DeepSec 2022 Talk: Cyber Maturity Doesn’t Just Happen. True Tales Of A Cyber Maturity Concept – Uğur Can Atasoy
Having a proper(!) security posture is more challenging than ever. Implementing the bare necessities for usability and security is scalable (literally), but the reality is always full of surprises. Dozens of assets, services, tools, requirements, workforce, risks and threats. How to keep the balance between usability, security and reputation while being honest with yourself?
Many enterprises suffer from “keywords” and “trends” and have to pretend to be “proactive” by implementing the “latest” trends and approaches instead of solving the problems on “bits” that need “change”.
When you look at enterprise-level security incidents, you can quickly notice that they have the latest tools, technologies and services, implemented the “Zero Trust Security” model, achieved base standards and compliance requirements, and hired the experts. Literally, they are prepared for almost all possible risks and threats, but they had a security incident, and the effect is usually more significant than the acceptable risk.
There is no silver bullet for security architecture design and management. Also, it is hard and takes time to create better cyber maturity and cyber readiness/resilience. But there is a simple way that leads to achieving those: self-assessment!
In this talk, I will discuss, with real-life stories, how enterprises operating in critical sectors fail to go beyond the “manageable cyber maturity level”. With this presentation, I want to raise awareness of proper cyber maturity implementation and self-assessment requirements. My presentation will cover three different incidents and two real-life example cases.
We asked Uğur Can Atasoy a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- The Cyber Maturity concept is more than a standard assessment process like audit, compliance and certification renewal. It is a live and continuous self-assessment ability that requires “change”. Maturity programmes are meant for the instrumentation of the whole cyber domain of an organisation.
- Various academic and technical frameworks, models, certification programs and services focus on the Cyber Maturity concept. However, it is not standardised well yet. Therefore, most enterprises and SMEs struggle to choose a suitable method of implementing the concept.
- The rate of the availability of known and basic security weaknesses shows that all types of businesses struggle to take effective actions on the “bits that need change”. Existing literature and recent incidents prove that some basic attacks can still be successful. Most of these attacks are easy to implement, should be detected with basic security measures, and are expected to be known by technical and non-technical users.
- Cyber Maturity programmes should be appropriately tailored for the target organisation and implemented with management and technical skillset. Successful programme implementation should be like a comprehensive medical assessment; each detail must be handled specifically.
- Cyber Maturity is a hybrid concept. Creating/choosing, tailoring and implementing the most suitable programme requires the collective work of the management and technical teams.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I came up with the idea while creating and implementing cyber maturity programme assessments for companies. The field experience with multiple clients in multiple domains showed me a lot. I also noticed uncertainty and a lack of proper implementation of this concept while doing academic research. Therefore, I wanted to raise awareness of appropriate cyber maturity design and implementation and self-assessment requirements.
Why do you think this is an important topic?
The Cyber Maturity concept is the instrumentation of the whole cyber domain. No matter what kind of achievements, implementations and preparedness are done, if the design, implementations, and operations are not synchronised well enough, unwanted results are inevitable.
Is there something you want everybody to know – some good advice for our readers maybe?
The cyber maturity concept is not practised well enough yet. The concept needs to be identified, practicalised, implemented and accepted in the same way as the standard information security standards, services and requirements (regulations, certifications, and operational services like penetration testing and security monitoring).
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
The number of “Cyber Maturity Assessment” services and tools that help measure and implement the current cyber security posture will increase. Also, the importance of the ability to do a “self-assessment” will be more impactful and a must-to-have skill.
There are existing courses, certifications and regulations covering common best practices from the Cyber Maturity concept. I expect to see more standardised approaches (e.g. ISO 27001) and certification programs (e.g. US DOD’s CMMC) in the near future.
Uğur Can Atasoy works as a content engineer at TryHackMe. His work and interests are focused mainly on blue and purple teaming. He believes in hybrid approaches and works to produce outcomes from synthesising the technical field and academia. Before that, he worked as a security specialist and trainer in the higher education, media and defence industries. He provided consultancy services to many businesses in multiple domains, mainly in penetration testing, threat hunting, threat intelligence, technical training, vulnerability assessment and cyber maturity assessment.