By Dr. Silvia Knittl. In our current global PwC study “Global Digital Trust Insights Survey 2021 – Cybersecurity Comes of Age”, 31 percent of the survey respondents stated that their primary aspiration for transformation projects is to modernize their organizations with new capabilities. Although business capabilities attract much attention here,
50 percent of participants stated that they consider cybersecurity and data protection as part of every business decision. Nevertheless, 55 percent of those surveyed lack confidence that their cyber-expenditure is applied in accordance with their most acute business risks. Companies need to catch up.
We regularly perform assessments of cybersecurity for our clients and, in doing so, can observe the associated distribution of costs. Our experience confirms the results of the survey. Organizations often do not structure their cybersecurity capabilities in accordance with the risks most relevant to them or their most pressing business needs.
The majority of modernization and transformation projects result in new IT applications being defined, introduced and then passed on to the existing IT and IT security functions as additional tasks. Most modernization and transformation projects thus add to the workload of the supporting IT structures, including those for cybersecurity. New IT applications also require new processes, software and hardware. As a result, the degree of interconnection between these systems no longer grows linearly but exponentially. Cybersecurity must then account for new and additional attack vectors while cyber-resources, especially personnel, often stagnate. When all these factors combine, such personnel are pushed to the limit of their capacity.
We relieve such imbalances in our clients' IT security by assisting them with capability-based assessments and designs. Using our best-practice Enterprise Security Reference Architecture, we work top-down from the starting point of business needs to ascertain what characteristics the right cyber-capabilities should have. We use the aforementioned architecture as a template and, in addition to the technologies being used, take processes and organizational cyber-capabilities into consideration.
Depending on the organization, we consider either the enterprise security architecture in its entirety or focus on the security architecture domains that matter most for the organization concerned, e.g. its security operations center (SOC) and its sub-capabilities (such as incident detection, incident response or vulnerability management). To determine the current state of affairs, we interview the key stakeholders or hold a workshop. Our reference architecture supports the structured compilation and presentation of results by using maturity level models.
The results from various client projects demonstrate the benefits of a structured approach. For example, we regularly find duplicated tools among our clients: for one individual cyber-capability, multiple tools from different vendors are in use. In one case, we discovered more than ten tools from three different vendors in the area of access management. Our recommendations here focused first and foremost on harmonizing and reducing the number of vendors so that the client could achieve savings in maintenance, operations and other areas. In other cases, we found inefficient tool usage. For instance, a tool had been introduced that was used by only one department but was populated with data by many others, even though those departments were using similar tools themselves. In such cases, we recommend a redesign in order to achieve more widespread usage and greater automation of maintenance.
With regard to resources, our study showed that 51 percent of companies are planning to increase their cybersecurity staffing levels within the next twelve months.
As one of our client assessments revealed, sub-optimal use of cybersecurity resources, coupled with regulatory requirements, leads to a need for additional staff in order to meet compliance requirements as well as possible. In such situations we have recommended restructuring measures. The aim is to bolster well-established cyber-capabilities while improving the less effective ones through various forms of sourcing. In this way, the organization can develop and reorganize its cyber-personnel in a targeted manner and in line with its business needs.
Templates such as our Enterprise Security Reference Architecture help us to consider cyber-capabilities in a structured manner. Because organizations often focus on only a selection of areas, such reference-based observation ensures that no cyber-domains are overlooked and that all cyber-capabilities receive the same type of attention.
Our structured analysis of the current situation and presentation of maturity levels foster the balanced ongoing development of cyber-capabilities. By taking cyber-technology, processes and organizational characteristics into account from the outset, we avoid treating cyber-tool topics in the isolated manner in which they are conventionally handled.
This article is part of the quarterly newsletter IT Security & Data Protection. The newsletter IT Security & Data Protection News provides you with regular updates on the latest changes and developments in IT security and data protection.