Trend Micro Inc.

09/10/2025 | News release | Distributed by Public on 09/09/2025 20:29

What’s Your Cybersecurity Maturity?

As organizations mature their cybersecurity, their capabilities related to each of these three pillars deepen and strengthen.

Stage one: Reactive mode

Virtually every organization starts off stuck playing whack-a-mole with threats as they break into the enterprise environment, responding to situations after the fact. Organizations in reactive mode have low visibility. They don't have a complete handle on the assets and data they need to protect, they can't see their complete attack surface in sufficient detail, and they don't fully understand the threats they face. Because of these factors, their ability to prioritize and mitigate threats tends to be heavily constrained.

Here are some key indicators that you're in reactive mode:

  • Your security teams are overwhelmed by incidents and alerts
  • You have too many tools serving up siloed data
  • You manage IT assets with spreadsheets and your inventories are incomplete, out of date, or both
  • You rely exclusively on Common Vulnerabilities and Exposures (CVE) scores to decide what to patch

Stage two: Tactical mode

The first step out of reactive mode is to start integrating security and IT workflows (increasing visibility and responsiveness by knocking down silos) and to adopt some way of prioritizing vulnerabilities and threats. In other words, it's about getting a better handle on your attack surface.

While this is surely an improvement in terms of cybersecurity maturity, tactical mode is still largely reactive and slow-moving.

Here are some telltale indications that you're in tactical mode:

  • Security and IT have fewer silos, though they still exist
  • Cybersecurity processes are still mostly manual
  • Security patches still tend to be out of date, not caught up to the real-world threat landscape
  • Prioritization isn't consistent or based on any real assessment of risk, but instead on external measures like common vulnerability scoring

Stage three: Risk driven

As the term implies, the next major milestone in the cybersecurity maturity journey is to orient more of your overall approach towards identifying and addressing risk. In tandem with this, and because risk assessment is an intensive, continuous activity, you'll need to increase automation within your security operations. Specifically, you'll want solutions and capabilities that can give you a real-time view of attack surface conditions.

You've reached the risk-driven stage if you have:

  • Risk-based security frameworks and prioritization approaches
  • Automated cyber risk scoring and cyber risk quantification, which give objective measures of relative risk and the potential damage each risk could do
  • Automated remediation
  • Automated compliance management

Stage four: Proactive mode

The first two stages of cybersecurity maturity have a lot to do with increasing your visibility. Being risk-driven builds on those visibility gains to radically improve your ability to prioritize threats and cybersecurity activities.

Proactive mode consolidates all of the previous stages and emphasizes continuous mitigation. This means discovering and assessing risks, and taking strategic steps to minimize them, not only by dealing with threats and vulnerabilities but also by changing your attack surface conditions to reduce your exposure to risk. This gives you the ability to anticipate risks and address them preemptively before they can do any damage.

Here's how to tell if you're in proactive mode:

  • Your protection measures are highly automated, taking advantage of machine learning and AI
  • Your cybersecurity activities are aligned strategically with your business objectives
  • Cybersecurity is part of risk management at the corporate board level

Trend Micro Inc. published this content on September 10, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 10, 2025 at 02:29 UTC.