Is Your Organization Cyber Fit?

I was reading a book by a legendary strength coach that had one of the best definitions of ‘Fit’ I’ve ever seen. According to him, “Fit” comes from a Norse word meaning” to knit together.” In his view as a lifelong athlete and trainer of champions, he felt that it was the best definition and went as far as to define the” fittest” athletes as martial artists, aerialists, dancers, and gymnasts. Why? Because they have a combination of strength, muscular development, stamina, and grace – it all flows together when they compete. There are no jerky movements or imbalances.

It got me thinking about cyber readiness, or, for the purpose of this article, being a “Cyber Fit” organization.

I believe the same definition applies. Organizations that have robust cybersecurity programs stand out from their peers. Their program operates such that all the elements are woven together; it just works.   However, finding a genuinely Cyber-fit company is becoming increasingly difficult. The landscape of digital assets, as well as privacy and security regulations, have grown over the decades. Companies no longer must protect what’s in their own four walls but deal with a global ecosystem of threats, adversaries, and legislation.

What tends to happen is that Cybersecurity becomes a patchwork of various tools and processes.  Some of these might provide value if they are used appropriately, but in their current state, the program cannot reap the benefits. It’s like being an athlete and having all sorts of muscle imbalances and mobility issues that are preventing optimal performance.

How do we fix this?

I believe the answer lies in utilizing Governance. Having a solid Governance program can solidify the effectiveness of Cybersecurity by identifying the gaps in your program and creating awareness and visibility.

The Governance program will have key performance indicators (KPIs) and Key Risk Indicators (KRIs) that demonstrate how well the program is working – or not. Some items to include are:

• Click Rate of phishing program (measures the success of security awareness training).
• % of assets scanned for vulnerabilities.
• Number of systems with Critical vulnerabilities.
• Average days to resolve Critical vulnerabilities on core systems.
• Results of the last disaster recovery testing.
• Unidentified devices on the network.
• % of key vendors that have been risk-assessed.
• Patching cadence.
• % of the workforce that had cybersecurity training.
• % of staff using MFA.
• # of security incidents.
• # of control exemptions.
• Cyber spend as a % of total IT spend
• Greatest / Emerging Cyber Risks

The above is not a complete list, but it’s one that I have used successfully with organizations to get them started down the Governance path.  It’s always amended to the specific needs and risk profile of the company. But the fact that a company uses tools and processes to produce this information puts them several notches above the rest.

The key is to present these metrics in an executive forum – such as at an Information Security Committee, a Risk Committee, or a Board meeting. This way, everyone can see the program’s strengths and areas for improvement. It also helps set priorities for the security roadmap and budgetary discussions.   

No cybersecurity program is perfect. But It’s only through Governance that you can help ensure your program has the best chance of becoming a functionally fit cyber organization to deal with the increasing threats.