Cybersecurity Maturity Comparison Between U.S. and EU
July 27th, 2017
Ed Snodgrass, CISO
The last few months have been busy at our firm, Secure Digital Solutions. The exposure to, and interest in, our TrustMAPP platform is increasing rapidly. Interestingly enough, much of this interest is coming from across the proverbial pond so we began to look at cybersecurity maturity comparison between the U.S and EU. European organizations are looking to leverage the power of cybersecurity maturity as a primary method to measure and manage the performance of cybersecurity programs. Working closely with both US and EU companies has given us a great vantage point from which to see the similarities and differences between cybersecurity philosophies and practices – specifically around the value of cybersecurity maturity as a strategic performance metric. As a result, I decided to take a step back, look into how our industry and view the comparison between the two regions and overlay some of our direct observations.
There’s a plethora of research, analysis and observation out there and a few pieces stood out to me, but for the most part, there doesn’t seem to be a general consensus on which region demonstrates a higher level of cybersecurity maturity. There does, however, appear to be a consensus on the differences in cybersecurity philosophy upon which cybersecurity programs are built. In a nutshell, the accepted view appears to be that the US is more proficient at security operations while the EU places more focus on frameworks, standardization and processes. In addition, the EU is typically governed by more stringent reporting requirements. While we have observed similar trends in this regard between companies in the two respective regions, we’ve also observed a clear distinction between the two regarding the value and use of cybersecurity maturity. The EU clearly places a higher emphasis on this KPI.
Frameworks such as NIST, ISO and the EU Privacy Regulations form the strategic basis by which security functions and processes are built. Resources and technology are implemented to support and enhance strategic risk mitigation objectives. Conversely, US companies focus on security operations – most notably – incident response and detection, and address the threat landscape in a progressive, layered approach. EU organizations implement additional security based on increased risk. US companies implement additional security based on increased threat.
The result is that both approaches have strengths and weaknesses. Neither is all-encompassing. The optimum state of the security program would clearly be a quantified hybrid of the two methodologies, and working with organizations on both sides of the pond is giving us the insight and practical experience necessary to help our clients build world-class security programs. In addition, the ability to share practices between security teams in the US and EU is proving invaluable. It strengthens the industry, making all more resilient to cyber threat.
At the end of the day, who demonstrates a higher level of cyber maturity? It’s yet unclear. What is clear is that operational countermeasures must be aligned with, and support, strategic objectives. Conversely, strategic objectives must map to people, process and technology that’s actionable. Both must have KPIs that reflect the true state of the security program and are palatable to the board of directors.
TrustMAPP is providing security leaders with the KPI’s to be successful in adition aleviating any questions around budget and resource requests.