The 5 stages of cyber security maturity (according to KPMG and BT)

The 5 stages of cyber security maturity (according to KPMG and...You have probably heard of the five stages of grief. It’s a concept that’s regularly relied upon in TV and films to show the emotional rollercoaster that many people go through after suffering a tragedy.


The process has scientific roots; it is known as the Kubler-Ross model of grief and usually comprises denial, anger, bargaining, depression and acceptance.


Well, KPMG and BT recently borrowed the idea and have put together a report outlining their own five stages model of cyber security maturity.


Their framework doesn’t quite follow the traditional steps, but it could prove useful for businesses trying to assess where they stand in terms of cyber security preparedness.

Stage 1: Denial

No changes here. KPMG and BT’s first stage is no different to the Kubler-Ross model. The report claims that many organisations still don’t believe the hype when it comes to cyber threats.


Despite most research pointing to a rise in malicious attacks, many businesses – particularly smaller ones – have an ‘it will never happen to us’ mentality. However, 55 per cent of SMEs suffered an attack last year, while 50 per cent experienced a data breach, according to Ponemon Institute figures.


Organisations that are in the denial stage should start by getting the basics right, including:

  • Raise awareness from the top down;
  • Ensure firewalls, anti-virus software and password security is up to date and relevant;
  • Provide some training on basic cyber security measures;
  • Inventory assets and focus attention on protecting the most sensitive information.

Stage 2: Worry

Apparently, ignorance is bliss, because business owners and boards begin to worry once they become aware of the threats that cyber criminals pose.


Questions about where and how to spend cyber budgets start to arise. Difficulties in choosing between various security offerings also rear their head, with organisations often facing a range of technology solutions, many of which will be beyond their area of expertise.


At this stage, businesses are likely to make their first cyber security hire to ensure the right systems and processes are implemented.


KPMG and BT advise boards and company owners to ask themselves three questions when embarking on the initial stages of cyber security maturity:

  • Do we have the correct balance of technology, skills and processes?
  • Have we decided what’s crucial to protect? And who made these decisions?
  • Is there a strategy in place to deal with potential attacks?

Stage 3: False confidence

After investing in new people and systems, businesses could be forgiven for thinking they’ve done enough to protect themselves from internal and external threats.


Unfortunately, this may be a false sense of cyber security. The measures implemented in previous steps should tackle the majority of attacks on your systems, but they are unlikely to repel more sophisticated efforts.


Security policies must be regularly updated to account for the evolving cyber landscape. Business owners and boards also need to embed the right security culture across the workforce and supply chain, including cleaners, canteen staff and interim consultants.


KPMG and BT therefore recommend that organisations check their assumptions to ensure their processes really are fit for purpose.

  • Perform regular security reviews;
  • Conduct scenario-based testing;
  • Check policies are adequately enforced among third-party suppliers; and
  • Promote flexibility for evolving threats.

Stage 4: Reality sets in

The report calls this stage ‘hard lessons’, and it refers to when organisations aren’t just battle-ready but also battle-tested.


Following a cyber incident, the media spotlight often focuses on an organisation’s failings. Big-name brands usually face the most scrutiny, but SMEs aren’t immune to reputational damage.


Figures from Kaspersky Lab recently found that large enterprises spend US$200,000 (£147,500) on average repairing their brand name in the wake of a severe data breach. SMEs foot an US$8,000 bill.


“Unfortunately, your risk appetite the day before the incident is very different to your risk appetite the next morning,” Glen Attridge, head of cyber defence and security response at Royal Bank of Scotland, told KPMG and BT.


After a successful cyber security attack, organisations should:

  • Consider outsourcing security if the task is to big or challenging to perform in-house;
  • Ensure everyone can use technologies that have been purchased and implemented;
  • Be clear over service level agreements and review them regularly;
  • Invest in the right insurance for situations where all else fails.

Stage 5: Industry leadership

KPMG and BT’s equivalent of the ‘acceptance’ stage is industry leadership. True leaders have a more holistic approach to cyber security, recognising that criminals don’t play by the rules and organisations need innovative methods to stay ahead of the curve.


The most important part of cyber security leadership is the ability to understand that people – not technologies or processes – are at the heart of the issue. Training can only go so far; businesses have to know how people behave so they are able to spot unusual occurrences before they snowball into serious problems.


Is your organisation a cyber security leader? According to KPMG and BT, the best in the business can answer ‘yes’ to many of these questions:

  • Are we ready to play a part in the wider security community by sharing experiences, intelligence and good-practice lessons?
  • Do we understand the full range of potential threats to our operations?
  • Is cyber security mainstream in our business? Are we using it to help us identify new opportunities?
  • Have we got the right balance between exploring new digital channels and assessing the inherent risks?

Cyber security maturity may be a long and arduous road, but with the right strategy in place, organisations can not only protect their own business but also become role models for the wider corporate community.


Our 2017 Compensation and Market Trends Report combines our review of the prevailing conditions in the security & resilience recruitment market together with the results of our latest employer survey.


Image: Matej Moderc via iStockADNFCR-1684-ID-801840219-ADNFCR