats are dynamic, with constant, fast-paced change underway. Tracking assets at scale, together with their criticality and associated threats, requires mature practices, processes and capabilities, along with orchestration and automation components. Mature cybersecurity organizations focus on managing the people, asset and software pillars of SecOps risk management.
Fewer incidents for mature organizations
Leading organizations have 40 percent fewer incidents (ESG) than immature organizations. Given two organizations with similar risk exposure, the mature one has the capabilities, processes and business functions in place to identify and protect against risk. The immature organization lacks the visibility and controls to identify and mitigate threats and, as a result, is much more likely to experience an incident. Mature organizations also calculate their average cost per incident and contextualize it within their larger SecOps expenses to accurately quantify the financial risk they have mitigated.
Mature organizations are over four times more effective at handling the stages of threat and vulnerability management. They are able to identify and mitigate risk far more effectively than those that are not leaders. The capabilities and process components required for these functions can be identified in a cybersecurity assessment, enabling organizations to close gaps on the way to highly effective and efficient operations.
Maturity gains follow assessments
The average maturity of an organization following a baseline assessment is 25 percent or less (FAIR 2019). On the five-point scale commonly used to report maturity, most organizations score around 1 out of 5 at their initial assessment (FAIR 2019). This reflects the all-too-common practice of ad hoc operations that lack policy- and process-driven routines and depend on 'heroes' within operations for quality outcomes.
How do organizations mature?
Organizations that perform a baseline audit and assessment of cybersecurity are able to comprehensively identify findings and gaps and build a risk management roadmap of prioritized maturity improvements. Within a year, organizations that perform a follow-up assessment have typically addressed the low-effort, “low-hanging fruit” improvements to policy and program that rapidly raise overall maturity. The rate of maturity gain slows as organizations become more mature, because the remaining improvements involve greater effort, complexity, cost and dependencies.
Most organizations seek to become “managed,” rather than ad hoc and inconsistent, aiming for a mid-range maturity of around 2.5 (out of 5). Optimized maturity, levels 4 and 5, represents metrics- and data-driven monitoring and optimization. Many organizations choose to pursue these higher levels of maturity only in the areas of the business where the return on investment is strong, while settling for moderate maturity in lower-risk areas of operations.
Frequency of board reporting
Most organizations report assessment maturity gains to the board on a quarterly basis (FAIR 2019). A smaller number report only semi-annually or annually. Fewer than one third of board members have an IT or InfoSec background (FAIR 2019). Most briefings rely on narrative storytelling, heat maps and maturity scoring updates. 60 percent of boards (FAIR 2019) are satisfied that the updates they receive are meaningful, with room for improvement in terminology and in alignment with the non-technical economic and business outcomes the board cares about, as those outcomes are affected by cybersecurity.
Performing a baseline cybersecurity assessment is the start of a commitment to a comprehensive, effective and efficient SecOps practice and a risk-managed organization. Organizations that then respond to the identified gaps and opportunities predictably achieve rapid gains in the first year by documenting and maturing the low-hanging fruit and other low-effort opportunities.
SecOps managers can use this as a strategic play to identify areas of risk and the rapid gains the team can achieve over a 1-2 year period. While pursuing strategic cultural transformation, managers also need to set expectations about the projected decline in the rate of maturity gains as the organization becomes more mature over time.
One of the largest areas of challenge for an organization in the middle of its journey is threat detection operations in a big data world, with complex, large-scale, dynamic assets and business operations. The risk is heightened for organizations that have made notable architectural changes, such as migration to work-from-home and cloud solutions during the 2020 pandemic. With a massive increase in data, the maturation of attacks, and new architectures including cloud and 5G, every executive must address these critical changes in light of the organization's security needs.
Industry leaders embrace frameworks as a way to systematically prioritize and drive change toward their desired maturity. Leaders are also able to handle much larger volumes of data and metadata far more efficiently than immature organizations, using more automated correlation, enrichment and enablement.
FAIR Institute. Jan. 29, 2020. “Cyber Risk Management Maturity Benchmark Survey Results Show Where There’s Room to Improve”, https://www.fairinstitute.org/blog/cyber-risk-management-maturity-benchmark-survey-results-show-where-theres-room-to-improve
Enterprise Strategy Group (ESG) and AT&T. July 23, 2020. “Assessing Cybersecurity Risk: Applying a standards-based maturity framework to assess the state of the market”, https://www.brighttalk.com/webcast/8887/423929/how-do-you-compare-to-peers-when-it-comes-to-cybersecurity-maturity