AS THE business and consumer worlds face continuous disruption from technology, governments around the world are exploring ways to develop smart nations and cities by adopting these disruptive technologies.
There is no question as to the opportunities created by these new technologies. However, this also inevitably opens the door to the risks of technology and cybersecurity that can hinder innovation and business transformation.
Consequently, the regulatory environment is starting to tighten, with more legislation around cybersecurity to deal with technology and the increasing pace of change in the business landscape. In order to protect citizens and businesses, governments are also working with international bodies and industries to standardise cybersecurity policies and practices to address any risk that may arise from these disruptive technologies. Now more than ever, it is paramount to ensure that the foundations and infrastructure of any digital business are secure and sound.
For example, as financial institutions continue to become more data-driven and move into a digital mode of business, the cyber maturity of the organisation becomes a critical success factor for these organisations and their business functions. Therefore, it is highly recommended that organisations adopt a “cyber maturity model” to assess and improve on their current capabilities.
A Cybersecurity Maturity Framework is a set of standards and best practices from industry, professional or international bodies, arranged in a logical structure against which organisations can benchmark their current capabilities. Such a framework takes a risk-based approach to managing cyber risk and complements an organisation’s existing risk management programme, focusing specifically on cyber-related risks. The maturity model also provides a basis for decision-making on areas of improvement and on investments to enhance the prevention, detection of and response to cyber-attacks.
However, this is not a one-size-fits-all approach for managing cybersecurity risk as all organisations have unique risks. There are a number of frameworks available and, depending on each model, the approach to achieve the desired maturity level may differ.
Here are some Cybersecurity Frameworks or Maturity Models that are available:
National Institute of Standards and Technology (NIST) Cybersecurity Framework: This is a voluntary framework, based on existing standards, guidelines and practices, for critical infrastructure organisations to better manage and reduce their cybersecurity risk. In addition to helping organisations manage and reduce risks, it was designed to foster risk and cybersecurity management communications among both internal and external organisational stakeholders.
Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool: The assessment is a voluntary tool to determine inherent risk and cybersecurity preparedness of a financial institution. It was developed in conjunction with the NIST Cybersecurity Framework. The Financial Service Sector Coordinating Council (FSSCC) collaborated with the Financial Services Information Sharing and Analysis Centre (FS-ISAC) to develop an automated version of the assessment tool.
Information Security Forum (ISF) Maturity Model: The ISF Maturity Model helps organisations assess their current information security maturity, translate business objectives into a target maturity level and develop actionable plans to achieve it.
Hong Kong Monetary Authority Cyber Resilience Assessment Framework (C-RAF): This is a structured assessment framework for authorised institutions (AIs) to assess their inherent risks and the maturity levels of their cybersecurity measures against a set of principles set out in the C-RAF, called “control principles”. Through this process, AIs will be able to better understand, assess, strengthen and continuously improve their cyber resilience.
These frameworks and models share a common theme: building capabilities to reduce cybersecurity risk while balancing the needs of the business, so that the organisation can pursue profitability in a practical way without compromising security.
Understanding the dependencies between technology and business performance can support decision-making on risk acceptance, on the investment of resources in innovation versus security, and on the development of new products or services. In the modern enterprise, where digital trust must be established with customers and infrastructure and IT services are increasingly externally owned, managing technology risk and cybersecurity is a critical part of enterprise value delivery.
Organisations will need to continue to progress and mature in their cybersecurity posture so that digital risk stays at an acceptable level as business units innovate. It is important for businesses to discover what their security needs are and to make the necessary adjustments according to what they can afford.
PARICHART JIRAVACHARA, partner, risk advisory, Deloitte Thailand contributed this article.