To dive deeper into IAM, our experts have created an IAM maturity assessment tool.

Interview with Anatole CATHERIN, Manager and IAM expert for almost 10 years at Wavestone.

Hi Anatole, thanks for your time! First of all, can you explain what IAM really is?

Identity and Access Management (IAM) is a discipline that sits at the crossroads of three worlds:

1. Cybersecurity strengthening: It comprises managing identities, the rights granted to these identities and user access to company resources. Each user has access confined to the limits of their role within an organization. To successfully achieve this, organizations need to know who, within their information system, can perform which actions and why. IAM is therefore an essential component of cybersecurity, especially during implementation of a Zero Trust policy.
2. Business enablement: Identity and Access Management is also a business enabler and a facilitator for successful digital transformation within organizations as it increases operational process efficiency to employees and customers. For example, IAM enables the control and fluidity of arrivals, departures or mobility by ensuring that new employee benefit from accurate accesses. In case of subsequent mobility or departure, the relevant accesses are removed and no information is lost.
3. UX enhancement: IAM facilitates a seamless user experience for employees within an organization. Moreover, the best IAM systems operate behind the scenes to enable work on arrival and enhanced connectivity based on security requirements.

Why is it so difficult to build an IAM system that works?

As you can imagine, the challenge and complexity of IAM is striking (and maintaining) the balance between security and fluidity of navigation.

To successfully implement IAM, it is important to assess the current state. With good reason, clients have difficulty measuring the effectiveness of their existing IAM system. There is no dedicated benchmark in the market evaluation.. The NIST pillars are high-level and do not cover all the challenges related to IAM; the existing benchmarks only deal with the cybersecurity aspect of IAM and ignores the impact on the operational efficiency of an organization’s internal procedures and the fluidity of the user experience.

The goal in creating the IAM Framework was to create a framework that evaluates the entire discipline and that can be used to build an efficient roadmap.

Can you tell us a bit about the IAM maturity assessment tool?

More than a tool, it’s a framework and a tool-based methodology that supports customers and provides them an overview of their IAM maturity.

The Framework enables the understanding of an organization’s current state (which IAM perimeters are deployed (or not), which IAM axes require further work, etc.). It provides an overview, with the right framework, the right angle and the right resolution to cover all IAM topics.

The maturity assessment consequently allows the prioritization of workstreams that culminates in an IAM action plan!  Thanks to this framework, we can identify the main areas for improvement, while accounting for organizational nuances by introducing the notion of scope.

In short, it meets three objectives: Evaluate, Improve and Extend IAM to other perimeters (beyond internal and service providers, with customers or partners). It was intended to be exhaustive to highlight our customers’ shortcomings and subsequently measure their progress and the effectiveness of their transformation program.

Our ambition is to make it the primary evaluation standard, entirely dedicated to IAM, with a sufficient level of granularity to cover all issues!

How is it structured?

Concretely, our tool is composed of about fifty questions that cover the 6 IAM themes:

1. Governance
2. Identity management
3. Entitlement management
4. Access control
5. Privileged access management
6. Reporting and controls

It can be used in several cases, here are 2 examples:

Can you tell us about the last time you used it with a concrete example?

We tested the questionnaire in the field through several missions, during which the use of the IAM Framework helped accelerate the process. These missions comprised:

• the definition of an IAM roadmap for a large energy company
• the framing of a migration to an IAM tool for a banking group, which allowed the measurement of gaps between their existing solution and the new one
• IAM maturity assessment for an insurance company, to identify friction points and areas for improvement and to establish a roadmap

For these three projects, the assessment grid made it possible to identify all addressable topics (regardless of whether the client was aware of them at the outset) in order to provide an actionable roadmap covering all IAM issues. In other words, the Framework can be used as an analysis framework for the implementation of a project.

We plan to launch new missions on the subject and we are looking forward to supporting new customers in their journey to improve their IAM structure!

A final word?

I will end by reminding you of the key components of the Framework:

• It is “ready to use”: the fifty questions encompassed in the framework designed by Wavestone experts covers all IAM topics
• It offers a standardized and formalized vision of its maturity on the subject of access and identity management: this assessment is also an opportunity to involve all the key players impacted by IAM: cyber teams, IT teams, internal audit teams and business teams,
• It facilitates the prioritization of actions within a transformation program:as explained above, it can be used at different times and can therefore be used as a support for a broader reflection,
• Finally, it is a flexible means of use: It can be used at a very high level (a strategic level) or to develop very specific actions.

Want to evaluate yourself? Please contact us!

Cet article [INTERVIEW] IAM Maturity Assessment – Where do you stand and why is it crucial? est apparu en premier sur RiskInsight.

To accomplish this, you must understand your starting point and your market position. Wavestone’s cybersecurity maturity assessment framework, which currently has the support of over 100 international organisations, was developed with this conviction.

Discover how the CyberBenchmark works with Anthony GUIEU, the Cybersecurity Manager at Wavestone.

Hello Anthony. As a start, can you present CyberBenchmark in one sentence?

The CyberBenchmark is a comprehensive tool that allows companies to assess their level of cybersecurity, position themselves in relation to the market, and establish a roadmap- thanks to a questionnaire and a database of nearly 100 customers worldwide.

Why did you create the CyberBenchmark when there are already many frameworks in the market?

We created the CyberBenchmark because many of our clients were concerned about where they stood in relation to the market. Historically, our clients were looking for absolute ratings against known frameworks such as NIST or ISO. But now, they are very much interested in knowing their relative position within their ecosystem. Our CyberBenchmark allows them to deal with both of these approaches simultaneously.

CyberBenchmark also enables to come up with slightly different angles of attack: there are issues that our clients are not mature as per the market and prioritising these actions can make them progress. On the other hand, there are areas where they are not good and the market is also not mature, here the subject’s urgency must be put in context. Companies such as Gartner and Forrester provide general trends on major cyber issues, to which we add a concrete perspective based on our field observations with clients.

As soon as we built the CyberBenchmark, we realized that numerous competitors offer their own augmented versions of cyber security questionnaires. Our real added value is the market comparison: to date, nearly 100 clients have trusted us and been evaluated using this reference framework!

How does the CyberBenchmark work?

To have a coherent framework, we based ourselves on the existing frameworks, i.e., the security standards as per the market: ISO 27001/2, NIST, etc. This was necessary because our clients used these standards for assessing themselves. We added a questionnaire with our own feedback from the field to refine the maturity levels by theme. 

One of the added values of the CyberBenchmark is the granularity of the evaluation. It allows precise perimeter measurement in relation to their level of maturity. In concrete terms, it is possible to distribute the level of maturity for a given question with different levels: for example, 30% level 2, 60% level 3 and 10% level 4, which may be due to heterogeneous perimeters, initiatives in progress, etc. This enables us to quantify the value of projects that take a longer time to complete and are complex to implement over several perimeters: particularly in large groups by materialising their progress.

Subsequently, each evaluation gives rise to a report in two parts-

• One part is for top management with budgetary ratios, human resources, and the level of maturity in relation to international standards.
• Second part is for the operational security staff, who identifies good and bad practices as well as the actions to be launched as a priority. The objective is to develop recommendations and concrete measures to elevate the level of the organisation.

When should the CyberBenchmark be used?

• In my opinion, this tool will be ideal for an organisation that wishes to rapidly identify its cybersecurity priorities
• The first results are quick: within a month itself, we were able to produce a deliverable for the Executive Committee that included specific action proposals
• It is one of the few tools in the market that offers a comparison with competitors
• Unlike the traditional frameworks, our questionnaire addresses both governance and operational concerns

The CyberBenchmark is also adaptable to all requirements and budgets

• The “quick” approach requires only a few interviews. It is based on a declarative evaluation to quickly determine the company’s level of maturity and the projects to be launched
• The “complete” approach is based on an in-depth audit, dozens of interviews, a review of the evidence, and even additional technical tests (intrusion tests, Red Team, etc.)

Can you provide an example of a specific application of the CyberBenchmark?

To illustrate the “rapid” approach, we recently used it to support a large industrial group in initiating a security process and challenging its executive committee. After 2 months of work and 5 workshops, we were able to provide a clear vision of the structure’s cybersecurity level and project a target level for 3 years, which got accepted by the Executive Committee.

In terms of a comprehensive approach, over the last few months, we have been working with a British bank for assessing its general cybersecurity posture and level of compliance with the reference frameworks. We mobilised a team of 10 consultants in 3 different countries for conducting more than 50 workshops and collecting evidence. With this we were able to provide concrete and reliable feedback on the level of security as well as for identifying market-related investment priorities. Likewise, these elements are utilised in exchanges with their main regulators.

A final word?

Wavestone’s CyberBenchmark provides a broad view of the market’s level of maturity while delving deep into its specific technical subjects. This is what makes it a differentiating asset for our clients, as they could position themselves against competitors within their sector on each of their topics. The priorities in terms of cybersecurity would then emerge clearly for the client, allowing them for an effective cyber budget. It is a real cyber strategy accelerator, that has been tried and tested by numerous clients!

We can easily generate statistics and trends using CyberBenchmark’s exclusive data: how many companies have deployed a security tool (EDR, bastion, probes, etc.), where they stand in terms of deployment, who is leading the market, and so on. According to the latest study on the maturity of French companies, the general level of maturity on our benchmark based on international standards (NIST CSF Framework and ISO 27001/2) is… 46%. Each year, we formalise our market knowledge and forecast strong sector and technical subject trends.

Finally, as you would have understood, the CyberBenchmark evolves and develops as it is used by new companies. We now have a database of over 100 companies, which will enable us to open a new category in January: “Luxury goods & Retail”, with more than ten companies with which we can refine the sector-specific analysis.

If you are interested in positioning your organisation within the market, please do not hesitate to contact me or one of our experts. We will be able to guide you through this process.

Cet article One month to assess your cybersecurity posture! est apparu en premier sur RiskInsight.

After having made several dozen speeches to executive committees, audit committees and boards of directors, I wanted to share with you the essential steps for advancing the relationship over the long term. The first phase of this trip should make it possible to create an initial contact and raise the EXCOM’s awareness on cybersecurity issues. First step, awareness! The objective for these sessions is often to manage to attract attention so as to be able to trigger further reflection within the organization. Later on, we will see the following steps: presenting a balance sheet, obtaining a budget, monitoring the progress on the security level…

An essential prerequisite, knowing where you are starting from and who you are going to deal with

This may seem like a cliché, but it is certainly the most important element before going to meet an executive committee or a board of directors. Thanks to its wide media coverage, cybersecurity is often already present in executives’ minds. But their degree of digital literacy and their level of appetite for the topic can completely change the way the topic is raised. Will it be necessary to be very didactic (going so far as to re-explain the principle of data, applications, if any) or will it be necessary to immediately address complex points such as the latest attacks observed and their methodologies? You would be surprised to see the diversity of levels between companies, but also within the same EXCOM. And it is necessary to interest each of the stakeholders, at the cost of having comments that are not very helpful during the intervention.

It is therefore important to prepare this first meeting by talking with other members of the ECOM their deputies or with people familiar with this forum to determine the tone to be adopted and the level of the speech to be given. Obviously, the operating rules will also have to be known: is it common for questions to be asked as they arise? Can a member be questioned? Should subjects relating to the company be raised from the outset? Plan to clear the ground upstream! And even if there is no perfect recipe, I will give you below the elements I use most often to make these meetings useful and effective.

To start, draw the attention by revealing the behind-the-scenes of an attack…

The topics quickly follow one another during the EXCOM. The directors think very, very quickly, so it is necessary to be concrete and to give food for thought and experience. The element that I find most effective consists in presenting a recent attack, published in the press or having affected the sector, and deciphering the stakes and the background: what is the timeframe? what motivation for the attackers? what weaknesses in the company? what is the reaction internally? publicly? with the authorities? This will have the effect of mentally projecting the directors concerned into their role as if they were going through the same thing. We at Wavestone are fortunate enough to frequently manage major cyber crises and we use these elements, both as a benchmark but also by anonymizing them or in agreement with the victims, to give a very concrete meaning to our feedback.

Follow-up with a generalization about cybercrime

An case is good to understand, but it doesn’t explain everything! After zooming in on a case, it is a question of generalizing it by explaining what are the mainsprings cybercriminality ways of proceeding. We then analyze the motivations of criminal groups, their organizations, but also and perhaps above all how they make money!

For an EXCOM to know that it is a DDoS attack or ransomware that has done damage is of little interest, it is especially important to show them that cybercriminal activities are profitable, even very profitable. We have calculated the ROI of several types of attacks and I can tell you that when you explain a 600% profitable attack like a ransomware, the eyes of the directors are wide open. We then highlight very concretely why their structure could be attacked and especially how much money the criminals would make. This often puts an end to the question “but why would we be targeted by an attack? We’re not known/we’re small/we don’t do anything strategic”.

Explain the company’s current situation in concrete terms

This is the right time to present the company’s IT posture and its current organization in terms of security. It is then a question of presenting it simply, with clear and meaningful images: are you rather in an old-fashioned “fortress” model? Or have you already opened your doors as a result of the digital transformation and have you adopted a porch model where security is reinforced the further you go towards critical systems? This will help to make the situation more concrete.

After this phase of mobilization and explanation, comes naturally the phase of questioning by the members of the executive committee. “But then, where are we now, or are we facing this risk of a cyberattack? ». Faced with this question, either you are lucky enough to have a detailed maturity assessment and you can present it immediately, or you can bring in initial qualitative or even partial quantitative elements and explain that today you need to have more visibility. The elements that speak for themselves are the latest audit reports, the latest incidents, budgetary elements.

If it is difficult at the beginning of the process to talk about the budget and to compare oneself because of a lack of data, it is possible to use a simple and effective indicator, that of your staff dedicated to cybersecurity. We have a database on this point and we can quickly show a EXCOM where it is just by mobilizing its HR. It’s simple and effective to convince them!

Don’t leave emprty-handed

The major risk of this awareness is that everything goes well but nothing moves. Indeed, you may have a positive message, “thank you and see you in a year for an update”, you will be happy but you will not have helped cybersecurity situation moving forward. It is then necessary to prepare the next step by indicating from this presentation the main points of weakness or strength felt and how you would like to evaluate them more precisely.

Indeed, the second step is often the realization of a dedicated maturity assessment in order to know how to position yourself! If at this point the meeting has taken place, the EXCOM, intrigued and interested in the topic, will want to know more and will give an agreement in principle. Beware that this may not be a budget directly, it will certainly refer you to the CIO or the Risk Director to get it, but with their agreement you will have a great lever to move on to the next step! See you on the next episode.

Cet article Creating a relationship of trust with the EXCOM: first step, raising awareness! est apparu en premier sur RiskInsight.

But these projects are not only the work of systems security managers. These projects also come from executive committees who seek a 360 view of the security of their institution to better evaluate potential risk. So, what are key success factors that we have seen in the field?

Step 1: Know the purpose and expectations of your evaluation

Evaluations can be entirely different levels of depth. From a high-level interview with the Chief Security officer to an in-depth assessment of the security mechanisms and processes of all the subsidiaries of a multinational group, everyone can choose their areas of focus and advance step-by-step.

Our first advice is to keep in mind the objectives of your evaluation. This will allow you to orient yourself toward the right security benchmarks and ultimately define the depth of the evaluation. Do you only want to measure the security maturity of your subsidiary’s information systems or also its efficiency? Perfectly documented security processes and an ISO 27001 certification can unfortunately hide problems on the ground that can expose you to vulnerabilities. It can be judicious to combine a technical test (pentest, red team, etc.) to the evaluation in order to avoid situations that seem fine on the surface but hide underlying issues.

Step 2: Find and mobilize the right people at the right level, easy to say but harder to do…

The next difficulty that you can encounter in your assessment is to succeed at meeting the right people. From experience, we advise you to confirm your list of the necessary collaborators as soon as possible.

Logically, this list will certainly depend on the granularity of the analysis but also on the organization of the business. For example, the necessary people will differ if the security staff are at the group level and function as a service center or if they are merged into each entity and service. Consequently, if you want to have a high-level estimate first, it could suffice to only have a half day exchange with the Chief Security Officer, who generally has a sufficient and global vision of the subject.

The second stage of analysis can be performed in gathering information from all actors involved in cybersecurity at the group level. In this group, it can be interesting to meet a large group of people involved in information systems and the cloud.

Finally, when the assessment must be thorough and exhaustive, it becomes necessary to widen the list of collaborators to all of the concerned entities. Obviously, you should expect a larger workload, so do not skimp on preparation and tools to help you in your work. It can also be the right moment to think about your presentation format: face-to-face, distance, strategic, operational, etc.

Step 3: Equipment, finding the right balance between too much and not enough

Choosing the right tools is one of the main assessment challenges that you will face. The more complete the assessment, the more it will require tools that ensure simplification and understanding of the whole project. Indeed, for large evaluations, the consolidation and restitution of results are two of the great challenges that you will encounter. In particular, commonly used tools don’t take into account the organizational complexity of large groups or the effectiveness of allocated resources. It is for these reasons that, from our side, we have chosen to develop a specific tool.

A good tool also allows you to position yourself against your competitors and understand your exposure to current attack trends and points where your COMEX is particularly sensitive, ensuring you can legitimize the assessment.

So it begins! It’s time to get your hands dirty and start the work of collecting information! There is a classic phrase that applies to these situations: entirely feasible from a distance. Be aware and transparent about the limits of the exercise: those questioned will sometimes have the impression that the assessment is too theoretical and this is normal, according to their objectives. During this phase, it will also be necessary to be able to juggle between the various unknowns because it is not uncommon to have people who are ultimately absent for long periods of time, added parameters, changes in methodology. Make it a point of honor to remain agile.

Step 4: Reforming at the right level to act, everything is a question of the point of view

A good habit to keep is to honestly adapt each reform to each person. From the managerial summaries where we talk about trends without much detail to presentations for technical teams that are highly detailed, adapting the discourse to the necessary format is important to convey the right messages to the right people.

Usually, we start the reforms in terms of the organization’s budget and workforce dedicated to cybersecurity. These very concrete points allow you to attract attention and be able to then analyze the situation from four different angles:
· Compliance with different global benchmarks (ISO/NIST)
· Assessment of the level of maturity of different entities compared to others in the same sector or market
· Quantification of the effort reach the market level and/or the required level according to cybersecurity benchmarks
· Evaluation of the level of robustness of the organization against the last known cyberattacks

With senior management, the restitution is often going to focus on organizational and governance matters. However, there can always be surprises. In cases where businesses have already been hit by serious cyber attacks, we have had surprisingly precise and technical questions from executive committees. For example, we have been asked for details on encryption algorithms and “How secure is my active directory?”

Get started

As mentioned earlier, the maturity assessment is an effective means for measuring the effectiveness and progress of your cybersecurity roadmap. Consequently, even if you don’t want to immediately begin an assessment involving all security systems and dozens of teams at your business, we advise you to familiarize yourself with the approach and its usefulness in starting out with more modest goals.

At Wavestone, with years of experience and expertise, we have developed the W-Cyber-Benchmark, a multi-use tool that has been implemented by dozens of clients. We know that just writing about it isn’t enough, so don’t hesitate to contact us to discuss further!

Cet article How to effectively evaluate your cybersecurity est apparu en premier sur RiskInsight.