
Comprehensive, Risk-Based Cyber Resilience: The Time is Now

Author: Matt Loeb

If you attend a number of industry conferences, it is almost guaranteed that you will hear the cliché question “What issue keeps you up at night?” posed to enterprise security executives on stage.

While the question may be monotonous, the responses can trigger lively exchanges, especially in today’s cybersecurity landscape. The proliferation of connected devices, ransomware attacks, insufficiently trained security teams, a shortage of security personnel, rapid changes to the threat landscape, and the need to respond to board concerns are just some of the many relevant issues raised by those who answer that seemingly “routine” question.

But there’s nothing routine about it. Thanks to the moving target of the rapidly changing threat landscape, many CEOs, CIOs, CTOs and board members themselves are having some restless nights. As if the volume and complexity of security risks weren’t enough, most of these stakeholders are unsure of where their organization stands in its cybersecurity capabilities and resilience. Absent that fundamental understanding, how can boards of directors effectively assess critically important investment decisions to strengthen an organization’s security posture? How can directors on those boards gain assurance that the organization is taking the steps necessary to enhance its cybersecurity resilience and mitigate the risk of attack, and have confidence in the organization’s capability to respond to an attack should one occur?

Assessing the strength of cybersecurity programs – people, processes and technology – must be viewed through the lens of enterprise risk and measured by maturity, all with the objective of building organizational cyber resilience. Risk scenarios should be evaluated in terms of likelihood and business impact. Based upon the risks that rise to the highest level of concern in that context, the capabilities most important to mitigating those risks can be identified. Importantly, establishing sound audit processes must be an integral part of ensuring that the chosen mitigations are actually in place and working.

Many organizations rely upon outdated compliance frameworks to reduce risk. This approach has proven insufficient, as evidenced by ISACA research showing that less than half of security leaders are confident in their organization’s ability to combat anything beyond simple cyber incidents. The reality is that most are ill-equipped to conclude with confidence what their organization is or is not prepared to handle. A more comprehensive, evidence-based approach is urgently needed.

It is time for the industry to coalesce around a risk-based capability and maturity model for cybersecurity, one that draws on organization-specific evidence and analysis as a catalyst for strategic, purposeful action. One such assessment platform has been developed by the CMMI Institute, which ISACA acquired in 2016. CMMI developed its approach after hundreds of conversations with board directors, C-suite executives and other industry leaders. While each person came at the discussion from the perspective of their own industry experience, a common need emerged: produce a consensus-based model, grounded in the most appropriate and recognized industry standards, so organizations can understand their level of cyber resilience – and how to strengthen it – through a comprehensive, risk-based approach.

Organizations need guidance in framing the business case for enhancing their cybersecurity programs, and in prioritizing resources and investment so their programs focus on what matters most. The CMMI assessment platform, which will be released in April, does exactly that, while also providing organizations a road map for identifying gaps through evidence-based analysis. The platform will also enable organizations to benchmark their capabilities against peers in their industry and in their geographic areas. The results are board-ready, presented in plain business terms.

Recalibrating our approach to risk and security is only going to become more vital in the coming years, as suggested by unsettling new research on potential malicious uses of artificial intelligence. AI and other disruptive technologies will make the security landscape increasingly challenging going forward. Boards of directors are often characterized as being cavalier or apathetic about enterprise security. However, that assessment is unfair. The board conundrum is shaped by a combination of insufficient cybersecurity expertise and a lack of actionable information that would allow security risks to be integrated into the overall enterprise risk analysis.

Equipping enterprise leaders with a risk-based capability and maturity model represents a major step forward for those who seek an evidence-based understanding of where their organization stands on cybersecurity and what steps are being taken to fortify their programs and enterprise resilience. With a more quantified analysis of the enterprise’s current state, a road map to improved cyber resilience, and proper consideration of the financial investment needed to get there, the necessary due diligence on this complex, mission-critical area will result in improved oversight from board directors and confidence in their organization’s capabilities. Only then will leaders sleep better, knowing that their organization is on the most secure path possible going forward.

Matt Loeb is CEO of ISACA.