How Do CSA Programs Miss the Mark Even with Extensive Resources?
It could be surprising when internal auditors do not perform or review Cyber Maturity Assessments (CMA).
CMA is a method to ascertain the maturity of business unit’s security program across policy, process, deployment, and capabilities/technologies. NIST, which is a widely used framework added Govern as a function in its CSF 2.0. There are ~22 categories in NIST framework that would enable a holistic understanding of the cyber posture i.e. strengths, resilience, and weaknesses. NIST is one of the frameworks but there are others such as SANS, CIS or a combination that is adoptable for assessments.
Over several years of doing CMAs, I have observed that the advantages are manifold 1. provides a baseline against which the evolution of cybersecurity controls can be measured 2. helps line 1 and 2 to deliberate on the areas where efforts and investments need to be channeled, as opposed to emotions. 3. moves away from disproportionate focus on “detect” by using various functions such as Govern, Identify, Protect, Respond, Recover that are equally important. 4. ability to compare maturity levels across different business divisions. 5. correlate between security controls and results with an integrated approach.
CMA has to be contextualized to the specific business /division, by studying its threat landscape and intelligence. Another watch out is the quality of CMA. Often, CMAs are done at a high level and may even give a false sense of security and assurance on the rating score. It needs to be well planned with adequate depth in execution.
There is a misconception that implementation of tools solves key problems. As a good practice, organizations should define measurable KPIs for all cyber security elements to ensure operating effectiveness of the tools or policies.
For example, a company may have the most advanced EDR solutions, but if the coverage and configurations are not adequate then the maturity of the Protect domain may not be high. Organizations are also constantly advancing the automation of CMA results depending on which stage of the journey they are in. Internal capabilities of line 2 and line 3 could pose some bottlenecks.
As the threat landscape rapidly evolves, new ideas can come from any corner. IA can take a lead or collaborate on CMA to have a shared understanding of risks and posture instead of a siloed view. Basis the CMA done by an IA function, the teams can identify specific areas to integrate into risk-based audit plans instead of vanilla mapping of audit areas “intuitively” to the risk headers of Line 2. Overall, this will be a more structured and comprehensive strategy to enhance Cybersecurity resilience of organizations.
Speak to us if you would like to perform a business-integrated, Risk-connected and practical CMA with actionable insights.
CEO & MD at Innowave360
Experienced Chief Internal Auditor, Chief Risk Officer and Controller – Large US, Europe and Asia listed MNCs
Copyright © 2024. All rights reserved.