Driving Cyber Maturity: Cybersecurity Program Management
Cybersecurity program management helps IT and security leaders evaluate and improve their organization’s security posture to achieve cyber maturity. How are leaders implementing cybersecurity program management and what impacts have they seen so far?
One-minute insights:
- Most surveyed leaders have already implemented cybersecurity program management
- Nearly all respondents report that cybersecurity program management has improved their security metrics
- Commonly reported challenges include a lack of available staff, skills gaps and risk management program deficiencies
- Third-party services for cybersecurity monitoring and management are widely used among surveyed leaders
- Most who have defined their program’s future state, or are working on doing so, say that there is cross-functional collaboration on this effort
The majority have implemented cybersecurity program management and agree that it helps their communication with leadership/the board
Nearly all (99%) of those who have implemented cybersecurity program management (n = 98) agree or strongly agree that it supports communication with leadership or the board as it helps them explain how business risk is impacted by program improvements and evolving threats.
Question: Do you have any final thoughts to share on cybersecurity program management?
This is for companies that have a high level of cybersecurity maturity. Like anything else, other areas within cybersecurity will be more important before you come to a point where you do [cybersecurity program management].
Industry-specific metrics and governance controls severely constrain maturity progress.
Threats are for real and much bigger than we initially thought. We can never be comfortable with what we have.
Cybersecurity program management improves security metrics but many face challenges with team availability and skills gaps
95% of surveyed leaders who have implemented cybersecurity program management (n = 98) say it had a positive impact on their security metrics, with about one-quarter (24%) reporting a significantly positive impact.
Among the same group (n = 98), the most commonly reported challenges faced in managing their cybersecurity program are a lack of available staff (46%) and skills gaps (45%).
About one-third are struggling with deficiencies in their risk management program (35%), inflexible governance processes (31%) and underutilized security tools or licenses (31%).
Question: Do you have any final thoughts to share on cybersecurity program management?
We have evaluated a few vendors, and we feel a solid cybersecurity program for email phishing is missing from the vendors we evaluated.
Quite complex to wrap security around the IT systems and implement governance.
Distributed visibility seems to be a major issue for us — delegating segmented access to groups/divisions. Reporting can do it, but isn’t interactive.
Many use third-party services for cybersecurity program management and over three-quarters conduct regular threat assessments
From the same group (n = 158), most respondents either currently conduct or plan to conduct threat assessments (80%) or risk evaluations (72%) on a regular basis, and over half cited regular reviews of policy (58%), incidents (56%) or controls (55%).
Just over one-third say they regularly conduct or plan to conduct assessments for applications (38%), training program validation (35%) or issue remediation (34%).
Question: Do you have any final thoughts to share on cybersecurity program management?
Although we have external companies who test our cybersecurity program, we intend to strengthen this as a form of training for our staff by doing more social engineering.
Cyber risk is a difficult area because the greater visibility we provide over vulnerabilities or gaps in our solutions, the more noise occurs. Unfortunately, executive teams have gotten into the habit of cyber risk as a zero-sum game, and unless you can show you have mitigated every risk, they will raise concerns. Trying to get executive teams to document their risk tolerance has proven unsuccessful.
Some have both a defined target state for their cybersecurity program and a roadmap to reach it; cross-functional collaboration in this area is common
73% of those with a defined future state for their program (n = 82) have already developed a roadmap to achieve it.
70% of surveyed leaders who have or are in the process of defining the future state of their cybersecurity program (n = 181) report that staff outside of IT/security also participate in this activity.
Question: Do you have any final thoughts to share on cybersecurity program management?
Maintaining end-user awareness/engagement continues to be a challenge even with awareness reminders/content, phishing campaigns and awareness training. So while most tools/platforms may help reduce the potential attack surface, having security-conscious employees is a continual goal to improve and educate.
There is a lot of work to still do, but we are making progress.
Our cybersecurity program management is a shared responsibility between IT (1st line of defense) and the business's internal risk management group (2nd line of defense).