When it comes to bringing cyber safety and resilience to all parts of your organization, there is no silver bullet. Achieving cybersecurity maturity isn't something you can do overnight — it requires a significant amount of planning, prioritizing, and coordinating across the business.
While this might sound daunting, just remember that gaining maturity in your organization's security program is a journey, not a destination. It's something you need to whittle away at by building a strong path and adapting to the ever-evolving threat and regulatory landscapes. And you don't have to do it alone.
On Thursday, November 4, three members of Rapid7's team — Wade Woolwine, Principal, Information Security; Erick Galinkin, Principal Artificial Intelligence Researcher; and Bob Rudis, Senior Director - Chief Security Data Scientist — sat down to discuss the path to effective cybersecurity maturity, including how organizations can start that journey and how to measure progress along the way.
Begin with a plan
Bob started the discussion with apt advice: “You're not going to make progress if you don't have a plan.”
In other words, you can't throw money at your security program and hope to achieve well-rounded, comprehensive results. Even the most well-funded organizations still have room to grow and learn when it comes to security, because the threat landscape is constantly changing. While you might have a strong endpoint security program today, a new threat may emerge tomorrow that you haven't prepared for, or a new technology could crest the horizon and change your entire approach to locking down devices.
While it's nice to have the shiniest toys to play with, you may not need to invest in the priciest or fanciest security tools on the market to achieve a mature cybersecurity program. Instead, develop a plan that brings the right people, processes, and technology together to achieve maturity across the organization.
And that all starts with prioritization.
Identify what matters to your organization, and prioritize accordingly
If you haven't started your security journey yet or you're still in an early stage of development, you may not know where to begin. Wade suggested the following: “Begin with a threat.”
What is your organization worried about the most? What threat is specifically endangering your organization? For example, if you're in the healthcare or financial services industry, you may be particularly concerned about someone accessing and stealing personally identifiable information.
Identify the risks facing your business and shape your security plan around them. As Wade said, “Whittle down the list of things you want to implement. You need to prioritize and refine the list of controls you need to put in place, focusing on the data that matters most to the business and is most attractive to attackers.”
Doing this will help you get started, and as your security strategy grows in maturity, you can reassess your objectives accordingly. Your strategy should adapt with the landscape, never staying stagnant, to keep up with the latest threats.
Keep track of your progress
When it comes to measuring your progress, it can be difficult to assess what specific metrics provide value. Once you start optimizing for one particular thing, it can become the sole focus, which means you may lose sight of other important factors.
Erick and Wade talked about this at length. “You want a variety of metrics,” Erick said. “Your metrics need to reflect something important and valuable for your security maturity program.”
Continuing this line of thought, Erick touched on how this ties into your security culture: “In security, it is so important to breed a culture that values honesty over metrics.” Things will go wrong, and when they do, it needs to be marked down, even if it may affect how positive your metrics are at the end of the year.
Wade had similar advice about metrics, saying that you need to decorate certain metrics, like mean time to respond (MTTR), with others to paint a better picture. Security metrics are often complex and intricate — one positive measurement is not emblematic of the success or maturity of your entire security program, and it's important to communicate this fact to leadership who may get overly focused on single values.
Head to our 2022 Planning series page for more – full replay available soon!
Base your plan on existing frameworks
Finally, if you don't have particular regulations or compliance standards to adhere to in your industry, Wade and Erick suggest basing your security maturity program on the National Institute of Standards and Technology's Cybersecurity Framework.
As Wade said, “It's a good guide to help you make decisions on which of the components of the framework you can use to accomplish the security goals and requirements you need to achieve for your organization.”
When in doubt, focus on risk reduction for the business. Once you have achieved risk reduction to the point where the business is accepting the remainder of the risk, then you can focus on efficiency. These are the two core phases of security maturity, and organizations will continually go back and forth between these stages as new threats, technologies, and regulations emerge.
If you haven't embarked on your cybersecurity maturity journey yet, you should start it. Make it a priority for your business to protect against attacks and the evolving cyberthreat landscape, and use these tips to help you along the way.
For the full discussion that goes in-depth on all of the above and more, visit this link. The on-demand recording of this session will be available soon, and the first webinar recording is available now.
Stay tuned for the third and final installment in our 2022 Planning webcast series! Next up, we'll be discussing how an experienced CISO approaches planning, from thinking about priorities and allocating resources to getting buy-in from leadership and the entire business. Sign up today!