The five levels of cybersecurity maturity: Where do you fit?

Javier Dominguez, CISO at Commvault, discusses the five different levels of cybersecurity maturity. “At the earliest stage, security may be in the hands of individuals who are simply order takers,” he says, “whereas at the most advanced level, CISOs are liaising with the board to ensure cybersecurity is built into every aspect of the business.”

CISOs are shouldering an ever-growing burden of responsibility as cyberattacks reach record numbers, according to Check Point Research. It revealed the number of global cyberattacks in the third quarter of 2024 had risen by a staggering 75% compared to last year.

Despite this massive hike in threats, a recent Commvault survey found only 13% of global organisations were ‘cybermature’ enough to effectively mitigate and rebound from an attack. These few were able to recover 41% faster from an incident compared to respondents at the lowest end of the scale.

A number of key resiliency markers accounted for this significant difference in speed of recovery. They determined why some businesses were able to restore data quickly and resume normal operations while others could not. Notably, there was emphasis on having security tools that could provide early warning about risk, including insider risk, together with defined runbooks, roles and processes for incident response.

Vital, too, was having a reliable clean dark site or secondary backup system with an isolated environment in which to store an immutable copy of critical data. Equally important was frequent testing of cyber-recovery practices so that processes remained fit for purpose and up to date.

Determining CISO maturity levels

With the onus on CISOs to make sure these critical measures are in place and regularly tested, the question arises: do business leaders know whether they have the right individual, supported with the right resources, running their security operations?

Organisations rely heavily on their CISOs to protect operations from cyberattacks, yet their level of authority varies considerably, impacting the overall cybermaturity of an organisation. At the earliest stage, security may be in the hands of individuals who are simply order takers, whereas at the most advanced level, CISOs are liaising with the board to ensure cybersecurity is built into every aspect of the business.

To understand where an organisation fits in this maturity cycle and how it affects cybersecurity risk and resilience, the stages can typically be broken down into five phases.

• Check box security

In the least mature organisations, those tasked with security are seldom policy makers, and most do not have a dedicated CISO role. Instead, cybersecurity is often handled by part of the IT team, reporting into a mid-level IT manager or possibly the CIO. The responsibilities are often combined with daily routines required to keep the technical infrastructure running, such as configuring servers, installing software updates and setting up laptops.

Usually these organisations are small, often private companies with no obligations to shareholders and fewer regulatory pressures.

Other demands on the business often take precedence, such as sales and commercial functions. Consequently, important safeguards like multi-factor authentication may not be implemented as they are seen as restrictive. In some cases, cybersecurity is perceived as a hindrance to productivity and relegated to a check box activity.

• The right time for a CISO

As a business grows, inevitably its attack surface expands, becoming a potentially lucrative target for hackers. More employees, customers and suppliers equate to additional processes and applications which in turn create more vulnerabilities for attackers to exploit.

At this point cybersecurity is rising higher up the management agenda, and businesses start thinking about recruiting a senior cybersecurity professional or CISO. In this early stage, the role is often described as a technical appointment with an expectation the incumbent will spend a proportion of time coding alongside development staff. There is often little or no scope for the CISO to plan and implement an overarching cyberstrategy.

Additionally, compliance requirements start to receive more attention, with the deployment of formal monitoring and auditing capabilities, using internal resources or external expertise.

This is the time when IT and security should establish effective communication channels to ensure security objectives are mutually agreed, which prevents a gap growing between the two functions. If the CISO and CIO interact and communicate regularly, then this bodes well for productive co-operation between their teams.

• Beyond a technical CISO

Before long, it becomes evident the CISO needs increased autonomy to evaluate and deploy security controls and procedures across an organisation. At this stage, decision-making power may still be restricted to recommending technology for defending against, detecting and recovering from attacks, whereas CISOs need the authority to implement more wide-ranging measures, such as protecting cloud environments and controlling access to all corporate systems with access management solutions.

While other executives may express concern about security initiatives slowing down time to market, this is the juncture where business leaders must back the CISO and support essential new cybersecurity initiatives.

Although IT and security are now separate teams, the CIO and CISO should continue to work closely to balance IT goals with security requirements. This ongoing alignment is vital for the security and smooth running of the business.

• The empowered CISO

When organisations near full maturity, the CISO is participating in strategic meetings with the board of directors, advising on cybersecurity risks, resilience and recovery capabilities. Working with the leadership team, the CISO proactively determines the organisation’s tolerance for risk and provides analysis to demonstrate changes in the organisation’s risk profile. In addition, they devise the appropriate strategy and security policies to stay within agreed tolerances.

At this advanced level, CISOs are also advising the board about the advantages and concerns surrounding emerging technologies such as AI. Cybersecurity is now an established element of strategic, as well as operational, planning.

• Secure by design

For organisations that reach the ultimate stage, security is imbued within the fabric of the organisation. Following secure by design principles, employees enterprise-wide adhere to security processes and policies. It’s the point where cybersecurity is built into the foundation of everything a business does. Continuous testing of corporate systems is expected, and teams are well-practised at incident and data recovery.

Planning the maturity cycle

It’s safe to say that when it comes to cybersecurity, no two organisations are alike. Each has its own unique technical infrastructure, ways of working and strategic goals. Public companies will have different objectives to private ones, and large businesses will have different resources and obligations compared to smaller entities.

Therefore, calculating the speed of progress through the cybersecurity maturity cycle is not straightforward. However, by understanding the characteristics of each stage, CIOs and business leaders can better align the development of internal candidates, or the recruitment of a CISO, with the right skills and qualities for their specific needs. This will help build a level of maturity that matches their own organisation’s tolerance for risk, as the onslaught of cybersecurity attacks continues unabated into 2025.

Intelligent CISO