An effective cyber security strategy is not just about technical preparedness – it is also a strategic factor that shapes the relationships with all stakeholders and a determinant for the effectiveness of your organization. An integrated risk and control framework embedded in the overall risk appetite is needed not only to effectively mitigate cyber threats, but also to create a competitive advantage. 

As part of Horváth’s risk solution offerings, we conduct a Cyber Security Maturity Assessment (CSMA), a useful instrument to optimize your cyber security strategy and program. It helps understand your governance, processes, and controls, and define where resources are most needed. We work closely with your teams to holistically assess current capabilities, from governance and cultural aspects, to employee skills, down to your cyber security infrastructure. The CSMA is an adaptable gap analysis and risk assessment that uses best practices in risk management and cyber security frameworks to answer the most urgent questions surrounding your company’s existing cyber security strategy and program. Such questions may be:

• Where does your company’s current security strategy and organization stand? 
• What elements need to be considered as part of a cyber security strategy and organization? 
• Where do you have training and awareness needs?
• What are your company’s biggest cyber security risks? 
• and how can you improve your governance, processes and controls to adequately mitigate these?
• Where are your competitors focusing their efforts, and where does your company stand in comparison?

The goal of our CSMA is to provide an overview of your company’s current cyber security governance and set-up, an objective review of existing measures, and a guide to strategic advancement and prioritization of further initiatives. It looks beyond pure technical preparedness, and thus goes beyond traditional cyber maturity assessments: it takes a rounded view of governance, processes, people and cyber security infrastructure. This will help your organization to develop strategic and tactical directions to further mature and strengthen your security program efforts. What is more, our CSMA allows your company to meet and exceed industry compliance standards by aligning your security program with the best practices proposed in our assessment.

We conduct individual walkthroughs with key stakeholders in your organization from executive to operational level. At the same time, we analyze the organizational effectiveness and maturity of internal governance, policies, and procedures and suggest operational best practices for each control area. Our CSMA can be tailored to align with several different recognized cybersecurity control sets, and frameworks based on your organization’s goals, industry, and maturity level. The CSMA combines compliance with various industry requirements, as well as the following frameworks and control sets:

Frameworks:

• NIST Cybersecurity Framework (NIST CSF) 
• ISO/IEC 27001:2013 (ISO 27001)

Security control objectives and sets: 

• NIST Special Publication 800-171 (NIST 800-171) 
• ISO/IEC 27002:2013 (ISO 27002)
• CIS-18: CIS Critical Security Controls (CIS Controls)

Each of these control frameworks and sets are coordinated and designed to provide a structure with which the effectiveness and maturity of a security program can be measured – for today’s as well as for future requirements.

Our CSMA provides insights to understand your current governance, processes, and vulnerabilities, identify and prioritize areas of remediation, and demonstrate corporate and operational compliance. Our CSMA turns information risk into business advantage. It will help you to support and achieve business objectives, manage risk, build trust, and measure performance by outlining the cyber capabilities that require the focus of the board. Our CSMA supports you in translating these capabilities into an operational, business-enabling function and brings among others the following benefits: 

The results of our CSMA help you compare your company’s cyber security maturity with your risk appetite and with peers of your industry over selected criteria. The results of the maturity assessment can be displayed in a spider web to demonstrate your biggest potential improvement areas. In the example below, the company has a high exposure to third party cloud providers, hence the recommended future state has assessed high. There is neither a dedicated third risk management team in place conducting standardized risk assessments (initial and ongoing), nor are third party providers categorized to adapt the security assessment and requirements based on the individual risk scores.

Today’s digitally connected business world increases the risk of cyber-attacks, which can lead to severe financial, legal and reputational damage for your company. Therefore, it is essential to take a deeper look at your cyber security strategy. 

Our holistic approach to cybersecurity provides your company with an overview of your cyber security’s strengths and weaknesses and compares them to relevant peers within the industry. It helps you shape your cyber security strategy and program to your industry, your risk profile and appetite and the continuously changing environment.

If you require any further information, feel free to get in touch.

Balmer, D. / Müllerschön, D. / Magagna, D.