Strengthening cybersecurity maturity

Digital disruption has changed the game for government leaders. It has brought significant benefits to agencies, departments, councils and citizens, with more services being offered online.

But despite the benefits, there are challenges.

The push to digital services presents a wider attack surface for cybersecurity incidents, as well as greater complexity and a lack of visibility across the IT environment. And, with the current talent shortages, there is a lack of skilled resources to help implement and manage the transformation.

Without good levels of cyber maturity, government organisations may find service delivery is negatively impacted, resulting in a lack of confidence and trust among citizens, stakeholders and the wider community. To highlight this problem, in its 2020–2021 Annual Cyber Threat Report, the Australian Cyber Security Centre (ACSC) states that commonwealth, state, territory and local governments accounted for 35 per cent of all Australian cyber incidents.

Government organisations can no longer afford to simply guard against known threats; they must anticipate new developments, adjust their strategies quickly, and be prepared for potential attacks from every angle. This can be overwhelming, but it doesn't have to be if a pathway toward cyber maturity has been developed and the journey is underway.

Developing cyber maturity is not just about deploying tools; it's about implementing a complete strategy to protect your organisation from digital threats. This requires a rounded approach that includes people, processes and technology, and a deep understanding of the challenges government organisations deal with daily.

Achieving cybersecurity maturity isn’t something you can do overnight; it requires a significant amount of planning, prioritising, and coordinating. While this may sound daunting, consider that gaining maturity in your organisation’s security program is a journey, not a destination. It’s something that can be built incrementally, forging a strong path and adapting to the ever-evolving threat and regulatory landscapes.

It’s also important that cyber maturity is measured. Multiple frameworks, matrices and models exist, yet many are based on qualitative rather than quantitative measures. A natural place to begin measurement is the Essential Eight framework, which outlines a minimum set of preventative measures. While it helps to mitigate cyberthreats, this framework does not cover them all. As such, additional mitigation strategies and security controls should be considered, including those from the Strategies to Mitigate Cyber Security Incidents and the Information Security Manual.

Below are five steps toward strengthening and measuring your cyber maturity:

1. Assess and identify your challenges

Understanding your current level of cyber maturity and the challenges you face provides a view of your current security posture, an objective review of existing plans, and a guide to strategic planning. For example, are you dealing with managing risk, complexity, a lack of visibility, or lack of resources?

2. Have a plan

You won’t make progress if you don’t have a plan. You can’t throw money at a security program and hope to achieve well-rounded, comprehensive results. Even the most well-funded organisations still have room to grow and learn because the threat landscape is constantly changing.

For example, while you may have a strong endpoint security program today, a new threat may emerge that you haven’t prepared for, or a new technology could crest the horizon and change your entire approach to locking down devices. The good news is you likely don’t need to invest in the priciest or fanciest security tools to achieve a mature cybersecurity program. Instead, develop a plan that brings the right people, processes and technology together to achieve maturity across the organisation, which starts with prioritisation and understanding what matters most.

3. What matters most?

What is your organisation worried about most? Is it a specific threat? Service disruption? Fines? Damage to reputation and loss of public trust? Begin by identifying your risks and shape a security plan around it. It pays to prioritise and refine the list of controls you need to put in place, focusing on the data that matters most and what is most attractive to attackers. And, as your security strategy grows in maturity, you can reassess your objectives accordingly. It should adapt with the landscape — never staying stagnant — to keep up with the latest threats.

4. Track progress

When measuring your progress, it can be difficult to assess what specific metrics provide value. It should start with the functions and data that matter, so the metrics are more relevant and meaningful to your stakeholder. A variety of metrics are crucial, reflecting what’s important and valuable for your security maturity program, and creating a culture that values honesty over metrics. Things will go wrong — and when they do, the underlying issue needs to be quickly identified, even if it could impact how positive your metrics are at the end of the year.

It’s also critical to supplement certain metrics with additional context from others to paint a better picture. Security metrics are often complex and intricate — one positive measurement is not emblematic of the success or maturity of your entire security program; therefore, it’s important to communicate this to your leadership team, which may have become overly focused on single values.

5. Utilise frameworks

Various frameworks and matrices are a useful guide to help gain measurement around the strength of your organisation’s cyber maturity and effectiveness. Basing your plan on relevant regulations or compliance standards will help you make decisions on which of the components of the framework you can use to accomplish your security goals and requirements. And while cyber environments constantly evolve, it’s important to try to gain quantitative measurements where possible. There are several important frameworks to consider, including the aforementioned Essential Eight, which is published by the Australian Signals Directorate, along with additional mitigation strategies and security controls it shares. There are also state-based frameworks available online.

Given the challenges government organisations face, going it alone isn’t always an option. Instead, we recommend you equip your organisation with the visibility, analytics and automation you need to strengthen your cyber maturity.

If you haven’t embarked on your cybersecurity maturity journey yet, you should make it a priority to begin. When in doubt, focus on risk reduction first. Once you have achieved that to the point where the organisation is accepting the remainder of the risk, then you can begin moving toward efficiency. Mitigating, transferring, or accepting risk are the core actions of both risk-reduction and efficiency, and as such they must be a continual focus as new threats, technologies and regulations emerge.

Image credit: ©stock.adobe.com/au/suebsiri