'The State of Enterprise Security Posture Report' paints a bleak picture. Here's how to increase your posture.

In a recent report by Balbix and Cyber Security Insiders, it was their finding that cybersecurity teams are struggling with a lack of visibility into threats, endpoint devices, access privileges, and other key security controls necessary for a robust cybersecurity posture.

Further, their key findings are:

• A 64% majority of organisations are lacking confidence in the state of their security posture. This is driven by inadequate visibility.

• 90% of organisations believe that phishing and ransomware are the top threats facing their organisation, but only half have sufficient visibility into these challenges.

• 60% of organisations are aware of fewer than 75% of the devices on their network. This lack of asset awareness makes it difficult to improve security posture.

• 80% of organisations provide more access privileges than are necessary for users to do their jobs; 17% even say most or all users have too many privileges.

• Cybersecurity leaders struggle to communicate their security posture to the board and senior management.

The stronger the organisation’s security posture, the lower the cyber risks. Understanding the organisation’s security requirements and prioritising areas of relevant risk is essential in building a robust security posture against cyberattacks.

So how do organisations increase their security posture? First they need to understand their as-is cyber security posture, or maturity. There are many online tools and methodologies that can be used to determine this level of maturity. Here's my first piece of advice; any cyber security professional worth his salt will be able to do this review themselves, but I caution against this. It can add it built in bias, and be seen as a one sided exercise. Get someone outside of the security department to do it, either an internal auditor or an external organisation. They need to create a quantifiable score.

Take the findings and create a prioritised grid. This will allow you to quickly visualise which items can be fixed quickly, which will need a defined project plan and how much they will cost. Therefor low cost / high priority items will have a significant (positive) impact and increase the posture quickly.

Create a target score that you would hope to achieve within a specified timeframe, usually 6 to 12 months. The target should be something that is achievable, but not impossible. You can work with your auditors on this.

Next write a detailed change statement for each item on your list, this will allow you to quickly move from the conceptual phase into an actionable change / project plan.

Lastly execute, then re-evaluate your Cyber Security Posture / Maturity 6 to 12 months later to see to what degree your posture has improved. 

In summary:

1. Determine your as-is cyber security posture / maturity. Done by external party. Have a quantifiable score.

2. Create a prioritised grid. 

3. Create a target score.

4. Create a detailed plan for each item.

5. Re-evaluate to see if you have achieved your target.