Cybersecurity is a technical topic. If technology is not your primary area of expertise, it can be difficult to assess how your firm’s current security measures stack up.
My Tri-State Assessment Matrix can help.
The assessment matrix avoids the techie bits and focuses on what you see on a day-to-day basis in your role. This should be enough for you to form an initial opinion on whether your IT cybersecurity defences could be described as:
- Comfortable, or
The Tri-State Assessment Matrix
[Click the image to view as a PDF]
How to Use the Assessment Matrix
- I assume you are accountable for IT in your firm, but IT is not your primary area of expertise. This is why the initial questions stay away from the in-depth techie stuff. If we were doing this assessment together (something we would do as part of the FREEin45 workshop), I would dig a little deeper with you and get into the nuances of your answers. But the high level presented here should still be useful to you.
- The language used in the assessment matrix assumes IT is outsourced to an external IT Managed Service Provider (MSP). If IT is provided in-house, or through another firm in your group, the questions still apply but may need to be phrased differently.
- This is a continuum – Most firms do not fit neatly into one state. However, a firm is seldom hopeful in some scenarios and provable in others.
Answer Three Questions
The assessment asks for your gut feeling on three areas:
- Technical defences: How do you feel about the strength of your technical security, and the quality of your IT provider’s security skills?
- Human defences: How do you feel about the awareness of your staff, given the role they play in the majority of cybersecurity incidents?
- Regulatory alignment: How do you feel about the Central Bank calling tomorrow to ask about your cybersecurity measures? Do you know what their guidance states? Can you prove how you are aligned to this guidance?
How to Assess Your State
If you compare your answers to the examples shown in the matrix, you should get a sense of where your firm stands in the continuum between Hopeful, Comfortable and Provable.
Guilty unless you can prove innocence.
Non-compliant unless you can prove compliance.
Ideally, you should strive to be in a provable state. You need to comfortable that your security measures are appropriate, but you also need to be able to prove that this is the case.
Cybersecurity is not a once-off activity – It requires ongoing monitoring and continuous improvement, and evidence of these ongoing activities should be available.
Unless you have evidence, you should assume there are significant gaps.
At a minimum, you need to be comfortable that security measures are in place and they are being managed by someone who knows what they are doing.
When I work with firms that believe they are in a comfortable state, I usually find blind spots and areas for improvement. But at least we are starting from a baseline that can be improved upon.
Hope is not a strategy
You are in a hopeful state if you assume but do not verify.
It is a fatal error to assume that your IT provider is also managing your cybersecurity or to assume that your staff couldn’t be fooled by a malicious email.
You do not want to be in this state. You’re an easy target.
It’s Deeply Flawed
Many cybersecurity experts have told me how flawed the Tri-State Assessment Matrix is – and I completely agree with them:
- It fails to get into the detail, and it’s the detail that will come back to bite you.
- It is not a scientific methodology as it is only based on your gut feeling.
- Cybersecurity involves technology. It can’t be assessed without talking about technology.
And Yet Really Useful
These shortcomings must be addressed during a more in-depth assessment of security measures – Something I recommend as Step 1 in my roadmap.
However, before any in-depth assessment, a reasonable assessment can still be made by considering a small number of plain English questions.
How you do anything is how you do everything
The Tri-State Assessment Matrix is deeply flawed and yet really useful.
By asking for your gut feeling about a few security measures, it may give a strong indication of how all the IT security measures probably look within your firm.
The next question: What are you going to do about it?
About the Author
Sam works with the CFOs and COOs of regulated firms who are responsible for IT, even though IT is not their primary area of expertise.
They are frequently under pressure to deliver capable, secure and compliant IT solutions that align to the risk appetite of the firm’s internal stakeholders and to the expectations of regulators.
It’s not about technology. It’s about business outcomes.