Assuring Momentum
Assessing Maturity & Risk
“This will allow (the client) to better evaluate the effectiveness of the new controls and technologies they have introduced.”
Background
One of our clients is a leading UK insurance provider, offering a wide range of home and business insurance services.

They asked us to conduct a comprehensive cyber security health check, covering both risk and maturity, aligned with the NIST Cybersecurity Framework (CSF).

The driver for this was an expansion of the organisation's digital footprint, together with a potential move into new markets, both of which increase their exposure to cyber security threats.

To safeguard their sensitive financial and customer data, maintain their reputation, and comply with regulatory requirements, they wanted to review their current security position and compare it with the results of two previous reviews.
Objectives
1. Identify and assess cyber security risks that could impact the organisation's operations and customer data.
2. Evaluate the maturity of the organisation's cyber security practices in alignment with the NIST CSF.
3. Compare the results against previous assessments, presenting the information in a way that lets the organisation evaluate year-on-year performance.
4. Provide actionable recommendations to enhance the organisation's cyber security posture and resilience against cyber threats.
Approach
Pre-Assessment Planning
Scope Definition: This was a complex organisation in which responsibility for cyber controls was distributed across many teams. It was important to agree what was being assessed and what outcomes were required, and to ensure the scope aligned with the previous reviews so that results could be compared. To support this, we took time getting to know the business, the threats it faces, and the regulatory environment it operates in. We believe this is crucial to the success of any project of this kind.
Engagement: Organisations often struggle to identify the right people for us to engage with, so it is important to establish this at the start. We engaged key stakeholders from the organisation's IT, security, compliance, and business units.

It may also be necessary to work with third parties that operate controls on an organisation's behalf, such as managed service providers. The more notice they are given, the better the evidence they can provide and the better the result.
Assessing Maturity and Risk
We strive to deliver excellent value for our clients. When we review organisations we use our own set of controls, which has been comprehensively mapped to the NIST CSF, ISO 27001, the SANS/CIS Critical Security Controls, CCA, the ISF Standard of Good Practice (SoGP), and a number of regulatory guidelines. This allows us to add depth by including controls in the assessment that are not part of an organisation's existing framework.

In this instance, it also allowed us to fill gaps from previous reviews where controls had not been checked. This ensured that, for both maturity and risk, the organisation had a complete view.

We scored all the relevant controls against the four NIST CSF Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive), used here as a maturity scale, and compared the scores with the previous results. NIST itself notes that the Tiers are not strictly a maturity model, but using the same scale as the earlier reviews is what makes a like-for-like comparison possible. The client had already decided on their target tier, although we usually help organisations determine this. In addition, we provided an output view aligned to risk, so that the report's findings could be more easily conveyed to the board.
Reporting and Recommendations
On completion of the health check, we delivered the following documents:

Comprehensive Report: This outlined our findings, risk scores, maturity levels, and specific recommendations.

Executive Summary: Created for senior management, this highlighted critical risks and our view on strategic next steps.

We also detailed any organisational barriers to better security. Controls themselves are vital, but how well they are operated is also key. Broader company issues, such as the working culture, can inhibit control effectiveness. We always include this information in our reports.

Action Plan: While the client did not require this from us, we reviewed their own planned activities and highlighted where additional control improvements were needed.
Outcome
The client received a comprehensive view of their cyber security risks, and could see which of those risks were outside their risk appetite and required action.

In addition, they had a much better understanding of their security maturity. A number of areas had not been assessed in previous reviews; by addressing these gaps, they gained a more complete view of their controls.

The client could see where they had improved, regressed, or stayed the same over time, and a complete graphical view of this was provided.

We also took into account changes in their threat environment since the previous reviews. This will allow them to better evaluate the effectiveness of the new controls and technologies they have introduced.

Lastly, we provided them with activities they could undertake to enhance their security control position.
Conclusion
This engagement highlights the value of comprehensive cyber security health checks for financial services organisations. By using the NIST CSF and assessing both risk and maturity on a consistent scale over time, organisations like this one can better understand their cyber security landscape, prioritise critical risks, and implement effective strategies to protect their assets and maintain customer trust.