Cyber systems maturity and actualization create resilience in an increasingly hostile and uncompromising environment.
Read any report, threat assessment, or other commentaries on cybersecurity today, and they will likely have two things in common. First, they will explain that cyber threats are increasing, becoming increasingly sophisticated, and often combine multiple types of attacks. Many types of entities, including public bodies and not-for-profits, are vulnerable. Attacks span all industries and geographic locations. Second, they will explain that governments and other regulators are increasingly using statutes and directives to protect customers and other citizens from the adverse effects of cyber incidents.
For instance, the Canadian federal government has recently introduced two bills that, if passed, would materially change the cybersecurity landscape. Both have only passed first reading. Bill C-26, An Act respecting cyber security, includes safeguards to protect critical cyber systems that are vital to national security or public safety. Bill C-27, Digital Charter Implementation Act, 2022, would change significant parts of the federal privacy regime that safeguards personal information that organizations collect, use, and disclose. Additionally, organizations that pay ransoms after ransomware attacks should remain cognizant of anti-money laundering, anti-bribery, and similar statutes. These statutes make it an offence to pay money launderers, terrorists, and other sanctioned or sanctionable persons or entities.
In short, the cyber environment is increasingly hostile and uncompromising—bad actors exploit the cyber-vulnerable; governments and regulators increasingly demand cyber protections for their constituents.
Organizations with the most mature cybersecurity environments will typically fare better from a compliance and security perspective.
Cyber maturity is reminiscent of Abraham Maslow’s hierarchy of needs. Maslow was a psychologist who developed the hierarchy to explain human motivation. Organizational theory and behaviour disciplines have used the hierarchy to explain employee motivation. The theory is that humans have five hierarchical needs that drive their motivation. The needs form a pyramid.
Food, shelter, and other basic physiological needs are at the pyramid’s base. As individuals progressively satisfy lower-level needs, they are motivated to move closer to the pyramid’s apex and meet higher-order needs or aspirations. At the apex is the need for self-actualization, which is the fulfilment of one’s potential. Actualization is the level at which the individual has the resources and opportunity to be the best person they can possibly be.
Cyber maturity models, like the Cybersecurity Framework from the National Institute of Standards and Technology (NIST), evoke similar ideas. There are lower-level or foundational requirements to achieve some level of cybersecurity. Progressively robust practices are goals that best-in-class organizations aspire to achieve for the most mature, best-equipped, or actualized cyber systems. Like the hierarchy of needs, NIST’s Cybersecurity Framework is a pyramid with five levels.
At the first level of the pyramid, akin to the basic need for food, shelter, and other physiological necessities, a primary need is the ability to identify cybersecurity risks. An organization at this level has a governance approach to cybersecurity, practices risk assessment and management, and has an information and technology asset management program.
An organization that has not reached this level of the pyramid scores a negative integer on the cyber maturity scale. Like a person without food, shelter, or other basic physiological needs, that organization’s very existence is in peril because it may not survive a cyber incident.
An organization at the second level of the pyramid can protect itself by safeguarding mission-critical functions. Its safeguards include identity management and access controls, data security, protective technology, a maintenance program, training and awareness programs, and other defined policies and procedures.
At the third level of the pyramid, the organization can proactively detect cybersecurity events, incidents, and threats through continuous security monitoring, technologies that identify, report on, and create alarms for anomalies or events, and other tools.
At the fourth level of the pyramid, a more mature organization is well-equipped to respond or take corrective actions in response to a cyber incident. Policies and procedures for response planning, communications, analysis, mitigation, improvements, and other responses will be effective.
By the fifth level or the apex of the pyramid, the organization has such mature cyber systems that it is resilient and can bounce back or recover after a cyber incident. Instead of being reactive, the organization can proactively deter or neutralize potential security events before they materialize. Given their procedures for recovery planning, communication, continuous improvements, and engagement with the broader cybersecurity industry, mature and actualized organizations are adept at preventing cyber incidents. Their track record for compliance is excellent. And they can resume normal operations very quickly and efficiently if a cyber event causes a disruption.
IT professionals will recognize the above as the Identify, Protect, Detect, Respond, and Recover functions in NIST’s Cybersecurity Framework.
Like the hierarchy of needs and a true pyramid, the control items at the pyramid’s base are necessary foundations that support activities at the apex. For example, organizations without risk management processes and defined policies and procedures from the identify and protect levels are unlikely to have the continuous improvement or engagement needed for resilience and recovery at the pyramid’s apex.
The pyramid shape reflects the reality that fewer organizations may be at the apex of maturity and actualization compared to lower levels of achievement. The pyramid shape might further suggest that cyber maturity is exclusive and difficult to achieve for unmotivated entities. Like employees climbing the hierarchy of needs, maturity and actualization should be motivating factors behind cybersecurity activities.
Meeting your duty of care
Achieve cyber maturity and actualization. Start by implementing a cybersecurity framework. Apply policies and procedures related to privacy, data security, disaster and incident response, and recovery. See SPP IT 8.04 – Confidentiality and Privacy, SPP IT 8.06 – Managing a Security Breach, SP IT 8.07 – Cybersecurity, SPP IT 11.12 – System Recovery and Reconstitution (an upcoming policy), and many other policies in Information Technology PolicyPro.
Policies and procedures are essential, but the work required to create and maintain them can seem daunting. Finance and Accounting PolicyPro, Operations and Marketing PolicyPro, Not-for-Profit PolicyPro, and Information Technology PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada), contain sample policies, procedures, checklists and other tools, plus authoritative commentary to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request free 30–day trials of Finance and Accounting PolicyPro, Not-for-Profit PolicyPro, Operations and Marketing PolicyPro, and Information Technology PolicyPro, here.