KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
KuppingerCole Webinar recording
KuppingerCole Webinar recording
Good afternoon, ladies and gentlemen, welcome to our equipping call webinar approaches and elements of maturity benchmarking in information security. My name is Martin Kuppinger I'm founder and principal Analyst at Cole. And I will be your presenter today. Before we start with the webinar, some information around about giving a call and somehow keeping information for the webinar, and then a short period of time, we will directly move into the topic.
So, so being a call, we are an Analyst company. We are providing enterprise it research advisory, decision support, networking for it professionals. We offer this through our research services. So our reports, etcetera, through advisor services, where we support customers, where we do things such as maturity assessments and through our events, these events consist of our online life events, such as this webinar and several onsite events.
Two of them, I want to quickly mention one is the upcoming IRS, the information risk and information security summit, which will be held November 27 and 28th and Frankfurt. It's a one and a half day event focusing on information, risk management, information, security management, and five key topics within that. I think it's a very interesting event, very well worse to attend. It will be focused very much on peer networking.
So really peers exchanging with each other and the Analyst with some so leadership input into this sessions, it's a very interactive, very much focused on peer tope and you shouldn't miss this event. The other event you clearly should not miss the European identity and cloud conference 2014, which will be held as in the seventh or eight time. It's time in Munich may 13 to 16. It's about solid ship and best practice and digital idea. Anti management, cloud security chair see all related topics.
So have a look at our event website for these two events regarding the webinar itself, some guidelines for this webinar, you are muted centrally, so you don't have to mute on mute yourself. We are controlling this features. We record the webinar on the podcast. Recording will be available later tomorrow to queue, and the a session will be at the end, but you can answer questions at any time using the questions feature in the go to webinar control panel, you will find this feature. So this question feature at usually the right set of your screen and the go to webinar control panel.
And if trust, can I questions? In some cases, I might pick a question during the webinar. In most cases, I will do it towards the end. The agenda for today is RA simple. I will do my presentation. We'll Have the Q and a session. So I will talk about approaches and elements of maturity, benchmarking information security, look at the various ways to do that. So looking at maturity maturity for us, it defines how good, how mature her robust you are and what you're doing and information security and various areas of information security. So you always can, can look at specific aspects.
So you can for sure do an identity access management, the cloud security benchmarking, etcetera, all of these par all of, all of these are parts of this maturity benchmarking stuff. So by looking at how to do benchmarking, there are various ways to do benchmarking amongst these ways. There are the KPIs and K, so the key performance indicators to key risk indicators, I will go into detail on all of these areas later you can do on benchmarking by auditing, be its through internal or external auditors.
You can benchmark yourself towards the trends and the key topics which have been identified for the information security market or subsequent of this market. You can do it by, by reviewing your strategy. You wrote map your execution of the IM program and you can do it by external benchmarking, the maturity benchmarking done by external parties. I will talk about all of these five areas, but the question I want to touch before we go into detail is why does this become increasingly more important? And it's interesting to see when I look at what we are doing in our advisor business.
When I look at what we are seeing as requests from our customers, then a lot of customers currently are stepping back and, and asking, are we really mature? Are we spending our money? Right? Are we doing the Rio things? And I think there, there are good reasons for that change. So there are good reasons why organizations are, are currently increasingly looking for information security benchmarking for I IM broker benchmarking cetera.
And when I, when I look at, at our sort of the standard could a coal slide currently the computing dry, then I think the challenge many organizations are facing, is that the way we need to do information security changing? So this traditional scope information security, which was focused very much on our internal it systems on our internal users and traditional devices, this traditional scope of information security is not sufficient anymore. We have to deal with more users. We have to onboard external parties. We have to secure cloud services. We have to allow access for mobile devices.
So the world for information security, this code of information security is changing. And that means that this is a good point also to step back and think about how do we have to do those things in future? Are the things good enough we have today? Are we still mature enough if we spend our money, right, etcetera, et cetera. And as I've said, there are various areas to do this. And I want to start with the KPIs and K, which are probably one of the most common familiar approaches to do some mature benchmarking. So KPIs and K, these are then indicators.
So ways to measure specific aspects, to look at specific types of, I, we could say controlled and to, to look at whether they, they meet or pass specific threshold, which is in a positive for negative sense in the sense of performance. Yes, we are good enough in the sense of risk or the risk is too high or it's not too high. So there are a lot of indicators. There are a lot of groups of indicators.
And so when, for instance, looking at the area of identity, access management, access governance, and indicators there, then in our approach and in our research, we have identified as six groups of indicators. So the classification of applications and information. So starting with knowing what you have there, identity management, doing the administration rights, the authentication, the allocation and reviews, or the access entitlement stuff, privileged access management and the overall monitoring stuff. And you can do that clearly for any area of information security.
And there are a lot of redefined preconfigured KPIs and KRI out, not only for information security or particularly for IM, but for all areas. There's one report out for a call, which focuses on KPIs and for identity management and access governance, which you will find at our website also have link at the end of the presentation or the title and the number of this report available so that you can easily find this and working in KPIs and Ks is I think a very important aspect when we think about maturity benchmarking in information security.
The reason why from my perspective is that risk is something which is well understood in business risk is sort of our common language, but not only for it, but especially for business businesses used to sink in risks. And I think it's helps us very much to, to understand, okay, these are the it risk.
We have a, a set of risk indicators. We monitor these risk indicators and we, them can go out to the business say, okay, these are our risks. We can know what to mitigate, to apply which compensatory controls cetera. And it also helps us to say, okay, you know, for instance, business requests, new service, there are various ways to do it. These are risks. We can main the risks rate risks, allow business to decide about these and take the risk. And this is the point where the K KRI, the key risk indicator really comes down into play.
Again, we get them can set up a governance process, which monitors all this risks over time. So risks and K clearly are very important aspect. And when we look at Ks, for instance, IM access governance, or for other areas of information security, then there are various types of resource at the end. We can and should sort of associate them with the strategic, with the operational risks. So reputation at the end is also strategic or strategic or operational or both.
So, but when we do to you, we do a little bit more in detail. So there are security risks. For instance, you can look at cost risks. So the risk of unnecessary cost or too too much spending over spending the performance risks, the efficiency, risks, availability, risk compliance, risks. So various types of risks we can look at K is help us to do that. And when we think about maturity, Ks and KPIs, both of them are a means to, to have an continuous approach on understanding how are we making progress? Are we still good enough?
Are we getting worse in some areas, are some indicators going up or down? What does it mean? So this is clearly one part. And as I've said, we have one product which defines a series of RIS and KPIs. For instance, for information, for access management and access governance, you can't do it for virtually any other area of information security as well. In our research, we defined the indicator, the group, the unit type, the direction, what is the, so what should we do minimize its whatever, what is the optimum? How can we measure it, etcetera, etcetera.
So this is that case, for instance, a ratio or often accounts, the overall number accounts and defined directory. And when following this still just gives us a view on the maturity. So if we can de decrease the number of Orhan accounts or that ratio, if this indicator becomes lower or over time, then clearly we are working.
We, we are a little bit more mature that area. So this is one of these areas. The second area is audit and audit is also one of the element. When we look at maturity, when we look at measuring maturity, understanding maturity, cetera, it's, it's not audits dealing, not mainly are focused on maturity, but they are from my perspective, RA good indicators, RA good information, or provide good information around how much are we simple as that, the less findings, the more mature we are overall, it's not, not a perfect way to measure maturity, but it's an indicator.
It's a very good indicator for a lot of things. Especially when we look at information security, which is a common target of maturity and this aligns to, to, to the way, and it's not only for I am and she C it's for everything, which is audited.
When, when we look at this audits, one of our targets must be that we, we understand that when we are a mature organization, we shouldn't end up with a picture like that. So this is sort of an immature approach. It means all the time we have an audit finding, we start investing, we switching to panic mode and then we go back.
That's, that's another curve. The cost curve we should end up with. We should end up with one, which is more depth thought. Maybe even a little bit later, ideally seen, but what we should do is working continuously on these things. So improving ourselves, improving our information security programs, etcetera, becoming better on over time instead of having all the audit findings as a driver. So simply set the first line.
So this actually line clearly says, okay, we have no maturity because we have a lot of findings and all these findings lead to a lot of activities in our organization, a lot of costs, etcetera. We are not working strategic. And so maturity clearly means to be, become good enough to have few findings, to have a overall stable and, and, and strong environment. So this is the way to do it. So two areas we have touched.
One is K KRI KPI, which was very important as a more continuous, ongoing way to look at maturity audits, which allow us to understand it from an external or internal perspective for depending on who is doing the audit. The third one is a little bit less, less tangible, maybe because it's about understanding how do we perform compared to trends to the, the, the major revolutions, the major things to do. So going back to what we have defined this year, after talking at our, the keynote of our European identity conference, I've been talking about top 10 information security tasks.
When looking at these top 10 information security tasks, there are things such as implement information, your, your organization. So really have a concept of managing information in a well defined way, understanding your risks to spend focus.
So having a risk concept, define a bigger picture, having a, a clear view on where is your, what is your big picture for, for information security and for the different areas in, so which elements will you need over time on where to start with some more specific things such as contacts and risk based access management run the it department as business department. So define your processes, support the extended enterprise, implement privilege management, cetera, cetera.
So we're looking at such lists and there various, these lists out there, and I will go to a top front list later and the next slide, but when looking at these lists, I think it's interesting and important to understand, yes. That also can help me to raise my own maturity at least to some degree, but I stepping back and saying, okay, how good are we in these areas? Did we start with this at all? Or didn't we start with it? And if we started, where are we? Are we really good in it or not?
However, self-assessments always have some tendency to, to be biased. And nevertheless, it's something which you might use when thinking about maturity and measuring your maturity, saying, okay, I use some, some of these lists, which are updated for instance, once a year. And then I have a look at this and look at where are we? Are we good enough or not? Do we cover these topics? And do we look at these trends, which Analyst such as our company might have identified. So here in that slide, they are the top trends in IM cloud computing information, protection, privacy.
There are Analyst as well. So again, as I've said, there are various ways to do it. And this is yet another approach to, to, to look at how mature am I. This is probably the most car grain approach we have in that area. But nevertheless, it's one way to do it. Another tool we have here is our Cub called CIO GPS, which we will find out your, at our website. There's a lot of information, detailed information on these nine areas where we say, okay, so what are the, the matrix things to do that it spend optimization business, it alignment and strategic procurement.
These are sort of the long running challenges organizations are facing in it. And on the other hand we have, from our information security perspective, we have the governance part. We have the privacy and data protection part.
We, the overall security department, we've identified nine areas for sort of smart investments. So the GPS about finding your path through using in investments. And this is another approach where you can, which you can use to sort of step back and say, okay, where are we here? How a good are we? Do we address this? Do we not? Do we don't we address this? I think it's basically the same as strengths etcetera. Another tool we provide at our website is what we call the business impact indicator, which shows for various areas. So what is the business impact?
Again, helps you to understand the impact of various technologies, for instance, for compliance, fulfillment, cost saving for business alignment. So doing your current business better or business enablement, so allowing you to, to serve new business needs.
So again, this is way limit our website. If you look for the PII stuff, so there are various ways to do it. And this is sort of absurd area, probably the less the least tangible, the, the most cost grain one. Nevertheless, I think it, it's, it's an element and it's an interesting element of sort of maturity benchmarking approach.
When you look at what do you want to do for maturity benchmarking, then doing this in a cons team use and consistent way once a year, for instance, stepping back and looking at various of these things in the workshop internally might be something which really brings you forward by realigning. And that's that also, I think is title related to the next, which is around roadmap, broker definition, strategy, definition, and execution of these things.
So when looking at things such as the trends, the business impact indicators, etcetera, GPS, we have defined, then this is very helpful in, in, in understanding and reviewing whether of your, your strategy, your big picture is still correct, and you should have an information security, big picture. You should have big pictures for various areas in information security.
So, so one of these pictures I've pick picked up here is the one we are currently using for the area of identity, access management and identity access governance, which then looks at the four areas, administration, authentication, authorization audit, and the essential building blocks there you need to have. So, so having a big picture and understanding what you want to do, what you need to do in these areas over time is from my perspective, another important element. When you look, when you think about maturity assessment. So in that area, it's about several steps you need to do.
So the first step is you need to define your big picture and you need to be clear about the fact that every big picture is sort of a moving target. The second thing is you need to, you need to define your roadmap based on the big picture. So defining your way towards that instead of a program within your information, security probably was an information security that will be various programs for various areas, but they have to be tightly align.
So if you have a big information security picture, you have to split it up into various areas, understand where they are depend on what you need to Def first, how to prioritize cetera. So since such a program, you need Toor, you need to define the steps you need also to think about the benefits for the business without it will be hard to, to gather money for the dependencies, etcetera. And then it's about executing. And then it's about reviewing and you, for instance, can do a program status reviewed in quarterly.
So every three months you go through and check, where are we in our program ever use it back and step back and say, okay, I do the big picture review is still the right way. We are moving ahead. How do trends cetera impact this entire thing?
Again, this is sort of an internal approach or maturity assessment. And then there's as the fifth area I want to talk about today, there's the really external support of it. So the maturity assessment in the sense of someone is really reviewing your status for information security overall, or for particular areas of information security, such as cloud security and cloud assurance, or for identity access management, IDT, access governance, maturity, etcetera, etcetera. That's one of the things we are doing as cooking a code. So we have a standardized product.
We call Casey map for the maturity assessment program, where we do these things. And so several of the following slides are showing some aspects of what we are doing in such assessment, rather lean assessment. So it's something where we try to do it based on our experience and our rather rapid, but nevertheless SAF way, identifying the most important areas and providing information back where you are compared to others compared to sort of the ideal world state and where you should start investing in. So what does it need for maturity assessment? I think this is an important thing to do.
So if you want to do a maturity assessment very much in that beyond the KPI, KRS K stuff, or beyond just going back, stepping back and looking at what you're doing, comparing it with some external information, then it needs in depth, knowledge of the status of the technology market segment the programs are related to. So you have to look at what is the, the status you could potentially achieve in a certain area. Just a second point, a knowledge about a status of other organizations, both in the industry, a few organization and another industries.
So clearly this is also one question, and it's a question which also pops up frequently when you're asking for, for, for some budgets in your organization, for information security, then your, your board might ask for what you others to. Are we spending too much or are we spending not enough?
Or just, how do we compare to others? So clearly, clearly you frequently, if we are at least student less, we don't need to spend much more and understanding this. I think it's important. That's something which you only can do with an external view. And it also requires good understanding of trends that will have an impact on the program and investments. One of the things we did, we have various documents and, and various maturity level metrics is they are at closely, they are known not closely. They're a little bit oriented around the classical maturity level stuff.
So we have also five levels define various access governance levels. We did definitely find the characteristics for instance, here for access governance. We did it for other areas. I didn't seen access management governance overall. And so on. We are working on more of these things for other areas of information security. And so it's about identifying a level, the characteristics, the technologies involved, et cetera, which says, okay, this is a specific certain maturity level.
And there's an ideal level sort level five, which few organizations currently average, clearly this is also sort a moving target. So when we review these maturity level definitions, once a year or over two years of at least, then we usually increase what we expect in a certain level because the organizations are moving forward, the requirements are changing. So we also are adapting these maturity levels. So there are various of these. Another one is this identity, access management identity access governance. So this is one of the elements we, we, we see here we are using.
So using maturity level definitions, you will find several of them. So once we have to find as far as others and another, think we then bring in as good knowledge about the market. So what are the players in the particular market? I stayed with the excess governance market as one example for maturity assessment. And one of the things we are doing here is we are, we have our own type of documents. We call the co a co-leadership compass is leadership compass. In that case, it's only about the horizontal direction.
So it's the followers, ERs the leaders, the more to the right and organizational, the better it's the overall rating, or in that case, it's a product leader rating. It says these are the areas vendors in a particular space, the more to the rights, the higher rating. So we have, as part of our research, we continuously reviewing the vendors. We know a lot about what is going on, what products potentially can. And this is I think, a very important element as a benchmark, as the bar, we compare them current implementations with them, this leadership compass documents and provide various views.
So for instance, also, when you're looking at an integrated approach where you say, okay, I want to have one tool which supports provisioning, access governance, and as good as a tool or world. And we have a metrics which goes far deeper into detail. So I think having this product knowledge, knowledge, and this market knowledge is a very important thing to do rating some our approach done. For instance, to give you an example, our approach focuses on 12 areas, that case for cloud services, we do it as well for, for anti access management, for many other areas.
And these 12 areas we, we have here, six of them are always organizational and six of them are technical. So organizational, when we look at cloud services, whose ability and acceptance that, what is your way to, to deal with cloud services? Is it visible? Is it accepted in your organizations or are they just bypassing you? How could, are your guidelines or policies? How well defined are your processes?
Do you, do you have an organization structure in place to work with this etcetera, and then technical aspects? Like, do you have a technical master plan to deal the cloud overall information security approach for the cloud business, continue to data return, etcetera. And what we then can do. And what we are doing here is, is we compare it with various benchmarks. And one of these benchmarks is our Metro to level five benchmark.
So do, do you really reach what we expect as to level five? It's rather unlikely that you're extremely good in that area because our, our level five is, is rather high. We compared just the best in class, the good in class and with current average. So the average might be below the good in class. Usually it's below the good in class. And that gives you an indicator of where are you compared to what the agreed defining as defining to be the class. It could be, your industry could be overall, could be organizations overall. And that helps you then to understand where are you cream?
So where are you really good? Where are you not a bad, or where are you significantly below what art is doing so good and glass on the other hand might not be good enough.
And lot of you, we then provide on this is comparing it in that type of spiral di where, where you then can quickly identify, okay, what are the areas where we probably have to do most it's in fact, compared to good and class, and for that organization, for that sample, it would be okay, the compliance controls rise a good, higher, certain lack of a technical master plan, risk awareness, not to the overall risk model risk organization is not at that level. It should be coping coverage is too small. So this IST a way to do it.
And as I've said, these are various elements of what we are using for an external maturity assessment, an external benchmarking of the maturity in various areas of information security or for the information security program, overall, which from our perspective, and also requires some, several specific areas of knowledge and expertise to do well, including knowing what the others are doing when looking at these five areas right now. So we're looking at these five areas of information, security benchmarking. Then I think it makes a lot of sense to do sort of comparison here.
So this comparison added looks at four dimensions for, for factors. So is it more an internal view? I think doing it as an internal, you have some clear advantages, an internal view has the ranks that you usually can go more into detail. You know, a lot of about your organizations, what you're doing in detail, external views on the other hand, bring in another angle, another viewpoint, but they usually usually are at as fine, right? As the internal view, unless you want to spend amount sums of money.
But on the other hand, even a well defined course claim, you can have a significant additional well view because as I said, it's, it's a different angle. It can benchmark with others. It's a different way to do it. And if an auditor is auditing you, then he also sort of benchmarking with others. Maybe not as, not as specifically, explicitly as we are doing it, but he's doing it.
In fact, then the third area is the frequency. So how frequent are these things done? So where KPIs and KRI are sort of the continuous approach audits are also a little bit more frequent. Whereas for instance, on external benchmarking usually is done maybe every two or three years. I think it makes a lot of sense to do it than over two or three years to also see how you made brokers, etc. Then there's the detailedness. So how detailed are these various things? There's not the perfect approach on information security, maturity benchmarking. There's not a single approach which can serve all.
So you can't just only rely on external benchmarking or audits. You need something continues such as KPIs and KRI within your overall governance and risk management process. You need to review the strategy and roadmap. So ideally it's about bringing these things together and understanding what do I need when and how do these things grip into each other? So KPIs K is something you should set up. Audit audits is something you will do or will have to do. Anyway. The Analyst three areas ideally come flow. So trend and key topic, spread roadmap.
They come, they are tightly totally related and they can also relate very well to the external benchmarking. So this is just as an information, the way we see this topic of information, security, maturity benchmarking, as I've said, especially when it comes to external benchmarking, but also when it comes to stretching roadmap definition, these are areas where we can support you where we can provide services such as our KC map program or some of the brokers where for strategy, roadmap, definition, areas, areas, information security.
So this is sort of information, security, maturity benchmarking, and viewing at a different approach is the ways to do it. What does it need for what to look at? And right now it's time for Q and a. So if you have any questions, you should enter these questions right now, as I've said, you can use the questions who go to webinar control panel and then start to do is. So I wait a little and in the meantime, trust again, hinting on, we have these upcoming events, our IRS information, risk and security summit, and the European identity and cloud conference. And there's a very long list.
I've picked several of them, a very long list of co a call reports, which are related to the topic of maturity benchmarking in one way or another. So for instance, for advisory node, 70 2204 key risk and performance indicator fry and PRC and various others.
So, so one of the questions I just got right now is, is around the, the question of, of K KPIs and where do, where can you get these K and KPIs? So, as I said, one of these says, we have to done for instance, for IM and RC, probably some of the, the consulting groups of the auditors, cetera will have their own approaches on that. And then there are various websites where you will find a series of such K and KPI. So there various sources probably best is to look at it.
However, one thing I'd like to add, and one thing I'd like to notice that it's not only about having these K and KPIs, it's about having the entire governance process in place to deal with these K and KPIs. So it's really is not only a indicator stuff. It's about the entire GRC approach in the organization. Another recruit, a call report, which might be worse to look at in this context is the GRC reference or architecture we've published, I think back in 2009 nine, but which is still very well at because it's about understanding on how TRC overall looks like.
And payer I KPIs are part of this process to where significant decree. Okay. Any other questions? Okay. If there are no first questions, then I, first of all, I want trust, want to mention again, we have a broker called Casey map on that we provide services and that don't hesitate to ask us. There are upcoming events and side of that. Let me thank you for attending. This could be on call webinar. We have a series of upcoming webinars within the next few weeks. So have a look at our website and all these upcoming webinars and other types of events. Thank you for your time and have a nice day.
Bye.
