Lawrie Kirk asks if we are there with Cyber Security - and suggests how CDCAT® can help
You have ensured compliance with required cyber standards, employed specialists to undertake technical reviews and created an extensive risk register. But has this investment provided an agreed strategy and an understanding of where you stand as an organisation in relation to cyber risk, and of what the potential blockers to improving cyber capability are?
This is a very realistic question that CEOs and Risk Committees are asking: we have spent a lot of money on this cyber protection, so “Are we there yet?”
Compliance is essential, but it is just like having a driver's licence. My licence indicates that I can drive a car, a bus and a truck. I am compliant and can drive in Australia and other countries; in fact my licence is about to be renewed for 10 years. Showing a car rental company that piece of plastic with my licence details allows me to drive any of their vehicles; yes, I am compliant. The only question that is asked is 'have I been convicted of a drink driving offence'. But am I competent, and how mature is my driving? What are the areas where I am deficient, and what training might I need to regain competency?
It has been nearly 35 years since I have driven fully laden trucks and 30 years since I have been a bus driver, and since then no one has questioned my capability; I am compliant. It has been assumed that I am mature enough in the controls needed and that nearly 40 years of driving experience will ensure competency, but how do you know? My initial assessment was nearly 40 years ago, when I did not have glasses and my reflexes were a lot faster; these characteristics have not been reviewed or even questioned.
2017 has been a year when experience and compliance in the area of cyber protection are being questioned; not questioned for their value but for their relevance, as cyber breaches are still occurring. We need experience and compliance, but we also need an independent assessment of where the cyber risks are. Imagine this scenario: it is Monday morning and there has been a breach of your security system; not major, but still serious enough to indicate a significant weakness. The Risk Committee is meeting on Wednesday and the CEO has requested a new agenda item: a report on the breach, where the organisation's weaknesses are and the blockers to improvement. The Chief Information Officer has been asked to table this report at Wednesday’s meeting.
So you have a day and a half, or at best two days, as the meeting is on late Wednesday afternoon. Impossible? Not really.
Cyber attacks require an organisation to be proactive, nimble and flexible. This is a time for a highly structured and repeatable approach to assessing risk that has impeccable credentials, enables data to be collected in a repeatable and user-friendly manner, and can be used to generate reports against a range of standards.
This approach does exist and is available in the Cyber Defence Capability Assessment Tool, or CDCAT®. My first exposure to CDCAT® made me realise that here was an assessment tool that does three unique things:
1. It combines the IT service life cycle with a cyber protection life cycle – finally we have a way to ensure that the actual implementation of IT service delivery is recognised as a vital activity and contributor to the implementation of cyber protection;
2. An overall cyber maturity assessment is provided – a detailed 1-5 maturity assessment is developed based on years of experience from the UK Ministry of Defence (MoD). Anyone can allocate a maturity score on a 1-5 scale, but CDCAT® ensures that you have to substantiate it with evidence and observations; maturity scores are based on proven evidence. This approach also outlines the blockers to improving maturity; and
3. Once data is entered you can instantly generate reports against a range of standards. This is a bonus when you need to generate reports for operations that work across different countries. And the whole assessment process can be done in half a day.
The automation that CDCAT® provides also allows you to benchmark the data and set up comparisons, which is vital if you wish to measure the actual benefits of this investment and answer that CEO’s question of “Are we there yet?”.
CDCAT® reports will provide that CEO (in this case by Wednesday) with an overview of the maturity against a range of accepted controls, the blockers to improving controls and a plan of action (with metrics on how to measure progress).
For me, it is the ability to look at all of the controls and cross-reference the blockers that represents the true strategic value of this assessment tool. The Risk Committee is provided with an overview of the following blockers to each of the controls that are needed:
- Management (policy, process, instruction),
- Infrastructure, and
- Logistics (including finance).
And this is where the value of CDCAT® really shows: a lot of these blockers to improved cyber maturity overlap with blockers that are common to improving the organisation's ability to manage its change initiatives, whether at a programme or a project level. The Risk Committee is therefore provided with an assessment that can be integrated with other activities of the organisation.
If we are ever going to close the gap in cyber protection, cyber protection cannot be seen in isolation as an IT responsibility; it must be integrated as an organisation-wide capability improvement programme.
CDCAT® is much more than a cyber risk assessment tool; it is the catalyst that will bring together different parts of an organisation to objectively look not only at the why and the what (where the weaknesses are) but also at the how: how are we going to improve our cyber protection to an acceptable level of risk for our organisation?
Further information on CDCAT® can be found at https://apmg-international.com/product/cdcat
CDCAT® is a registered trade mark of The Secretary of State for Defence, Dstl. Dstl © Crown Copyright, 2017; Dstl © Crown Database Rights, 2017; This work was sponsored by the MOD ISS NTA.