A Roadmap to Cybersecurity Maturity, Part 2: Am I Mature?

A new report from CrowdStrike® Services titled “Achieving Security Maturity: A Roadmap to Building a Robust Cybersecurity Capability” addresses the three questions organizations must answer if they are serious about improving their security programs: “Am I breached? Am I mature? Am I ready?” In Part 1 of this three-part series, I covered the first step — determining if a breach has occurred. In Part 2 —

 

“Am I mature?” — I discuss the criteria that will help you arrive at a comprehensive and accurate picture of your current cybersecurity maturity, so you can begin planning your way forward.

Assessing and Improving Cybersecurity Maturity

If you discover you haven’t been breached, consider yourself lucky. However, it doesn’t mean there are no areas for improvement. The second phase, assessing your cybersecurity maturity and learning how you can mature and enhance your defenses, is a critical next step. Even organizations with the most mature cybersecurity capabilities are constantly evolving and looking for ways to improve. It’s also important that your cybersecurity maturity goals align with your company’s profile, based on both threat information and risk — for example, who is likely to be targeting your industry, and what are the types of data and assets you need to protect? As the threat landscape shifts, so should your cybersecurity goals. CrowdStrike categorizes a cybersecurity program according to six key areas:
  1. Security foundations
  2. Prevention
  3. Detection
  4. Response
  5. Governance
  6. Threat intelligence

Together, these categories support each other, but each is also important in its own right.

The following offers a summary of each area, including what they involve and how you can accurately assess your organization’s capabilities in each. In Part 3, I’ll cover how simulation exercises and hands-on training sessions allow you to test the maturity of these capabilities, which is the key to answering the third question, “Am I ready?”

Security Foundations

To assess an organization’s security foundations, it’s important to delineate between cybersecurity and information security — terms that are often used interchangeably even though the concepts are quite different. Information security covers anything that protects information, spanning both the physical and cyber worlds. Cybersecurity, on the other hand, is more specific. Functions such as updating obsolete and end-of-life systems, installing patches and managing outdated devices are all part of an organization’s broader information security program. However, you will need to do these basics of information security well in order to build a successful foundation for your cybersecurity program with the capabilities described below.

Prevention, Detection and Response

Beyond having a strong security foundation, cybersecurity revolves around the core capabilities of prevention, detection and response. Assessing your capabilities in these areas involves accurately evaluating your organization’s ability to prevent breaches, while knowing that you’ll be unable to prevent every breach, and also understanding how well you can detect and respond to a breach that slips through. Today’s adversaries are continuously evolving their tactics, techniques, and procedures (TTPs), and prevention alone isn’t an adequate defense. To counteract the sophistication of today’s adversaries, it’s essential to invest in prevention, detection and response capabilities at three levels: people, process and technology.
  • People: Even if you have the right tools, without the right staffing, those tools become “shelfware.”
  • Process: Without processes that are consistent and repeatable, your organization won’t be prepared to take the necessary steps at the moment they are needed.
  • Technology: Without the right tools, you’re potentially bringing a knife to a gunfight.
These elements work together to arm your organization with the flexibility and expertise needed to counteract a cyberattack, although your level of proficiency is based on maturity. Too often, we see organizations refuse to invest in human capital, because they’ve already spent significant funds on tools. Unfortunately, that’s often a losing proposition: Without the appropriate monitoring and management, tools are much less effective. It’s also important to realize the role that time and practice play. Cyber “muscle memory” must be trained and exercised to ensure that your prevention, detection and response capabilities can function at an optimal level on a continuous basis.

Governance

One of the quickest ways for a cybersecurity program to fail is for it to operate without the support of others in the organization, especially those in leadership positions. With today’s constant barrage of headlines about cyber breaches, cyber risk is often at the top of a board’s agenda. However, when this heightened awareness is combined with a limited understanding of cybersecurity requirements, it can lead to a well-intentioned but poorly executed program. Unfortunately, we sometimes see organizations establish cybersecurity improvement programs, only to fail to follow through with the full implementation due to the lack of leadership support and necessary resources — leaving the risk unaddressed.

Threat Intelligence

The decision to invest in cybersecurity should be driven not only by what you think is valuable within your organization, but also by understanding how your data and information may be valued by potential adversaries. To achieve this perspective, CrowdStrike looks at an organization’s threat intelligence capability as the final element of an effective security program. In short, threat intelligence can be used to enhance prevention, detection and response capabilities, inform a robust governance model and ensure that basic security foundations are being addressed in a meaningful way. While it’s uncommon to find a mature threat intelligence capability in most organizations, companies mature enough to focus on anticipating threats typically leverage intelligence to give themselves an edge. Part 3 of this blog series on cybersecurity maturity will address the question, “Am I ready?”

Additional Resources

Breaches Stop Here