Cybersecurity: Maturity, Resilience, Standards and Self Assessments within Government and Public Contexts
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
Elements of cybersecurity benchmarking offer businesses, boards and government entities artificial assurance and confidence by means of simplistic scales of measurement for risk, resilience, protection and the current efficacy of what could be categorised as security management.
This benchmarking and reporting fallacy is most concerning in environments, contexts and government networks where even the most basic cybersecurity or cyber resilience tactics and strategies are not universally applied, or remain at varying, disparate levels of completeness and consistency. The result is an entire network exposed to elevated risk that is neither declared nor captured in maturity, resilience or self-assessment declarations.
Government Cybersecurity Maturity Models
For analysis and comparison, let's unpack the Essential Eight Maturity Model sponsored and developed by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC).
First of all, it is important to note that after a few years of reporting, attestations and self-authored declarations by a suite of Federal Government agencies, the model had to be revised to reintroduce "Maturity Level Zero". It was known both publicly and privately that far too many organisations (read: government agencies and public servants) were falsely rating their current level of cybersecurity, whether knowingly, deliberately or inadvertently, when in reality it was sitting at zero.
What does Maturity Level Zero Mean?
Maturity Level Zero
This maturity level signifies that there are weaknesses in an organisation’s overall cyber security posture. When exploited, these weaknesses could facilitate the compromise of the confidentiality of their data, or the integrity or availability of their systems and data, as described by the tradecraft and targeting in Maturity Level One below.
In other words, it is a polite way of saying you don't even make it onto the artificial scale we made up to chart organisations and risks.
But the rating is still self-authored, meaning you can manipulate or interpret the wording to suit your own definition and steer away from openly admitting that you sit at a concerning zero, the lowest rung of an ordinal scale with only four levels.
Nudge it up a little to Level One and you are merely in the lower half of the scale, which may be far more palatable for the Minister, public servant or executive curating the reporting scales and declarations.
As with all systems, humans 'game the results' by modifying what they want to be seen as or what collectors 'prefer' to see in results and reporting.
Fully, Partially and Mostly - Arbitrary Units of Measure
For a perfect example of vague measurements, weasel words and areas for manipulation and exploitation, look no further than the scale of measurement comprised of "fully, partially and mostly".
Ask 10 people and you will get 10 different results, especially when networks, value, assets, complexity, threats and vulnerabilities vary greatly within a cohort.
Eight simple tasks, done well, often and with adequate resourcing will likely result in a well protected and resilient organisation, network and infrastructure.
However, the world isn't as simple as that.
Complex open source code and configurations, third party suppliers, distributed networks, cloud computing, and undisclosed breaches, vulnerabilities and weaknesses, coupled with a lack of investment, resourcing and specific expertise in cyber security and resilience, make any and all cybersecurity ratings provisional and transient. A rating can change at a moment's notice when a smart, adaptive and persistent threat (human, AI, bots, etc.) finds and exploits even the smallest or seemingly benign vulnerability within a system, or within a system supporting a network of clients, customers, users or data estates.
In sum, simple standards, benchmarking and self-assessed levels of cybersecurity, cyber resilience and risk seek to achieve an accurate view of the overall network and individual vulnerabilities so as to prioritise efforts and investments into the area/s of greatest need and likelihood of exploitation.
Paradoxically, what they tend to produce is false, misleading and gamed reporting by qualified and unqualified actors alike, who wish not to embarrass their organisation, boss or department. This further conceals vulnerabilities and weaknesses at scale.
This false sense of security and assurance results in greater weakness and decay, along with over confidence in current resourcing, people and degrees of 'protection', which all fall away once a bad actor or adversary gains access and runs amok within the system.
However, unlike the dramatic Hollywood movies and news headlines, some actors go undetected, hiding and navigating around systems for considerable periods of time before they are detected, if they are ever detected at all.
This latter cohort and behaviour remains the stuff of nightmares for governments, corporates and security professionals.
If you want to understand and measure your level of security, protection and resilience, don't look to collective 'maturity models', industry benchmarking or group feel-good ratings.
Get professionals to evaluate you and your organisation.
Only then will you know, and even then it is never 100% absolutely accurate because we can't always be in the heads and minds of the bad actors, which makes us all vulnerable online and when connected.
As a final note, individuals, organisations, departments and government agencies should apply greater rigour in evaluating the individuals who create and submit these reports and attestations.
Shockingly, very few are actual cybersecurity professionals. Management consultants, generalists, engineers, lay people and short-course hopefuls make up the vast majority of self-authored assessments, making a further mockery of the results, the scales and the sense of protection expressed as 'maturity', if there were ever such a thing.
Tony Ridley, MSc CSyP MSyI M.ISRM
Security, Risk & Management Sciences