Recently, we participated on a webinar panel – What You Need to Know about the FFIEC Cybersecurity Assessment Tool – where audience members were asked the following question:
How would you rate your organizations’ cybersecurity maturity level today?
Possible options (taken directly from the FFIEC CAT) for the attendees were:
- Baseline – meets the legal minimum; compliance-driven objectives
- Evolving – risk-driven objectives in place; cybersecurity formally assigned and broadened beyond protection of customer info
- Intermediate – detailed, formal processes with consistent controls; risk management integrated into business strategies
- Advanced – formally assigned throughout the business; automation and continuous improvement
- Innovative – cutting edge practice potentially extending beyond firm
Interestingly, a majority of attendees put their organizations’ cybersecurity maturity level at “Evolving”.
There are two ways to look at this:
- The pessimist would say that organizations have a long way to go still with protecting information (the regular stream of data breach headlines back this up).
- A more positive outlook is that through real self-assessment, understanding where we are and where we need to reach is a good thing.
Many folks who aren’t in cybersecurity and/or don’t follow cyber-related news have an enormous false sense of security. People are too trusting and too curious. Cybercriminals know this and use it to their advantage. So it’s good to see that as security professionals many are taking a good hard look in the mirror and recognizing where we are at. Now the question becomes what do you do/where do you go from here?
Clearly doing the same thing over and over again isn’t working. Cybersecurity is not a technical problem, it’s a business problem in a technical venue. Cybersecurity should and can be viewed in the same way other parts of the business are run.
Another important self-assessment to make is knowing you cannot defend everything perfectly. There simply are not enough resources or budget to do so. Shifting from a reactionary mindset to proactive, data-driven intelligence approach can help you focus on your biggest cyber risk areas.
Look at data, analyze it, understand trends and make decisions. This approach is relied upon to run other areas of the business – it’s what business intelligence is all about. And it can be applied to cyber risk mitigation. The business and IT security sides of the house need to work together and look at cyber from a risk perspective. What are your high value targets (what would a “bad guy” go after and why?)? Then what vulnerabilities and threats are out there that apply to your targets?
Looking at your cybersecurity program and your risk posture through this lens can help you unearth big problems that are coming or identify active threats to your sensitive information and brand. An organization’s appetite for risk is fluid – when all is quiet on the cyber front, there is typically less urgency. That urgency level increases significantly if an organization is breached. But waiting for all hell to break loose isn’t usually a good strategy from a risk management perspective.
In spring, we’re told to change our batteries in the smoke detectors as a precaution. I’d suggest we take a step back and take an honest look in the mirror to see where we’re at from a security perspective and how we can use threat intelligence to drive more effective risk mitigation decisions.