In my previous blog, I outlined why enterprises need to take a new, holistic approach to cybersecurity; one which protects organisations’ most important assets from the inside out. Measurement is key to this approach. If you want an effective cybersecurity strategy, you need to understand the performance of the security measures you have in place. This isn’t easy: Defining high performance objectively requires a broad view of capabilities. Here, I’d like to present some guidance to get you started.
Benchmarking security performance
The first step is achieving that all-important measure of performance. We’ve developed an index which does just that. For the index, we assessed performance across 33 cybersecurity capabilities to help you benchmark your existing security strategy. The range of the capabilities we assess is much broader and business-focused than typical audits, and spans seven domains: business alignment; cyber response readiness; strategic threat context; resilience readiness; investment efficiency; governance and leadership; and extended ecosystems.
To ensure we captured a clear and objective measure of performance, we outlined three levels of competence—“no or limited,” “average,” and “high”—and defined what each level means against each of the 33 criteria. To build business confidence and drive secure growth, companies like yours can use the index to identify areas of poor performance and use that information as the basis of a new approach.
Improving cybersecurity in six steps
When preparing the index, we spoke to some 2,000 executives about their current performance and found most could only report levels of confidence in 11 out of the 33 areas we identified. Businesses need to take immediate action to enhance their security strategies. Here are six recommendations for how you can go about doing just that:
Define cybersecurity success – First, you must improve the alignment of your cybersecurity strategy with your business goals. This involves reframing cybersecurity perceptions around business impact, using mitigated financial loss as a key metric.
Pressure-test capabilities – Don’t just hope for the best: Engage in simulations to assess how well your capabilities can withstand a sustained and targeted attack, employing the services of “white-hat” hackers if appropriate.
Protect from the inside out – Prioritise investment in securing your most strategic business assets, your ‘crown jewels’, where the effect of a security breach would be most harmful. Focus on stopping the internal incursions that really matter.
Keep innovating – Invest in flexible, dynamic programmes that allow you to continually innovate and stay ahead of potential hackers.
Involve the whole business – Security should be everyone’s job. Prioritise training to ensure your staff are aware of threats and can act as a first line of defence.
Lead from the top – Ensure that CISOs have a voice in the boardroom and are able to help coordinate a top-down approach to security that highlights its role in protecting corporate value.
Embrace these steps and you’ll find you’re able to better secure the business and position it to thrive, even in the face of today’s complex threat landscape.