<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anthony GUIEU, Author</title>
	<atom:link href="https://www.riskinsight-wavestone.com/en/author/anthony-guieu/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.riskinsight-wavestone.com/en/author/anthony-guieu/</link>
	<description>The cybersecurity &#38; digital trust blog by Wavestone&#039;s consultants</description>
	<lastBuildDate>Thu, 19 Jan 2023 09:07:47 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/Blogs-2024_RI-39x39.png</url>
	<title>Anthony GUIEU, Author</title>
	<link>https://www.riskinsight-wavestone.com/en/author/anthony-guieu/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>One month to assess your cybersecurity posture!</title>
		<link>https://www.riskinsight-wavestone.com/en/2023/01/one-month-to-assess-your-cybersecurity-posture/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2023/01/one-month-to-assess-your-cybersecurity-posture/#respond</comments>
		
		<dc:creator><![CDATA[Anthony GUIEU]]></dc:creator>
		<pubDate>Mon, 16 Jan 2023 09:00:00 +0000</pubDate>
				<category><![CDATA[Cyberrisk Management & Strategy]]></category>
		<category><![CDATA[Interview]]></category>
		<category><![CDATA[Assessment]]></category>
		<category><![CDATA[CyberBenchmark]]></category>
		<category><![CDATA[Maturity]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=19438</guid>

					<description><![CDATA[<p>Regularly rethinking your cyber strategy is a must for cybersecurity teams. Changes in the threat, regulations, business priorities, etc., necessitate an in-depth review of the action plan at least once every three years, or yearly, if necessary. To accomplish this,...</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2023/01/one-month-to-assess-your-cybersecurity-posture/">One month to assess your cybersecurity posture!</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p style="text-align: justify;">Regularly rethinking your cyber strategy is a must for cybersecurity teams. Changes in the threat, regulations, business priorities, etc., necessitate an in-depth review of the action plan at least once every three years, or yearly, if necessary.</p>
<p style="text-align: justify;">To accomplish this, you must understand your starting point and your market position. Wavestone&#8217;s cybersecurity maturity assessment framework, which currently has the support of over 100 international organisations, was developed with this conviction.</p>
<p style="text-align: justify;"><strong><em>Discover how the CyberBenchmark works with Anthony GUIEU, the Cybersecurity Manager at Wavestone.</em></strong></p>
<p style="text-align: justify;"> </p>
<h2 style="text-align: justify;">Hello Anthony. As a start, can you present CyberBenchmark in one sentence?</h2>
<p style="text-align: justify;">The CyberBenchmark is a comprehensive tool that allows companies to assess their level of cybersecurity, position themselves in relation to the market, and establish a roadmap, thanks to a questionnaire and a database of nearly 100 customers worldwide.</p>
<p> </p>
<h2 style="text-align: justify;">Why did you create the CyberBenchmark when there are already many frameworks in the market?</h2>
<p style="text-align: justify;"><strong>We created the CyberBenchmark because many of our clients were concerned about where they stood in relation to the market.</strong> Historically, our clients were looking for absolute ratings against known frameworks such as NIST or ISO. But now, they are very much interested in knowing their relative position within their ecosystem. Our CyberBenchmark allows them to deal with both of these approaches simultaneously.</p>
<p style="text-align: justify;">CyberBenchmark also enables us to come up with slightly different angles of attack: there are issues on which our clients are not mature as per the market, and prioritising these actions can make them progress. On the other hand, there are areas where they are not good and the market is also not mature; here the subject&#8217;s urgency must be put in context. Companies such as Gartner and Forrester provide general trends on major cyber issues, to which we add a <strong>concrete perspective based on our field observations with clients.</strong></p>
<p style="text-align: justify;">As soon as we built the CyberBenchmark, we realized that numerous competitors offer their own augmented versions of cyber security questionnaires. <strong>Our real added value is the market comparison: to date, nearly 100 clients have trusted us and been evaluated using this reference framework!</strong></p>
<p> </p>
<h2 style="text-align: justify;">How does the CyberBenchmark work?</h2>
<p style="text-align: justify;">To have a coherent framework, we based ourselves on the existing frameworks, i.e., the security standards as per the market: ISO 27001/2, NIST, etc. This was necessary because our clients used these standards for assessing themselves. We <strong>added a questionnaire with our own feedback from the field</strong> to refine the maturity levels by theme. </p>
<p style="text-align: justify;"><strong>One of the added values of the CyberBenchmark is the granularity of the evaluation.</strong> It allows precise perimeter measurement in relation to their level of maturity. In concrete terms, it is possible to distribute the level of maturity for a given question with different levels: for example, 30% level 2, 60% level 3 and 10% level 4, which may be due to heterogeneous perimeters, initiatives in progress, etc. This <strong>enables us to quantify the value of projects that take a longer time to complete and are complex to implement over several perimeters</strong>, particularly in large groups, by materialising their progress.</p>
<p style="text-align: justify;"><strong>Subsequently, each evaluation gives rise to a report in two parts:</strong></p>
<ul>
<li style="text-align: justify;">One part is for top management, with budgetary ratios, human resources, and the level of maturity in relation to international standards.</li>
<li style="text-align: justify;">The second part is for the operational security staff, who identify good and bad practices as well as the actions to be launched as a priority. The objective is to develop recommendations and concrete measures to elevate the level of the organisation.</li>
</ul>
<p> </p>
<h2 style="text-align: justify;"><strong>When should the CyberBenchmark be used?</strong></h2>
<ul style="text-align: justify;">
<li>In my opinion, this tool will be ideal for an organisation that wishes to rapidly identify its cybersecurity priorities</li>
<li><strong>The first results are quick</strong>: within a month, we were able to produce a deliverable for the Executive Committee that included specific action proposals</li>
<li>It is one of the few tools in the market that offers a <strong>comparison with competitors</strong></li>
<li>Unlike the traditional frameworks, our questionnaire addresses both <strong>governance and operational concerns</strong></li>
</ul>
<p><strong>The CyberBenchmark is also adaptable to all requirements and budgets</strong></p>
<ul style="text-align: justify;">
<li>The <strong>&#8220;quick&#8221; approach </strong>requires only a few interviews. It is based on a declarative evaluation to quickly determine the company&#8217;s level of maturity and the projects to be launched</li>
<li>The <strong>&#8220;complete&#8221; approach </strong>is based on an in-depth audit, dozens of interviews, a review of the evidence, and even additional technical tests (intrusion tests, Red Team, etc.)</li>
</ul>
<p> </p>
<h2 style="text-align: justify;"><strong>Can you provide an example of a specific application of the CyberBenchmark?</strong></h2>
<p style="text-align: justify;">To illustrate the &#8220;rapid&#8221; approach, we recently used it to support a large industrial group in <strong>initiating a security process and challenging its executive committee</strong>. After 2 months of work and 5 workshops, we were able to provide a clear vision of the structure&#8217;s cybersecurity level and project a target level for 3 years, which got accepted by the Executive Committee.</p>
<p style="text-align: justify;">In terms of a comprehensive approach, over the last few months, we have been working with a British bank to <strong>assess its general cybersecurity posture and level of compliance with the reference frameworks</strong>. We mobilised a team of 10 consultants in 3 different countries to conduct more than 50 workshops and collect evidence. With this, we were able to provide concrete and reliable feedback on the level of security as well as to identify market-related investment priorities. Likewise, these elements are utilised in exchanges with their main regulators.</p>
<p> </p>
<h2 style="text-align: justify;"><strong>A final word?</strong></h2>
<p style="text-align: justify;">Wavestone&#8217;s CyberBenchmark provides a broad view of the market&#8217;s level of maturity while delving deep into its specific technical subjects. This is <strong>what makes it a differentiating asset for our clients, as they could position themselves against competitors within their sector on each of their topics</strong>. The priorities in terms of cybersecurity would then emerge clearly for the client, allowing them for an effective cyber budget. It is a real cyber strategy accelerator, that has been tried and tested by numerous clients!</p>
<p style="text-align: justify;">We can easily generate statistics and trends using CyberBenchmark&#8217;s exclusive data: how many companies have deployed a security tool (EDR, bastion, probes, etc.), where they stand in terms of deployment, who is leading the market, and so on. According to the <a href="https://www.wavestone.com/fr/insight/cyberbenchmark-ou-en-sont-les-grandes-entreprises-francaises/"><strong>latest study on the maturity of French companies</strong></a>, <strong>the general level of maturity on our benchmark based on international standards (NIST CSF Framework and ISO 27001/2) is&#8230; 46%</strong>. Each year, we formalise our market knowledge and forecast strong sector and technical subject trends.</p>
<p style="text-align: justify;">Finally, as you will have understood, the <strong>CyberBenchmark evolves and develops</strong> as it is used by new companies. We now have a database of over 100 companies, which will enable us to open a new category in January: <strong>&#8220;Luxury goods &amp; Retail&#8221;</strong>, with more than ten companies with which we can refine the sector-specific analysis.</p>
<p style="text-align: justify;"> </p>
<p style="text-align: justify;">If you are interested in positioning your organisation within the market, please do not hesitate to contact me or one of our experts. We will be able to guide you through this process. <a href="https://www.linkedin.com/in/anthony-guieu-5b699458/">LinkedIn</a></p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2023/01/one-month-to-assess-your-cybersecurity-posture/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>How to effectively evaluate your cybersecurity</title>
		<link>https://www.riskinsight-wavestone.com/en/2020/06/how-to-effectively-evaluate-your-cybersecurity/</link>
		
		<dc:creator><![CDATA[Anthony GUIEU]]></dc:creator>
		<pubDate>Tue, 30 Jun 2020 13:00:04 +0000</pubDate>
				<category><![CDATA[Cyberrisk Management & Strategy]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Analyze]]></category>
		<category><![CDATA[How-to]]></category>
		<category><![CDATA[ISO27k]]></category>
		<category><![CDATA[Level]]></category>
		<category><![CDATA[Maturity]]></category>
		<category><![CDATA[REX]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[Roadmap]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=13312</guid>

					<description><![CDATA[<p>Security managers often bring us in to evaluate their cybersecurity maturity level. We help firms analyze the return on investment for cybersecurity, properly allocating the budget, comparing level of security to that of others in similar sectors or common standards,...</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2020/06/how-to-effectively-evaluate-your-cybersecurity/">How to effectively evaluate your cybersecurity</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Security managers often bring us in to <strong>evaluate their cybersecurity maturity level</strong>. We help firms analyze the return on investment for cybersecurity, properly allocate the budget, compare their level of security to that of others in similar sectors or to common standards, and measure exposure to recent attacks.</p>
<p>But these projects are not only the work of systems security managers. They also come from executive committees who seek a <strong>360 view of the security of their institution</strong> to better evaluate potential risk. So, what are the key success factors that we have seen in the field?</p>
<p>&nbsp;</p>
<h2>Step 1: Know the purpose and expectations of your evaluation</h2>
<p>Evaluations can have entirely different <strong>levels of depth</strong>. From a high-level interview with the Chief Security Officer to an in-depth assessment of the security mechanisms and processes of all the subsidiaries of a multinational group, everyone can choose their areas of focus and advance step-by-step.</p>
<p>Our first advice is to <strong>keep in mind the objectives of your evaluation</strong>. This will allow you to orient yourself toward the right security benchmarks and ultimately define the depth of the evaluation. Do you only want to measure the security maturity of your subsidiary’s information systems or also its efficiency? Perfectly documented security processes and an ISO 27001 certification can unfortunately hide problems on the ground that can expose you to vulnerabilities. It can be judicious to combine a technical test (pentest, red team, etc.) with the evaluation in order to <strong>avoid situations that seem fine on the surface but hide underlying issues</strong>.</p>
<p>&nbsp;</p>
<h2>Step 2: Find and mobilize the right people at the right level, easy to say but harder to do…</h2>
<p>The next difficulty that you can encounter in your assessment is to succeed at meeting the right people. From experience, we advise you to confirm your list of the necessary collaborators as soon as possible.</p>
<p>Logically, this list will certainly depend on the granularity of the analysis but also on the organization of the business. For example, the necessary people will differ if the security staff are at the group level and function as a service center or if they are merged into each entity and service. Consequently, if you want to have a high-level estimate first, it could suffice to only have a half day exchange with the Chief Security Officer, who generally has a sufficient and global vision of the subject.</p>
<p>The second stage of analysis can be performed by gathering information from all actors involved in cybersecurity at the group level. At this stage, it can be useful to meet a large group of people involved in information systems and the cloud.</p>
<p>Finally, when the assessment must be thorough and exhaustive, it becomes necessary to widen the list of collaborators to all of the concerned entities. Obviously, you should expect a larger workload, so do not skimp on preparation and tools to help you in your work. It can also be the right moment to think about your presentation format: face-to-face, distance, strategic, operational, etc.</p>
<p>&nbsp;</p>
<h2>Step 3: Equipment, finding the right balance between too much and not enough</h2>
<p>Choosing the right tools is one of the main assessment challenges that you will face. The more complete the assessment, the more it will require tools that ensure simplification and understanding of the whole project. Indeed, for large evaluations, the <strong>consolidation and restitution of results are two of the great challenges that you will encounter</strong>. In particular, commonly used tools don’t take into account the organizational complexity of large groups or the effectiveness of allocated resources. It is for these reasons that, from our side, we have chosen to develop a specific tool.</p>
<p>A good tool also allows you to position yourself against your competitors and understand your exposure to current attack trends and points where your COMEX is particularly sensitive, ensuring you can legitimize the assessment.</p>
<p>So it begins! It’s time to get your hands dirty and start the work of collecting information! There is a classic phrase that applies to these situations: entirely feasible from a distance. Be aware and transparent about the limits of the exercise: those questioned will sometimes have the impression that the assessment is too theoretical and this is normal, according to their objectives. During this phase, it will also be necessary to be able to juggle between the various unknowns because it is not uncommon to have people who are ultimately absent for long periods of time, added parameters, changes in methodology. Make it a point of honor to remain agile.</p>
<p>&nbsp;</p>
<h2>Step 4: Restitution at the right level to act, everything is a question of the point of view</h2>
<p>A good habit to keep is to adapt each restitution to each person. From the managerial summaries where we talk about trends without much detail to presentations for technical teams that are highly detailed, adapting the discourse to the necessary format is important to convey the right messages to the right people.</p>
<p>Usually, we start the restitution with the organization’s budget and workforce dedicated to cybersecurity. These very concrete points allow you to attract attention and then analyze the situation from four different angles:<br />
· Compliance with different global benchmarks (ISO/NIST)<br />
· Assessment of the level of maturity of different entities compared to others in the same sector or market<br />
· Quantification of the effort to reach the market level and/or the required level according to cybersecurity benchmarks<br />
· Evaluation of the level of robustness of the organization against the last known cyberattacks</p>
<p>With senior management, the restitution is often going to focus on organizational and governance matters. However, there can always be surprises. In cases where businesses have already been hit by serious cyber attacks, we have had surprisingly precise and technical questions from executive committees. For example, we have been asked for details on encryption algorithms and “How secure is my active directory?”</p>
<p>&nbsp;</p>
<h2>Get started</h2>
<p>As mentioned earlier, the maturity assessment is an effective means for <strong>measuring the effectiveness and progress of your cybersecurity roadmap</strong>. Consequently, even if you don’t want to immediately begin an assessment involving all security systems and dozens of teams at your business, <strong>we advise you to familiarize yourself with the approach</strong> and its usefulness by starting out with more modest goals.</p>
<p>At Wavestone, with years of experience and expertise, we have developed the <strong>W-Cyber-Benchmark</strong>, a multi-use tool that has been implemented by dozens of clients. We know that just writing about it isn’t enough, <a href="https://www.wavestone.com/en/contact/">so don’t hesitate to contact us to discuss further</a>!</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
