In today’s digital age, cybersecurity has never been a more critical component of any organisation’s strategy. This is driven by an increasing dependence on digital technologies that are at risk of disruption or compromise by cyber-attacks.
The UK Government defines ‘Cyber Resilience’ as the ability of an organisation to prepare for, respond to, and recover from cyber-attacks and security breaches. It highlights that maintaining robust cyber resilience is key to maintaining operational resilience and business continuity.
We spoke with Sapphire, one of our strategic services partners, to gain insight into the current trends they’re observing among their customers regarding regulations and frameworks.
Gareth Pritchard, Chief Technology Officer at Sapphire, said, “We are seeing a concerted effort to move and evolve from established foundational cybersecurity frameworks such as the DSP Toolkit for the NHS, and combinations of frameworks such as Cyber Essentials (Plus) and ISO 27001 for local government, as two examples. This is a result of direction coming from central government and guidance from the NCSC for organisations in those sectors to develop beyond the established norms (DSP Toolkit/CE/CE+) and put in place security measures that further ensure operational resilience. The DSP Toolkit, for example, is itself moving to align with the CAF.
However, with all control frameworks it can be difficult to understand what to do in a prioritised, risk-based way, in line with budget availability, and to ensure maximum return on investment. We help organisations establish a baseline of their maturity and develop and implement improvements aligned to the CAF. We start by conducting a gap analysis of the current organisational maturity. Conducting a Cyber Assessment Framework (CAF) gap analysis is a recommended, and almost necessary, first step for organisations seeking to align with the CAF or to transition from Cyber Essentials to the CAF. A CAF gap analysis provides a thorough assessment of an organisation’s current cyber security posture against the four overarching CAF principles and guidelines. This analysis identifies areas where existing controls meet the CAF standards and highlights gaps that need to be addressed. By systematically evaluating these gaps, organisations can prioritise their cyber security efforts, ensuring a focused and efficient approach to achieving full alignment with the CAF.
Sapphire’s CAF gap analysis covers the four key objectives of the framework, offering a detailed roadmap for improvement.”
Kobi Hunn, Solutions Engineering Manager at Distology, added, “Now more than ever, organisations and their security teams are applying a risk-based approach to their cybersecurity strategy. The CAF is a great way to measure that risk and to help uncover what potential risk exposure they have. The latest iteration of the NCSC’s Cyber Assessment Framework is a comprehensive way for organisations to assess the policies, procedures and technologies they have in place.
It’s noticeable that security policies are now being pushed from the top down to promote an informed security culture. I think we will start to see this increase further due to government policy and advisories coming from the NCSC. Boards and executives are now being held accountable not only for the privacy of the data they hold, but also for the operational and digital resilience behind the services they provide.
I’m also seeing security and IT teams apply more focus to understanding their current exposure levels within their attack surface, which can be difficult when focusing on large and complex OT and IT environments, largely due to legacy systems and sprawling flat networks.
In my opinion, it’s important that organisations do not try to undertake assessments by themselves, as having a partner like Sapphire to walk them through it will provide a better perspective and decades of experience – and it’s never a good idea to mark your own homework.”
What is CAF?
The CAF, developed by the UK National Cyber Security Centre (NCSC), provides a systematic, comprehensive and principles-based approach to assessing the extent to which an organisation is able to maintain cyber resilience. It is organised as four objectives, each broken down into principles and contributing outcomes; for each contributing outcome, a set of indicators of good practice is used to rate the organisation as achieved, partially achieved or not achieved, which is what a gap analysis measures against.
Who is it for?
The CAF is for all organisations. While organisations within Critical National Infrastructure (CNI) sectors may be legally required to align with the CAF, it is applicable to any organisation that values cybersecurity and takes its responsibility for maintaining cyber resilience seriously. SMEs, large enterprises and public sector bodies can all benefit from adopting the CAF. Its four objectives are: A, managing security risk; B, protecting against cyber attack; C, detecting cyber security events; and D, minimising the impact of cyber security incidents.
Why is it important?
The CAF can help organisations prepare for, respond to and recover from cyber incidents, supporting business continuity. Furthermore, aligning with the CAF objectives demonstrates a commitment to responsible cybersecurity, which is often required by regulators, partners and clients, and gives your customers’ organisations a structured approach to identifying, assessing and mitigating cyber risks across the board.
For more information about the CAF, other regulations and frameworks, and how we can assist your customers in meeting them, please reach out to us.