Whilst the cybersecurity challenge is complex and ever-changing, organisations should be able to evaluate their capabilities and identify areas where improvement is needed. Sometimes, however, that mission can get lost in the day-to-day fight of staving off attackers. Overcoming these challenges involves a shared commitment among organisational and security leadership.
To build a cybersecurity program is to understand your business context, and how organisations can use this information to map out their cyber risk profile and identify areas for improvement. This requires an integrated approach to manage all aspects of an organisation’s cyber risk, holistically and efficiently. To effectively address both internal and external cyber threats, organisations need to be able to manage their information security program as part of their overall risk management strategy.
Identifying priority areas to begin the cyber target operating model journey
In a recent poll conducted at one of our online seminars, only 12% of our EMEA webinar audience and 31% from APAC said they were confident in understanding their organisation's type of data.
First, determine what data is most important to protect, where it resides, and who has access to it. You can then identify each responsible business function to create a list of priorities. We suggest mapping out as follows:
- All the types of data within your organisation
- All locations where the data resides, including cloud, database, virtual machine, desktops, and servers
- All the people that have access to the data and its locations
- The business function associated with each area
Once you have identified the most recurring business functions, you can list your priority areas.
Foundations to identify risk, protection, detection, response, and recovery
A cybersecurity program is built on the core foundations of the organisation. To operationalise cybersecurity within a targeted area, first you must assess the maturity of each foundation. A strong foundation will help your organisation be resilient under duress, whereas a weak foundation will need strengthening first. There are six core foundations of your cybersecurity program for any organisation:
A set of values shared by everyone in an organisation determines how people think and approach cybersecurity. Your culture should emphasise, reinforce, and drive behaviour to create a resilient workforce. Every security awareness program should, at minimum, communicate security policy requirements, and tracking employee policy acknowledgements ensures everyone is aware of the policy and helps you meet compliance requirements.
A quick response can reduce damages from an attack, and security awareness training teaches your workforce how to self-report incidents, malicious files, or phishing emails. This metric will prove you have safeguards in place, especially when you tailor security awareness training to employees' roles and functions to measure the effectiveness of each department.
Measuring the ability to identify, protect, detect, respond, and recover from cybersecurity risks and threats enables a robust operating model. The best approach requires an understanding of what your most significant risks are. Consider analysing the following examples:
- Phishing rate: A reduction in the phishing rate over time provides increased awareness of security threats and the effectiveness of awareness training. Consider a phishing simulation to document the open rates per business function to track phishing risks.
- The number of security breaches: Track and record the number of new incidents and breaches each month, which provides a percentage increase or decrease report.
- Mean time to detect (MTTD): Calculate how long it takes your team to become aware of indicators of compromise and other security threats. To calculate MTTD, take the sum of the hours spent detecting, acknowledging, and resolving an alert, and divide it by the number of incidents.
- Patching cadence: Determine how long it takes to implement application security patches or mitigate high-risk CVE-listed vulnerabilities.
- Mean time to recovery (MTTR): Take the sum of downtime for a given period and divide it by the number of incidents. For example, if you had 20 minutes of downtime caused by two separate events over two days, your MTTR is 20 divided by two, equalling 10 minutes.
A security goal generates the requirement for actions of an entity to be traced uniquely to support non-repudiation, deterrence, fault isolation, intrusion detection, prevention, after-action recovery, and legal action. The quality of your incident response plan determines how much time passes between assigning tasks to different business functions. Calculate the mean time between business functions aware of a cyber-attack and their response.
Also, calculate the mean time to resolve a cyber-attack once they have become aware by measuring how much time passes between assigning tasks to different business functions. Finally, record how internal stakeholders perform with awareness or other security program efforts to track the effectiveness of training.
Processes are critical to implementing an effective strategy, and they help maintain and support operationalising cybersecurity. To determine your increase in the number of risks, link the percent differences in the number of risks identified across the business monthly. Identify accepted risks by stakeholders and vendors monthly and hold regular information security forums between business functions to review levels of progress. Also, document meeting notes and actions for compliance and internal reference.
Ownership of cybersecurity creates knowledge to manage, maintain and operate cybersecurity. When determining the effectiveness of resources, analyse what levels of training you give different levels of stakeholders. For example, administration training will differ from targeted executives. Calculate the engagement levels of input and feedback from previous awareness training and record positive and negative feedback. Also, ensure that different parts of the business have the required skill level and knowledge within the business function's scope, and use a skills matrix aligned to security domains to uncover stakeholders' hidden knowledge or skills gaps.
The automation of security tasks includes administrative duties, incident detection, response, and identification risk. Consider implementing automation in vulnerability management processes internally and externally to the business, and detect intrusion attempts and malicious actions that try to breach your network. Finally, automate patch management actions on all assets within scope by assessing the number of patches deployed per month based on the environment.
A journey that delivers outcomes
A cyber-targeted operating model is a unique approach that provides defensibility, transparency, and accountability. Defining a target model in terms of the foundations of your organisation will bring together a holistic view of the future of your organisation's security posture. By identifying the most critical business functions and defining a process for each foundation, you can methodically improve cyber maturity.