Aggressive digitalisation which leaves IT users behind is not effective digitalisation.
Being a digitalised organisation does not mean paper notes were replaced with Microsoft Word documents which are then saved on the network. True digitalisation should improve work streams and efficiency, resulting in increased productivity. If the digital version of a workflow takes longer than the paper-based one, nothing has been gained.
Most often the main issue with large digitalisation projects is that they look to make many large changes all at once, and rarely take the skill of the workforce into account. This can result in employees becoming overburdened and stressed – not only the IT and project teams, but all the way to the frontline staff. Taking occasional large technology jumps causes much more impact than taking small, regular steps.
Efficiency > new systems
Cyber security is no different – buying a new system is often seen as “progress”. However, improvements can also be made by simply providing a good standard of guidance for IT systems. Much of the attack surface relating to staff IT activities originates from a lack of understanding of IT systems, and how to use them, which in turn leads to confusion and fear.
Knowing what to expect from a system is the first step to helping staff identify potentially malicious behaviour, as they will better understand what is unusual or unexpected. Knowledge gaps can also impact productivity: even if an organisation implements best-in-breed solutions, any possible efficiency gains are left unrealised when those solutions are not used correctly. If digitalisation does not increase efficiency, then what was the point?
If the number of cyber security related systems in use by an organisation increases year on year, but over the same period the IT/cyber team has fewer resources to manage them, this will impact how well those systems are monitored and maintained on a day-to-day basis. This can in effect reverse any previous progress and result in a less secure environment.
It’s important to note that no organisation can ever be fully “secure”, and exposure levels move constantly on a fluctuating scale. Cyber security should not be viewed as a journey with a destination. Instead, the aim should be measured, continuous improvements across administrative, physical and technical controls, using embedded, repeatable processes and frameworks. Understanding that threat exposure can swing from low to high within a 24-hour period, and that it’s possible to achieve cyber security compliance whilst still being poorly secured, is key to understanding cyber security risk management.
Cyber security is not simply about preventing malware and recruiting more cyber analysts. It’s about culture, strategy and day-to-day business processes which have cyber security embedded at their core to prevent large scale cyber incidents. Well-implemented cyber security should improve efficiency and be almost invisible. The aim should be to be “secure by default”, also known as “secure by design”, and be as proactive as possible rather than reactive.
One of the best ways to implement a proactive strategy is to use automation for repeatable tasks, which allows staff more time to focus on improvement work. To automate a process effectively you should already understand the process and have it mapped out. Automating processes which have not been optimised can lead to poorly performing automation which regularly encounters issues requiring troubleshooting, thereby negating any positive impact. Automating processes which are not fully understood and documented will also lead to issues further down the line if the process, and thereby the automation, needs to change. Automation should always be a maturity step to improve efficiency, and never be seen as a shortcut.
Measure maturity for your security
Q: How can we track our progress more effectively, so it’s not purely based on the IT/cyber security systems we have in place?
A: We can use a maturity scale.
Strong cyber security governance is required if an organisation wishes to move from a reactive maturity state to a proactive one. Well-implemented governance also leads to better compliance. When IT systems and controls are not assessed correctly prior to implementation, additional work is created for operational teams who are then forced into a constant state of reactive remediation. This also means the IT environment is constantly trying to catch up with itself to ensure security baselines are in place, or mitigating residual risk via excessive monitoring, or through labour-intensive checks.
Strong assessment and quality control helps to ensure that new systems have known risk accounted for and mitigations available during implementation. The introduction of new systems should be controlled to ensure that each has a justifiable requirement to avoid an excessive technology footprint which in turn increases the attack surface of the organisation and impacts already stretched IT teams.
Below is an example of a typical maturity model which provides an organisation with an overall maturity rating on a scale from “Unprepared – Initial” to “Anticipatory – Optimised”.
Better informed strategic decisions
With this type of model, organisations can make better informed strategic decisions by looking at the overall position of cyber security. It encourages a standard level of maturity across all areas rather than a few pockets of very mature areas offset by the majority being in a low maturity state. For example, if knowledge is too centralised and not shared, and an individual leaving the organisation has a large negative impact then we would be low on the maturity scale. The same would be true if any new system is not appropriately assessed by internal IT or cyber teams before implementation.
By using the maturity model, we move away from identifying the next technology and instead focus on improving current processes, fine-tuning existing configurations and identifying opportunities for automation. It also allows us to look at problems in a different way. Instead of focusing on the vacant cyber analyst role we may have had for 12 months, we look at the problem this role would solve and identify a different way to resolve the issue.
To find out more about how to assess your cyber security maturity, contact Cloud21. We don’t just understand cyber security, we understand NHS cyber security.