We need to get our maturity levels up December 12, 2016 Most SMEs acknowledge the importance of cybersecurity. A large majority even has the right tooling in place for cyber protection. Surprisingly enough, we all have a low cybersecurity maturity level. What are we doing wrong? A couple of years ago, AMS researcher Yuri Bobbert did a survey with more than 100 companies and their average maturity level was 2 on a scale from 1 to 5. It even decreased to 1.8 in a follow-up study. Further research learned that most SMEs fail at the typical governance disciplines like regulation, policies, business continuity management or information security management. Which is odd, as we are all investing in frameworks like COBIT, NIST and ISO 27000 to implement governance into our organisations. “That’s a large part of the problem”, Bobbert said at our latest CIO café on cyber security. “Companies fail at information security because they get lost in the wide variety of frameworks and their exhaustivity too. The trick is to combine one of the frameworks for increased structure with – less academic – best practices from practitioners.” Companies fail at information security because they get lost in the wide variety of frameworks Practice complements theory In his 2010 book Maturing Business Information Security, a framework to establish the desired state of security maturity, he focused on seven security principles companies must adhere to in order to mature their security level. “These still stand today”, Bobbert explained. “But they are … a bit obvious in current cyber security. Therefore, I’m continuously on the look-out for additional critical factors that prove to contribute to implemented frameworks.” Three tips from real life From his work as a CISO, the academic researcher distilled three critical factors to convince the board to invest in cyber security and subsequently allow you to improve your maturity level. Get your facts together. What to do when your board doesn’t believe information security is to be put so high on the agenda? Get your facts together. Know why you claim more budget, don’t rely on common gut feel or vendor reports. Be aware of the amount of attacks you are undergoing every day: is it 5, is it 5,000 or 50,000? Knowing the numbers will help you to build your story towards your board, and convince them to invest in cyber security. Value your assets. Make your investments in your information security tangible. Yuri Bobbert: “I once succeeded to integrate our work in cyber protection in the annual report of the company I worked for. Before that, the annual report was rather a financial document, but I managed to convince the CEO it was important to write and prove how our cybersecurity protected our end customers’ assets. It was critical in order to make cybersecurity part of the company’s DNA and it clearly made people more cyber aware.” Demystify your jargon Don’t talk about the necessity of logging and monitoring software to your board. Use the same language as the CXO. Translate information security to a business model like Michael Porter’s five forces analysis. On Sandra McCarthy’s balanced scorecard, you have four perspectives for your organisation: financial, internal, external and innovation. What’s the impact of cyber security on each perspective? How do external parties perceive the security of your company, according to www.internet.nl? Faulty cyber security impacts the value of your company Complement the theory of the frameworks you use with the feedback you get from your customers, from your peers. Cyber security impacts your company’s success,… but also failure: 60% of the hacked companies won’t survive within 18 months after a breach. It also impacts the perceived value of your company. Analyst firms increasingly rate companies on their ability to manage security risks. As cybersecurity is a rat race, the critical factors for a successful security strategy are continuously changing. The industry is currently looking at automation of manual, high fault tolerance tasks like access rule or firewall verification, for instance. In his book How safe is my share?, Yuri Bobbert advises how to safeguard your reputation, trust and the operational continuity that cyber insecurity jeopardizes. It includes twenty concrete business cases, explains how to manage cyber security within the board room and depicts the CISO of the future. We need to embed business information security in our organizations and get those maturity levels up. It will allow us to embrace the breach, safeguard our respected businesses and undoubtedly our positions, too.