
Building a security assessment system that is suitable for an ever-changing threat landscape

Henry Lawrence
29 Jun 2022

Why organisations are increasingly adopting an integrated, risk-based approach to security assessments

Maturity assessments have been a mainstay for measuring the effectiveness of an organisation’s security function. The primary outcome of these maturity-based activities is to measure how effectively cyber defence activities protect an organisation’s assets and to expose gaps which need to be plugged to improve the organisation’s overall posture.

These assessments are often a ‘once-and-done’ exercise, providing a snapshot of the current security status in any given year. They sit on top of the multitude of other security and compliance assessments which security departments complete. This is not fit for purpose in an ever-changing threat landscape.

While maturity remains the focus of most organisations’ security assessment activity, organisations are increasingly interested in finding strategic and focused outcomes from their assessment activity. A recent report from the Information Systems Audit and Control Association (ISACA) stated that risk-based approaches ‘can pinpoint exactly where you need to have the most mature part of your cybersecurity capability… to help you move forward your capability maturity’.
This drive comes from two primary factors:

  • Externally, there is an evolving threat landscape, requiring organisations to understand their vulnerabilities and how these relate to the strength of the cyber campaigns aimed at exploiting their weaknesses
  • Internally, there is a desire to invest in targeted security programmes which will uplift the most important controls to protect the most critical assets

This new lens for security means that many organisations recognise that they don’t need to invest in expensive tooling or embed exhaustive processes across their entire security estate. Rather, by assessing the threats they face and the controls that matter most, they can ‘right size’ security measures to meet their needs.

This approach needs to be continuous and dynamic. Threats are ever changing, and the only way to ensure that we are focusing on the right areas is to have a flexible and dynamic assessment system that organisations can adapt. Organisations need not only to shift their focus to risk but also to invest in the tooling to advance their security assessment activity.

This culture shift can be witnessed in the new Cyber Assessment Framework (CAF) developed by the National Cyber Security Council (NCSC). As outlined in the Government’s latest Cyber Security Strategy, the framework is specifically intended to ‘provide a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible’. Organisations don’t necessarily need to adopt the CAF as a separate assessment; they can map and integrate it with existing tooling, providing a risk lens to assessment activity that focuses on the gravest threats facing the organisation.

The maturity assessment model still has its value, but organisations should push to align these activities to risk-focused frameworks such as the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF). Such frameworks propel organisations’ security services by providing more prescriptive guidance on ‘how’ security is done. They help to drive a more holistic and common approach to security risk management, monitoring and reporting, while integrating other compliance requirements as necessary.