PREVENTION
well to achieve cybersecurity resilience, and this complexity can overwhelm executives and misguide their focus (see Figure 1).

The first place they look for solutions is usually technology. Large companies use dozens of products and services to meet their needs, and they invest in policies and standards to ensure that their defenses remain proactive and up to date. The greater challenge comes in ensuring constancy so that policies and standards are applied appropriately across complex global organizations. Even applying simple security patches can take large organizations months or even years to achieve, leaving systems vulnerable in the interim. Some large breaches in recent years were because of failures to update web servers against known vulnerabilities.

Technology is only one arrow in the quiver. Because so many cyberattacks start by exploiting vulnerabilities in employee behavior, education is also critically important. Fewer than half the companies we surveyed provide regular staff training on cybersecurity, and, far more surprising, only 55% provide adequate training for their cybersecurity professionals.

Investing in great technology is helpful, but it isn’t enough.

“Companies can still leave themselves vulnerable through a wide range of missteps, such as failing to focus their investments on their most important assets or not supporting their people and partners with good training

Third-party risk represents another common vulnerability, but fewer than half of companies regularly assess the security posture of their suppliers and partners.

Most companies invest in audits to give leaders a sense of the state of their cybersecurity, but audits can also focus on superficial issues and lead to a false sense of security once the identified vulnerabilities are addressed piece by piece. Audits should help verify program delivery and outcomes; they should not serve as the primary input for defining programs or cybersecurity strategy.

Finally, executives struggle to understand how much they should spend on cybersecurity. Reliable industry benchmarks are difficult to find, so a lot of cybersecurity teams try to align their spending with peers based on available information. Most companies just roll their budgets over or add annual increases, but few take a zero-based approach to their cybersecurity spending based on the actual threat environment.

Building mature capabilities

While all of these aspects of cybersecurity need to be addressed, none will build strong resiliency
Fig. 2: To build up their cyber resilience, companies need to develop capabilities in 20 key areas

Cybersecurity capability maturity

Governance
• Strategic management
• Stakeholder management
• Risk management
• Strategic initiatives support
• Incident recovery
• Warranties and insurance

Processes
• Policy definition and compliance, including regulatory
• Tech standards and compliance
• Procedural definition and compliance
• Vulnerability management
• Third-party risk management

Organization
• Leadership and organizational structure
• Roles, responsibilities, decision rights
• Skills and sourcing
• Agile and DevOps development

Technology
• Leading products and services
• Configuration management
• Rules and controls
• Workflow automation
• Security solution coverage
Note: Bain’s cybersecurity maturity framework incorporates elements from the National Institute of Standards and Technology cybersecurity framework, Sherwood Applied Business Security Architecture, and ISO 27001
Source: Bain analysis
Impiantistica Italiana - March-April 2020