A survey of nearly 100 companies found that most had nascent or developing cyber risk management capabilities: 45% scored at the nascent level and 34% at the developing level. A robust level of maturity requires both qualitative and quantitative risk evaluation and a defined security governance model with clear accountability for each asset. Most technology executives say that cyber threats are growing faster than their ability to defend against them, and they struggle to manage their security capabilities holistically. As cyber security becomes embedded in business functions rather than bolted on as a control function, controls can be tightened with less friction while the highest-value assets are protected.
Exhibit 1. A large majority of surveyed companies had nascent or developing cyber risk management capabilities.

Percentage of companies at each maturity level of overall cyber risk management, scored on a scale of 1 to 4, where 4 is the strongest:
• Nascent (score <2.00): 45%
• Developing (2.00–2.50): 34%
• Mature (2.50–3.00): 16%
• Robust (3.00–3.95): 5%
• Above 3.95: 0% (this bucket carries no label in the chart)

At minimum, a robust level of maturity includes:
• Qualitative and quantitative approaches to evaluating and mitigating cyber risks
• A defined cyber security governance model with clearly identified individuals accountable for each asset
windstreambusiness.com
7 BEST PRACTICES: INTEGRATING CYBER SECURITY FOR INCREASED EFFECTIVENESS.
If the scope and nature of emerging cyber threats are prompting your enterprise to reach out for specialized assistance, you're not alone. Eighty percent of technology executives interviewed recently by McKinsey & Company and the World Economic Forum admit that the sophistication and pace of attacks will increase somewhat more quickly than their institutions' ability to defend against them. Moreover, these executives are struggling to manage their cyber security capabilities.[1]
The management challenges are as diverse as the companies themselves. But the core issue is the lack of a holistic network security plan that accomplishes two overarching goals:
1. Integrate into every business function where value is at stake; and
2. Scale to meet new types of threats.
SOURCE: 2013 McKinsey Global Survey on cyber risk-management maturity, including nearly 100 institutions across Africa, the Americas, Europe, and the Middle East
[1] Risk and responsibility in a hyperconnected world: implications for enterprises, McKinsey & Company, January 2014.
Exhibit 2. Network security moves from control function to embedded function.

The chart plots three stages against two axes: the degree of integration with broader IT and business functions (low to high) and the extent of controls (low to high). Each successive stage sits higher on both axes.

Pre-2007: Cyber security not a priority
• Cyber security under-funded
• Little insight into business risks or technology vulnerabilities
• Protections focused on the perimeter
• Few consequences for violating policies
• Insecure application code and infrastructure configurations common

2007–2013: Cyber security as a control function (most institutions are operating in this model)
• Increased governance authority for the cyber security team
• End user environment "locked down," but users frustrated with reduced flexibility
• Architectural reviews reduce risks, but slow the introduction of new capabilities
• Places the responsibility for security mostly on the security team
• Backward looking: puts protections in place against yesterday's attacks
• Dependent on manual interventions, so not scalable
• Dependent on checks and double checks
• Increasing tension between security and innovation and flexibility

2014–2020: Embedded cyber security function
• Clear alignment with the business on what to protect and how
• Cyber security risk implications integrated into business decision-making
• "Security inside" for most elements of the IT environment
• Increased business integration enables tighter controls, with less friction
Transform security from a control function to an embedded function that integrates into the very fabric of your operations and adapts to new threats. A trusted advisor can guide your organization as it moves from an internal capability toward a more robust proficiency, the hallmark of a truly cyber-resilient enterprise. The right partner is prepared to protect your high-value assets against even the most sophisticated cyber threats.

These 7 best practices will get you where you need to be.
1. Engage Leaders Enterprise-Wide

Involving senior leaders throughout your enterprise is a prerequisite to establishing a holistic security plan. Without their active engagement, cyber security cannot be integrated into business decision-making. Engaging a third-party security provider can be the catalyst for initiating this type of enterprise-wide conversation.
SOURCE (Exhibit 2): Perspectives on Enterprise Cyber Security and Cloud Infrastructure, McKinsey & Company, February 2015.
2. Rank Assets Based on Risk

Prioritizing information assets based on risk is an activity that clarifies your enterprise's assessment of which information assets you are willing to protect and to what extent. Collaborating with senior leaders helps clarify the financial ramifications if proprietary data is lost or a new initiative is delayed. A trusted security partner can help facilitate this ongoing coordination and bolster overall security.

3. Protect Business Value Accordingly

Once you've determined which information assets are most valuable to your long-term interests, it is time to assign differentiated security controls (encryption standards, robust passwords) that become more rigorous as the value of the asset increases. With the assistance of a knowledgeable security partner, your enterprise can use this protection-prioritization exercise to improve your productivity, focus your efforts and protect the assets you value most.

4. Integrate Security to Enhance Scalability

Current enterprise security models suffer from a perimeter-based defense concept that depends on the limited functionality of "bolted-on" security applications and manual tasking. By deeply integrating security into your enterprise's total technology environment, from application development to hardware upgrades, an experienced security provider can give you a flexible, scalable capability that quickly adapts to unexpected threat levels.
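The ranking and differentiated-control practices above describe an outcome but not a method. The following is an added example, not code from Windstream or McKinsey, of how a security team might implement them: each asset gets a quantitative score (annualized loss expectancy, ALE = single loss expectancy × annualized rate of occurrence) and a qualitative score (a 5×5 likelihood × impact matrix), assets are ranked on both, and each is mapped to a control tier that tightens as the value at stake rises. The asset inventory, dollar thresholds and tier contents are illustrative assumptions, and the cost-benefit check at the end shows how the same numbers justify (or reject) spending on a control.

```python
# Added example: quantitative (ALE) and qualitative (likelihood x impact) asset
# risk ranking with value-dependent control tiers. Not part of the original page;
# all asset figures, thresholds and tier contents are illustrative assumptions.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    value_usd: float           # business value at stake if the asset is fully lost
    exposure_factor: float     # fraction of that value lost in one incident, 0.0..1.0
    incidents_per_year: float  # annualized rate of occurrence (ARO) of such an incident
    likelihood: int            # qualitative rating, 1 (rare) .. 5 (almost certain)
    impact: int                # qualitative rating, 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        # Reject out-of-range inputs early; a bad rating silently distorts the ranking.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure_factor must be within 0..1")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: qualitative ratings must be 1..5")
        if self.value_usd < 0 or self.incidents_per_year < 0:
            raise ValueError(f"{self.name}: value and incident rate must be non-negative")


def single_loss_expectancy(asset: Asset) -> float:
    """SLE: expected loss from a single incident."""
    return asset.value_usd * asset.exposure_factor


def annualized_loss_expectancy(asset: Asset) -> float:
    """ALE = SLE x ARO: the quantitative risk score, in dollars per year."""
    return single_loss_expectancy(asset) * asset.incidents_per_year


def qualitative_score(asset: Asset) -> int:
    """Classic 5x5 likelihood x impact matrix, giving a score from 1 to 25."""
    return asset.likelihood * asset.impact


# Assumed control tiers. The page names encryption standards and password strength
# as controls that tighten with asset value; the specific settings are ours.
CONTROL_TIERS: Dict[int, Dict[str, object]] = {
    1: {"encryption_at_rest": False, "mfa": False, "min_password_len": 12, "access_review": "annual"},
    2: {"encryption_at_rest": True, "mfa": True, "min_password_len": 14, "access_review": "quarterly"},
    3: {"encryption_at_rest": True, "mfa": True, "min_password_len": 16, "access_review": "monthly",
        "hsm_backed_keys": True},
}


def control_tier(asset: Asset, ale_tier2: float = 50_000.0, ale_tier3: float = 250_000.0) -> int:
    """Choose the tier from ALE, then let the qualitative rating raise (never lower) it,
    so an asset whose dollar exposure is under-estimated still gets strong controls.
    The thresholds are assumptions a real program would agree with finance and the board."""
    ale = annualized_loss_expectancy(asset)
    tier = 3 if ale >= ale_tier3 else 2 if ale >= ale_tier2 else 1
    qual = qualitative_score(asset)
    if qual >= 15:          # e.g. likelihood 3 x impact 5: severe and plausible
        tier = max(tier, 3)
    elif qual >= 10:
        tier = max(tier, 2)
    return tier


def rank_assets(assets: List[Asset]) -> List[Dict[str, object]]:
    """Highest ALE first; the qualitative score breaks ties between equal dollar exposures."""
    rows = []
    for a in assets:
        tier = control_tier(a)
        rows.append({
            "asset": a.name,
            "sle_usd": round(single_loss_expectancy(a), 2),
            "ale_usd": round(annualized_loss_expectancy(a), 2),
            "qualitative": qualitative_score(a),
            "tier": tier,
            "controls": CONTROL_TIERS[tier],
        })
    rows.sort(key=lambda r: (r["ale_usd"], r["qualitative"]), reverse=True)
    return rows


def control_pays_off(asset: Asset, annual_cost_usd: float, residual_incident_fraction: float) -> bool:
    """A control is justified when the ALE it removes is at least its annual cost.
    residual_incident_fraction is the share of incidents that still get through after the control."""
    before = annualized_loss_expectancy(asset)
    after = before * residual_incident_fraction
    return (before - after) >= annual_cost_usd


# Constructed sample inventory (illustrative numbers, not real data).
SAMPLE_ASSETS: List[Asset] = [
    Asset("customer_pii_db", 2_000_000, 0.40, 0.5, 3, 5),
    Asset("marketing_site", 150_000, 0.20, 2.0, 4, 2),
    Asset("payment_gateway", 5_000_000, 0.10, 0.2, 2, 5),
    Asset("internal_wiki", 50_000, 0.50, 1.0, 3, 1),
    Asset("hr_records", 300_000, 0.30, 0.1, 3, 5),  # low ALE, but qualitative rating forces tier 3
]

if __name__ == "__main__":
    for row in rank_assets(SAMPLE_ASSETS):
        print(f"{row['asset']:<18} ALE ${row['ale_usd']:>12,.2f}  qual {row['qualitative']:>2}  tier {row['tier']}")
    print("encrypt customer_pii_db at $120k/yr:", control_pays_off(SAMPLE_ASSETS[0], 120_000, 0.5))
    print("harden internal_wiki at $30k/yr:", control_pays_off(SAMPLE_ASSETS[3], 30_000, 0.2))
```

The point of keeping both scores is visible in the sample run: hr_records has the lowest ALE in the inventory, so a purely quantitative ranking would leave it in the cheapest tier, while the likelihood × impact rating pushes it to tier 3. The cost-benefit check is the same ALE arithmetic turned around, which is what lets a security team present a control request to a board in the financial terms the practice calls for.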
5. Develop and Deploy an Active Defense

The massive amount of intelligence available about emerging cyber threats, attack vectors and successful techniques can be daunting for even the most proactive enterprise. Making use of specialized resources to establish an active defense strategy can mean the difference between adjusting your defensive posture in time and being caught entirely off guard.

6. Educate Employees on Data Value

Frontline personnel who routinely work with multiple information assets may not always be aware of the assets' true value to your enterprise. Moreover, these users unknowingly represent your enterprise's most significant security vulnerability, because they can casually click on links they shouldn't or choose insecure passwords. Educating these individuals on the value of the data they touch is imperative.

7. Embed Cyber-resistance Into Processes

Manage cyber security like any other enterprise-level risk. Embed assessments of possible cyber attacks into your risk management and governance processes alongside other risk analyses, and present them in management and board forums for evaluation and discussion. Work with a seasoned network security provider to embed cyber security implications into the relevant enterprise and administrative functions, such as HR, vendor management and regulatory compliance.
Our skilled engineers can provide the information needed by customers requiring compliance and certification, including:
• HIPAA/HITECH: Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act
• SOX: Sarbanes-Oxley Act
• GLBA: Gramm-Leach-Bliley Act
• PCI DSS: Payment Card Industry Data Security Standard
• SSAE 16/ISAE 3402: Statement on Standards for Attestation Engagements No. 16 / International Standard on Assurance Engagements No. 3402
• Safe Harbor: the US-EU framework under the European Commission's Directive on Data Protection
• ISO 27001: International Organization for Standardization information security management standard
• ITAR: International Traffic in Arms Regulations
• FedRAMP: Federal Risk and Authorization Management Program
• FISMA: Federal Information Security Management Act of 2002
• NIST SP 800-53: National Institute of Standards and Technology Special Publication 800-53, security and privacy controls
Make Windstream Your Trusted Network Security Provider
Windstream can make your network less vulnerable to network security threats.
To learn how, visit windstreambusiness.com.