Regularly rethinking your cyber strategy is a must for cybersecurity teams. Changes in the threat landscape, regulations, business priorities, etc., call for an in-depth review of the action plan at least once every three years, or yearly if necessary.
To do this, you must understand your starting point and your position relative to the market. Wavestone’s cybersecurity maturity assessment framework, which currently has the support of over 100 international organisations, was developed with this conviction.
Discover how the CyberBenchmark works with Anthony GUIEU, the Cybersecurity Manager at Wavestone.
Hello Anthony. As a start, can you present CyberBenchmark in one sentence?
The CyberBenchmark is a comprehensive tool that allows companies to assess their level of cybersecurity, position themselves in relation to the market, and establish a roadmap, thanks to a questionnaire and a database of nearly 100 customers worldwide.
Why did you create the CyberBenchmark when there are already many frameworks in the market?
We created the CyberBenchmark because many of our clients were concerned about where they stood in relation to the market. Historically, our clients were looking for absolute ratings against known frameworks such as NIST or ISO. But now, they are very much interested in knowing their relative position within their ecosystem. Our CyberBenchmark allows them to deal with both of these approaches simultaneously.
CyberBenchmark also enables us to come up with slightly different angles of attack: there are issues on which our clients are not mature compared to the market, and prioritising these actions can make them progress. On the other hand, there are areas where they are not good and the market is also not mature; here the subject’s urgency must be put in context. Companies such as Gartner and Forrester provide general trends on major cyber issues, to which we add a concrete perspective based on our field observations with clients.
As soon as we built the CyberBenchmark, we realized that numerous competitors offer their own augmented versions of cyber security questionnaires. Our real added value is the market comparison: to date, nearly 100 clients have trusted us and been evaluated using this reference framework!
How does the CyberBenchmark work?
To have a coherent framework, we based ourselves on the existing frameworks, i.e., the security standards as per the market: ISO 27001/2, NIST, etc. This was necessary because our clients used these standards for assessing themselves. We added a questionnaire with our own feedback from the field to refine the maturity levels by theme.
One of the added values of the CyberBenchmark is the granularity of the evaluation. It allows each perimeter to be measured precisely in relation to its level of maturity. In concrete terms, it is possible to distribute the level of maturity for a given question across different levels: for example, 30% level 2, 60% level 3 and 10% level 4, which may be due to heterogeneous perimeters, initiatives in progress, etc. This enables us to quantify the value of projects that take a longer time to complete and are complex to implement over several perimeters, particularly in large groups, by materialising their progress.
Subsequently, each evaluation gives rise to a report in two parts:
- The first part is for top management, with budgetary ratios, human resources, and the level of maturity in relation to international standards.
- The second part is for the operational security staff; it identifies good and bad practices as well as the actions to be launched as a priority. The objective is to develop recommendations and concrete measures to elevate the level of the organisation.
When should the CyberBenchmark be used?
- In my opinion, this tool will be ideal for an organisation that wishes to rapidly identify its cybersecurity priorities
- The first results are quick: within a month, we were able to produce a deliverable for the Executive Committee that included specific action proposals
- It is one of the few tools in the market that offers a comparison with competitors
- Unlike the traditional frameworks, our questionnaire addresses both governance and operational concerns
The CyberBenchmark is also adaptable to all requirements and budgets:
- The “quick” approach requires only a few interviews. It is based on a declarative evaluation to quickly determine the company’s level of maturity and the projects to be launched
- The “complete” approach is based on an in-depth audit, dozens of interviews, a review of the evidence, and even additional technical tests (intrusion tests, Red Team, etc.)
Can you provide an example of a specific application of the CyberBenchmark?
To illustrate the “rapid” approach, we recently used it to support a large industrial group in initiating a security process and challenging its executive committee. After 2 months of work and 5 workshops, we were able to provide a clear vision of the structure’s cybersecurity level and project a target level for 3 years, which got accepted by the Executive Committee.
In terms of the comprehensive approach, over the last few months we have been working with a British bank to assess its general cybersecurity posture and level of compliance with the reference frameworks. We mobilised a team of 10 consultants in 3 different countries to conduct more than 50 workshops and collect evidence. With this we were able to provide concrete and reliable feedback on the level of security and to identify market-related investment priorities. Likewise, these elements are used in exchanges with their main regulators.
A final word?
Wavestone’s CyberBenchmark provides a broad view of the market’s level of maturity while delving deep into its specific technical subjects. This is what makes it a differentiating asset for our clients, as they can position themselves against competitors within their sector on each of their topics. The cybersecurity priorities then emerge clearly for the client, allowing them to set an effective cyber budget. It is a real cyber strategy accelerator that has been tried and tested by numerous clients!
We can easily generate statistics and trends using CyberBenchmark’s exclusive data: how many companies have deployed a security tool (EDR, bastion, probes, etc.), where they stand in terms of deployment, who is leading the market, and so on. According to the latest study on the maturity of French companies, the general level of maturity on our benchmark based on international standards (NIST CSF Framework and ISO 27001/2) is… 46%. Each year, we formalise our market knowledge and forecast strong sector and technical subject trends.
Finally, as you would have understood, the CyberBenchmark evolves and develops as it is used by new companies. We now have a database of over 100 companies, which will enable us to open a new category in January: “Luxury goods & Retail”, with more than ten companies with which we can refine the sector-specific analysis.