Cyber security
26.09 2021

Assessing the level of cyber maturity helps to see the big picture

Is your company’s cyber security up to standard, and are the risks mitigated? Often, it may seem to a manager that the company’s cyber security level is as it should be. Unfortunately, this is frequently a misjudgement, and the actual situation is not quite as good. KPMG’s management journal Foorum discussed this topic with KPMG’s cyber security expert Igmar Ilves.

Today, most transactions are done via the Internet, so it is increasingly important to make sure that your data is safe from prying eyes. This is where cyber maturity assessment (CMA) comes in handy – it helps to identify potential vulnerabilities and what can be done better to ensure security.

According to Igmar Ilves, when it comes to CMA, it does not matter whether an organisation is small or large. “People often think that if there is at least one IT specialist in the house, then cyber security is ensured. In fact, you have to think ahead and ask yourself what the consequences might be if that one IT professional doesn’t have sufficient knowledge in the field of cyber security, or what will happen if they have all the knowledge but suddenly decide to change jobs,” Ilves says.

This does not necessarily mean that you should hire an additional IT specialist. According to Ilves, there are other ways to mitigate risks, such as keeping your documentation up-to-date so that the information about specific passwords or company-owned computers is sufficiently detailed and clear.

Mapping the current situation begins with an interview with the client

To better assess a company’s or an organisation’s information security posture, KPMG’s Estonian cyber security team has developed an affordable service that provides an overview of your company’s capabilities for protecting information assets and responding to cyber threats.

This is not a traditional IT audit but a service focused on a wide range of security aspects based on the specific characteristics of the client and the information collected from them. This is done through an interview with the client’s employees, who will be asked questions about the company’s current safeguards.

Ilves stresses that the most important thing is to answer the questions as honestly as possible and to describe the situation exactly as it is, as this will help to create a clear and concrete picture of the current information security posture. It is not necessary to provide evidence to back up described operations or responses.

Plan, protect and prevent

Hence, the key activity of the assessment is the interview with the client, which usually takes between one and a half and two hours and comprises four focus areas.

The first one is planning, which focuses on planning a company’s information and cyber security activities, raising security awareness, and the responsibilities of management and other key personnel.

Next, we will examine the specific measures related to protection and prevention as regards safeguarding the company’s most important assets.

Questions on detection and response are aimed at determining whether measures have been taken to detect cyber-attacks and other threats and what those measures are.

The section on recovery examines what measures are in place to restore the company’s business operations following a potential cyber-attack, etc.

Conclusions drawn from CMA

All interview questions are based on international standards and methods used in the field, resulting in a separate assessment for each focus area and a final aggregate score. “Without mentioning any names, we will also give the client an idea where their company stands compared to other companies in Estonia,” Ilves says.

He adds that companies that perform IT auditing and security testing on a regular basis and have already implemented certain standards and information security frameworks fare better in the assessment.

“Generally, clients tend to think that their company’s situation is better than it actually is. However, the results of a cyber maturity assessment often confirm the opposite,” Ilves said.

Assessments take into account the specific characteristics of the company

Problems often start with the weakest link in information security, i.e. a human being, so all employees who deal with security issues on a daily basis should be involved in the interview. The assessor sends the questions to the company before the interview.

Cyber maturity assessment recognises that every company and organisation is different. “The aim is to map the actual situation in order to understand where things could be improved and what the biggest risks are,” the cyber security expert explains.

After the assessment, an analysis of the results is presented to the company’s representatives, and a report is drawn up, which, in addition to the assessment, includes an action plan to improve the situation. “It is important to understand that this is not an in-depth analysis or an IT audit, but a general and comprehensive assessment, which depends largely on the responses received from the client,” Ilves stresses.

So, although people are the weakest link in information security, they are also very valuable because the information they provide is essential for mitigating security risks.

Igmar Ilves
Senior Cyber Security Advisor
KPMG Baltics OÜ

Bolstering Cyber Resilience with High-Quality Red Teaming

The escalating complexity and frequency of cyberattacks pose a critical risk to the stability of f..

Cyber security

KPMG recognized as a Leader in Cybersecurity Consulting Services in Europe

According to The Forrester Wave: Cybersecurity Consulting Services in Europe, Q1 2024.

We are excit..

Cyber security

Cyber Security Expert: IT Hygiene Should Not Be Neglected During Holidays and Vacations

The line blurring between work and spare time, and the widespread use of remote work mean that peo..

Cyber security

A Company Must Not Be Bought Without a Pre-transaction IT Audit

It is a volatile time for economy, which always leads to businesses being purchased and sold. For ..

Cyber security

How To Prepare for Overcoming a Cyber Incident

It is no longer a question of if cyber incidents take place, but when they will take place. Based ..

Cyber security

Too Many Companies Underestimate IT Risks

Mihkel Kukk, Head of Cyber Security Services at KPMG, notes that, although great importance is att..

Cyber security

Provide a safe and sustainable business environment for your company. We help build a resilient and reliable digital landscape, even in the face of changing threats.

KPMG Baltics OÜ

+372 626 8700
Ahtri 4, 10151 Tallinn, Estonia
KPMG Baltics KPMG Global Privaatsuspoliitika
Email again:

HR assessment 

HR assessment focuses on mapping the skills and increasing the competencies of the weakest link in cyber security: the users, the employees.

Email again:

Threat assessment

Threat assessment is a tactical and technical service that allows a company to get a quick overview of external threats.

Email again:

Maturity assessment

Maturity assessment helps plan IT investments and design further steps to mitigate vulnerabilities and ensure better security.

Email again: