Quick & Snappy! … Lite Cyber Maturity Assessments

A lite cyber maturity assessment is similar to a full cyber maturity assessment, but with a reduced scope, for the sake of either speed or a smaller budget. Performing such a short assessment without compromising on quality is typically achieved either by reducing the depth of assessment (e.g. we will interview stakeholders and review documentation, but not perform any sampling to assure that what we have been told by stakeholders reflects real life) or by covering a reduced number of security domains.

These kinds of Lite cyber maturity assessments are a fantastic methodology in a number of circumstances. For example, smaller organisations that don’t have the annual security/audit budget for a £30-60,000 full-blown cyber maturity assessment can use a slimmed-down version (circa £20-30k) to get the view on cyber maturity they need without breaking the bank. Additionally, for organisations that for whatever reason need to act fast (e.g. to report to a quarterly board meeting in only a few weeks’ time), these types of assessments can be performed over 1-3 weeks and a view of cyber maturity provided as a result.

Whilst useful, there are a number of pitfalls organisations should be careful to avoid. Due to the significantly reduced timescales, almost all of these result in a catastrophic reduction in assessment quality and a complete loss of confidence in all of the assessment results. The main pitfalls are:

  1. Trying to do a full maturity assessment, just quicker – if scope is not reduced in any form, the assessment is just conducted in a rushed manner, resulting in possibly not meeting enough stakeholders, not meeting the right stakeholders, or quite simply collecting poor information from the stakeholders, which will ultimately undermine the assessment results.
  2. Having the right people – performing lite maturity assessments requires a higher calibre of security professional. Not only do you have to cover the ground faster, but you have to do so in a manner that maximises the time you spend with stakeholders. By its very nature, a Lite assessment is fast and over quite quickly. You do not have the usual luxuries of a standard assessment, where if you’ve forgotten to ask the CISO or CTO an important question or set of questions, you can organise another session with them or send them an email. This may take another 2-3 days, which you don’t have. As such, the security professional leading the assessment needs to be able to get to the answers they need quickly in each stakeholder interview/workshop and maximise their time with each and every one involved. That means asking the right questions, being able to drill down into the detail where it is required, and knowing when it is not required and moving on.
  3. Trying to get the same level of assurance – do not think that you can get the same level of assurance from a Lite Maturity assessment as you can from a full assessment; you cannot. This is not to say that it is not valuable – just ensure that the foundational reasons why you are performing a lite maturity assessment align to the specific outputs that will be delivered. For example, if you do not need to test the operational effectiveness of your security controls but just need a high-level view of security following a small breach or in the lead-up to an annual board meeting, then yes, a Lite assessment will deliver what you need. However, if you’re looking to use the output of the assessment to structure and drive out your entire security strategy and roadmap for the next 3-5 years, then it’s probably worthwhile investing the extra £30-40k in a full cyber maturity assessment.
  4. Accepting a report that is not detailed at all – if you have hired in external consultants to perform a Lite assessment and, come reporting time, you read the report and think it is so high level that it is not valuable, challenge them on the level of detail they are providing. Just because you are performing a Lite assessment, it does not mean the report is also Lite. It should be and can still be very insightful, but it is likely that they have fallen foul of one of the above pitfalls prior to reaching the reporting stage of the engagement. Always ask to see an example of the end report so you can familiarise yourself with the level of detail that’ll be provided, but also use it as a tool to keep the consultants true to their word.

By avoiding some of these fundamental pitfalls of Lite cyber maturity assessments you can successfully apply this useful assessment type, saving you both time and money in the process.