Transforming cybersecurity into a business enabler

April 21, 2023

Category: Cybersecurity

By HEXOCENE CYBERSECURITY TRANSFORMATION

Our transformation work starts with one principle: that cybersecurity is responsible for enabling an organisation to innovate and deliver value in a secure and responsible manner.

When achieved, a client's board feels more optimistic about business success, and sleeps well despite the growing number and sophistication of cyber threats. Unfortunately for many businesses, this is beyond reach while they maintain a maturity model for their cybersecurity strategy.

Welcoming the end of the maturity model

For decades, the ‘maturity model’ has ruled cybersecurity. This approach essentially uses a checklist of capabilities or processes that must be built and used in order to achieve higher levels of 'maturity'. The theory is that the more capabilities and processes you build, the better protected you are. However, the maturity model requires the use of a single academic model for all organisations. The reality is that no model can work for every organisational scenario. In order to be applicable across all organisations, it has to make extensive compromises. And the resulting limitations undermine the objective of enabling secure and responsible innovation:

  1. The maturity model applies itself evenly to the whole business, regardless of whether some areas are more critical than others.
  2. This leads to underinvestment in areas of concern, and overinvestment in areas of low risk.
  3. The IT department responds by trying to make the controls that apply to every part of the business also suitable for the highest risks to the most critical areas.
  4. This leads it to create layer upon layer of process for the whole organisation.
  5. The IT team grows larger than necessary to meet the process needs, but still becomes bogged down in requests.
  6. The maturity model's flaws create a damaging culture within IT departments. They begin to see their role as being the enforcement of process, and their ultimate goal as being the organisation's conformity to cybersecurity, instead of enabling business delivery. This hampers innovation, and creates friction between departments and key stakeholders.

The risk-based approach - a light at the end of the tunnel

At Hexocene, we have developed a data-led, risk-based approach to cybersecurity with the following benefits:

  • Quantitative analysis gives the client an evidence-based understanding of what is important and needs most protection
  • Protective resource is focused on those business-critical assets and processes, making the business more resilient
  • Less critical assets and processes are given only the protection they require
  • Enablement resource is then dedicated to the value-adding parts of the business. This builds supportive partnerships between cybersecurity and the business that speed innovation and delivery programmes where most beneficial
  • Overall cybersecurity costs are lower than under the maturity model, despite the business being better protected overall

Our approach ensures clients have a cybersecurity programme that effectively protects their business, giving them a good night's sleep. It also enables our clients to innovate responsibly but at speed, bringing them a sense of optimism and energy.
