This article is the fifth in a series of articles by NAV CANADA Vice-President and Chief Information Officer Claudio Silvestri about talking to your board about cybersecurity.
Assess how mature your processes and technologies are, and how you compare to others
Among the many questions Boards have regarding cybersecurity, the one that seems to be of most interest is: Are we doing enough and how do we know if we’re doing enough? It’s a straightforward question with no easy answer.
However, if you interpret this question with the perspective of defining your cyber maturity level, you can provide a very clear answer and develop your go-forward strategy, priorities, and investment plans.
Assessing your maturity level is one the most important things you can do to help your Board understand and appreciate what you’re doing and why. It will be the basis for things you need to do, while at the same time satisfying the Board by providing a third-party opinion on your cyber posture.
While you could perform a self-assessment, I would not recommend it, if at all possible. There are very good reasons for this:
- Leveraging a reputable third party satisfies the independent assurance requirements that Boards tend to rely on. This helps by providing another voice in the conversation that can speak with neutrality and objectivity. Sometimes, we get too close to things which erodes our ability to step back from our own work and assess its success.
- A third-party maturity assessment will be structured to reflect current practices and expectations. Everything about cybersecurity moves so fast that is hard to keep pace with the rate of change. You need a provider whose business it is to keep pace with the evolution of good cyber practices and reflect those in their assessment methodology.
- A good third party can provide benchmark comparisons to your industry to inform you and your Board on where you are relative to others. The comparison to your peer group can be a powerful thing, especially if you are in a highly competitive business or in an industry that has been plagued by breaches. While your provider will not be able to tell you who is in the comparative sample, the fact that they are in your industry provides you leverage with your Board if your organization is lagging behind.
- You can re-perform the assessment using the same methodology to demonstrate improvement on various aspects of maturity, along with your overall maturity rating. This will be of great value to you and your team, and will validate the good work you are doing to improve the overall maturity level of the organization.
At the same time, any lack of improvement can then be discussed with your Board in a transparent manner that demonstrates your diligence, and allows you to establish the need for changes in your approach or higher investment requirements. - You can use a maturity assessment to set targets either in specific areas or as an overall maturity level. This is very important in answering the basic question of whether the organization is doing enough. Most maturity assessments will allow you to demonstrate where you are on a spectrum, and give you a grade of some kind, providing, for example, maturity levels on a scale of 1 (ad hoc) to 5 (optimized). Remembering the rule of diminishing returns, the achievement of a level 5 can be very expensive, and going from a maturity level 4 to a level 5 can cost you more than what it took to get to a level 4. The question becomes: Is the achievement of a level 5 necessary for your organization or would a level 3 suffice?
In general, the requirement to have a level 5 cybersecurity maturity rating would apply to organizations in nuclear power management, the military, or within the intelligence community.
With this understood by your Board, you can then turn the question around by asking them where they believe the appropriate maturity level should be. A measurable goal has now been set for you. You can then proceed to develop or adjust your strategy, plan, and set investment requirements — all in support of a target set by your Board. Nice.
Next article in the series: “Cybersecurity essentials – Capabilities and gaps“