Earlier this year, SecureWorks sponsored the IDC IT Security MaturityScape Benchmark for Asia Pacific report in order to help business leaders understand and address the challenges of IT security, particularly in an age of digital transformation.
The benchmark study provides a comprehensive look at how organizations can assess and strengthen their security posture. I am going to focus on specific themes that proliferate throughout the report. The themes that are worth thorough examination include a risk-based approach to security and the role of security within the organization.
Evaluation Criteria for a Mature Security Program
IDC, a global provider of market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets, identified five dimensions that it considers critical to security maturity:
- Vision
- Risk Management
- Process
- People
- Security Technologies
Evaluating performance using these criteria, IDC placed the organizations surveyed into five different categories based on their security maturity. These categories, rated from least to most mature, are Ad Hoc, Opportunistic, Repeatable, Managed, and Optimized.
Eighty four percent of the Asia Pacific organizations evaluated fell into the bottom two categories, where organizations either applied only basic operational security measures on an ad-hoc basis (Ad Hoc) or followed a fundamentally compliance-based security program (Opportunistic).
During the study, organizations were also asked to self-assess their approach to each of the security maturity dimensions in the context of how they were able to leverage their security programs. Based on these assessments, IDC segmented organizations into two categories – “Survivors” and “Thrivers.”
What Does It Take To Thrive?
Survivors may be going through the motions in a security sense, such as implementing firewalls and adding anti-virus software, but a significant knowledge gap remains when it comes to understanding the value security brings to strategic business decisions. As you might expect, Survivors tend to cluster around the lower end of the maturity scale, with the largest number falling into the Ad Hoc category.
By focusing their security programs and resources on reactive tactics instead of taking a more deliberate, methodical approach, they are unwittingly accepting large risks on behalf of their organizations that leave them extremely vulnerable to common and new threats.
When organizations focus on compliance, they may be successfully acting in accordance with security standards, but this approach still presents challenges.
A compliance-based approach traditionally does not focus on the bigger picture needed to optimize a security posture. It is likely security budgets are prioritizing compliance tactics that may not be the most efficient use of resources. Unfortunately, Survivors often fall behind when it comes to vision.
As an organization’s security maturity advances, their ability to adapt increases, and they move more towards thriving.
Maturation not only means enhanced capabilities – organizations that progress through the maturity model have a strong understanding of the importance of risk management and are constantly and proactively on the lookout for the maximum risk reduced per unit cost.
This is often accomplished by focusing on executive buy-in, developing a risk-based model for a strong security framework, building their business with security in mind, and ensuring that their security framework is scalable.
Compliance Alone Is Not Enough
A compliance-based approach to security is a common starting point, but resting on “checking off the boxes” will keep your strategy firmly stuck within the Ad Hoc and Opportunistic stages of security maturity.
We all know it’s important to improve one’s security posture, but organizations don’t always know how to get beyond compliance.
Understanding how cyber risk fits into broader overall business risk calculations will almost certainly improve your security posture. After all, security risks also have implications for corporate reputation, regulatory fines, digital capital and intellectual property.
Still, there are many ways to expand upon a compliance-based approach and use it as a springboard to better security, such as using risk management processes to develop a strategy that incorporates compliance requirements into an organizational framework.
According to the IDC survey data, Thrivers, on the other hand, score highly on vision, which firmly places security into the context of overall business objectives, especially when making broader IT decisions.
Ultimately, Thrivers have struck the appropriate balance between short- and long-term visions. Companies can improve their maturity by engaging organizational stakeholders across departments and integrating security and risk discussions across the full breadth of the enterprise.
Process Planning Cannot Be an Afterthought
Thrivers actively take risk considerations into account, guiding how they prioritize their security programs.
As part of this risk-based process, understanding how cyber risk fits into broader overall business risk calculations will almost certainly improve your security posture. After all, security risks don’t just have security implications.
An organization that is dealing with the aftermath of a security breach may find itself suffering reputational damage, with a plunging share price and at risk of fines from regulators. Depending on the breach, its digital capital and intellectual property may be at risk.
At the very least, its eye will be off the ball in a commercial sense in the immediate aftermath. By considering these potential risks before an incident occurs, your organization will be in a better position to mitigate damage and more efficiently respond.
Understanding the broader implications of a data breach will impact how you manage risk within the operational environment, an essential component of the process dimension. Process for Thrivers could mean investing in more training, more monitoring and more proactivity, particularly when it comes to security patch management.
Most importantly, it requires organizations to prioritize and focus process improvements where they are most needed, constantly aiming to increase scope and automation while reducing risk at an acceptable cost.
Leveraging the Right People and Technology
Two additional dimensions contribute to IDC’s security maturity model – people and technology. Those are often the areas that get the most attention from Survivors, which can be attributed to the reactive nature of throwing technology and end-user training at the problem.
Thrivers use people and technology to enhance their security maturity too, strategically guided by the insights created by their focus on vision and risk management, especially when it comes to integrating support from the board.
IDC’s research showed more than 80% of respondents within the Asia Pacific region falling into the Survivors’ camp. Moving from surviving to thriving won’t happen overnight, but by adopting the key principles of a mature security model, the journey can be made one step at a time – it takes a commitment to focus on a holistic vision, a strong risk management culture, and buy-in and support from senior leadership.
For a pragmatic recipe for understanding your risk profile and moving past the Ad Hoc stage, this article about risk modelling can help.
About the Author
Andrew Matthews is ANZ Senior Marketing Manager at security solutions provider SecureWorks.