How to Measure Organization’s Cyber Maturity

A much talked about topic today; does it ring a bell for you too? Have you also heard about Cyber Security? I am sure you have if you are related to technology in some form or the other.

I wonder why the big giants, all the Big 4s, are talking about it and designing their services around Cyber Security.

What is Cyber Security? Do we need Cyber Security? Are we not there yet? Some of these questions are in my mind, and I am sure in yours too.

The increasing number of devices around me makes me think, and at times I wonder: do I need them, why do I need them, can I not live without them? The answer is both No and Yes.

No is the answer that many will choose, and so did I; however, on the other side, Yes is also prevalent. The big question is: do I really want these devices around me?

Imagine the era when the landline phone was in one of the houses and everyone used a PP number. I am sure some will have a smile on their face, as I too used a PP number to be accessible.

People say times have changed and that it has forced us to have these devices and high-tech gadgets around us. I think it's us who need more and more every day; it's not the time or the technology, it's the humans who have the uncontrolled need for innovation and for the comfort of everything, which is giving rise to these devices and gadgets.

It's like if Apple has the 5S as the latest phone... darn it, the 6S is bound to be released; it has become the minimum expectation of people now. These days the definition of events that happen by the course of nature has changed: earlier it was that winter will come after summer; nowadays we talk about the next version before the current version of any device is in the market.

Today all my dear friends and technology experts have a serious concern about security. A decade ago, to ensure security, all that was required was to focus on building a secure digital fort around the in-house enterprise IT infrastructure, which included servers, network architecture and employee PC workstations, all of which were on premise and hence easier to monitor and control within the physical walls of the enterprise.

Today all CISOs/CIOs are facing vast security challenges due to the hurried evolution in the volume and variety of information across multiple devices, platforms and infrastructure, and increased connectivity to third parties.

These devices will keep growing more and more, the Management will always ask for more and more efficiency and business from employees, and CISOs will keep adding security measures and infrastructure, making the layer fat and complicated.


What’s the solution?

Well, there is no perfect answer to this long-lasting debate, and neither will there be one in future; it will keep getting more complex every day.

I believe that many organizations need to change their outlook on cyber security. They should do this by playing on the strengths rather than the fears; investment should be balanced between risks and potential impacts.

Some of the following ways, if adopted, may help us control the risk in a big way; it is essential that organization management takes leadership in:

  • Resource allocation to deal with Cyber Security – experts
  • Strong governance, monitoring and control mechanisms
  • Building the organizational culture and awareness – MOST IMPORTANT


Are we heading in the right direction?

Organizations are running for 100% security, best-in-class security through heavy investments, and having to be world class; these are some of the trends that I have observed.

As a CISO, you want to know whether your organization has an adequate approach to Cyber Security; do you have a view of the organization's Cyber Maturity?

It's the ecosystem of the organization that plays the major role; I would say it is these 6 pillars which tell the maturity.

  • Management – Display ownership; onboard the right people, the experts.
  • Information Security (ISMS) – How effective are the current risk controls and the management of information throughout the organization?
  • BCM – Disaster Recovery – How prepared are you, and to what extent are you able to prevent or minimize the impact through crisis management?
  • People – What is the level of involvement and integration of skills, education, culture and knowledge?
  • Service Delivery – What level of controls is implemented to minimize operational impact?
  • Legal & Compliance – Comply with legal and regulatory requirements to minimize the impact.

There can be many ways to protect and assess the Cyber Maturity of the organization, but the most important thing is that it should be on the radar.

You can also refer to some of the following additional information:

  • Standard of Good Practice – Information Security Forum (ISF)
  • NERC – North American Electric Reliability Corporation. NERC has created many standards. The most widely recognized is NERC 1300, which is a modification/update of NERC 1200. The newest version of NERC 1300 is called CIP-002-3 through CIP-009-3 (CIP = Critical Infrastructure Protection). These standards are used to secure bulk electric systems, although NERC has created standards within other areas. The bulk electric system standards also provide network security administration while still supporting best-practice industry processes.
  • NIST – National Institute of Standards and Technology
  • ISO 15408 – This standard develops what is called the "Common Criteria". It allows many different software applications to be integrated and tested in a secure way.
  • ISA/IEC-62443 (formerly ISA-99)
  • ISA Security Compliance Institute – Related to the work of ISA 99 is the work of the ISA Security Compliance Institute.
  • IASME – IASME is a UK-based standard for information assurance at small-to-medium enterprises (SMEs). It provides criteria and certification for small-to-medium business cyber security readiness. It also allows small-to-medium businesses to provide potential and existing customers and clients with an accredited measurement of the cyber security posture of the enterprise and its protection of personal/business data.


Let me know your thoughts on it; feel free to add to it for the betterment of the subject.
