In a recent report, the Philippine government’s Department of Information and Communications Technology (created in 2016) outlined a scale of cyber resilience based on an A to E grading system. With ‘A’ being the most robust in terms of cyber security maturity and ‘E’ being the weakest, it placed the Philippines in class D. The reasoning behind this grade is that the country responds to attacks reactively, using only the tools and technologies already available. It does not proactively seek out vulnerabilities and exploit them to ascertain the extent of a weakness, nor does it deploy cutting-edge strategies or prepare remediation processes to address issues ahead of time.
This reactive approach is not limited to the Philippines. Far from it. The same description applies to a frightening number of organisations across the globe. Those who simply react are always behind the curve, attempting to patch and mitigate the impact of attacks on an ad hoc basis. An immature organisation focuses simply on prevention and regulatory compliance, but with limited co-ordination, using basic technology and simple configurations.
In contrast, those with cyber maturity demonstrate their vigilance by employing a proactive strategy rather than simply waiting for a breach to occur. So what are the characteristics of cyber maturity?
- To begin with, in a mature organisation, cyber security is not seen as something that should be done, but is already embedded within the fabric and culture.
- Information and cyber security is not the responsibility of an overstretched CISO, who reports only to the head of the IT department. It is in the hands of a CISO who is well resourced, supported and who exerts confident influence at board level.
- Information security policy and testing are documented and formally structured, with automated tools regularly scanning systems and web applications to identify vulnerabilities proactively.
- A mature organisation has an enterprise security technology architecture built in and a strict focus on incident prevention, detection and response, regularly undertaking advanced, manual penetration testing to uncover weaknesses in an ever-changing scope.
- Business Continuity and Disaster Recovery Planning are integral to a mature organisation, together with the associated training across all staff, not just those within an IT or infosec department.
Our recent blog post on the topic of the NHS’ response to WannaCry highlights a ‘work in progress’ but certainly an admirable move towards cyber security maturity. Their plans centre around Test and Exercise methods, and are inclusive of annual Red Team Engagements to push their plans to the limits and ensure complete peace of mind.
SRM’s Test and Exercise (T & E) team works with organisations of all sizes and types to achieve cyber maturity. Drawing on wide experience in other areas of information security consultancy, the T & E programme is not conducted in isolation but within the wider context of a client’s business activity. Every project is bespoke, and our team includes consultants who are CREST ethical security testers as well as those holding the Offensive Security Certified Professional (OSCP) qualification. Additionally, we often work with CISOs and organisations to develop and implement proactive, robust and innovative T & E plans.
For more information on our T & E team, visit our website.
See a recording of our webinar: Incident Response & Forensic Expertise – would your business survive a cyber attack or security breach?