Skip to Main Content

insightsarticles

Beyond weathering the storm: How the gaming industry can succeed during economically challenging times 

12.14.22

Read this if you are a part of the gaming industry.

The gaming industry has bounced back during 2021 and 2022 following pandemic-related declines, but a potential economic downturn will likely impact consumer behavior and have effects for gaming businesses. Though recessionary concerns may prompt some consumers to rein in spending, several factors point to resilience in the gaming industry, including customer retention initiatives, the growth of digital gaming and sports betting, and the continued allure of experiences offered by casino resorts.

Instead of merely weathering a potential recession, gaming companies can position for sustained success by reviewing strategic plans and focusing on key business objectives. Financial discipline will be another priority, particularly if changes in consumer spending affect revenue growth during 2023.

Retention has a big payoff in a recessionary environment

Despite the rate of inflation in the US reaching levels not seen in more than 40 years during 2022, consumer spending has remained relatively strong. According to data from the Bureau of Economic Analysis (BEA), disposable personal income and personal consumption expenditures both increased slightly more than expected during September. Interest rates have continued to rise, however, and there are indications that some consumers are delaying the purchase of big-ticket items, which suggests a slowdown in some areas of spending.

To help mitigate the effects of a potential recession, gaming companies may consider shifting more attention to customer retention in addition to customer acquisition. That strategy could be especially important for sports betting, a subsector that has invested heavily in customer acquisition in recent years—and may not be as recession-proof as some had predicted. According to a TransUnion study, 54% of US sports bettors earn at least $100,000 per year, but even high-income earners show signs of cutting back on discretionary spending like gambling. Nevertheless, many sportsbooks have seen relatively low rates of customer churn this year despite inflation, which could be due partly to the growth in popularity of unique multi-leg wagers such as same-game parlays.

High costs for customer acquisition due to digital competition can pose challenges for companies trying to grow their consumer base, and recessionary pressures make it even more important to keep existing customers engaged. Fragmentation and evolving competition also complicate predictions for the lifetime value of a new customer. The longer a customer stays, however, the bigger the return on initial acquisition costs.

Retention strategies

Strategies that focus on retention can help reduce churn amid growing recessionary pressures. These strategies vary for different types of companies, such as online gambling (iGaming), land-based casinos, or a hybrid of online and on-premises gaming. Taking steps to improve customer experience and leverage data analytics can both help increase engagement. Such initiatives can include customized loyalty and reward programs based on a customer’s unique habits, as well as data insights about the most popular types of games and bets that enable cross-promotion. Reload bonuses, referral bonuses, free bets, and percentage back on losses are examples of other strategies to help keep existing players engaged. Critically, even small improvements in retention can have a significant impact on margins and profitability.

Growth potential remains, but a downturn would impact industry subsectors differently

If recessionary pressures prove to be a drag on consumer spending in the months ahead, it may affect some gaming sectors differently than others. Even if consumers reduce discretionary spending, casino resorts could still fare well because of their diversified offerings, but they also have much higher operating costs than dedicated iGaming companies. Land-based casinos in particular should practice financial discipline and manage labor costs. They can achieve this by maintaining balanced staffing levels, expanding electronic casino games, and adopting cashless gaming and digital payments.

Overall, casino resorts can provide a relatively affordable range of unique leisure experiences. People remain eager to travel after dealing with pandemic-related restrictions, and recent TSA checkpoint data indicates airport activity has been near or above 2019 levels. BEA data also indicates that consumer spending on services, such as travel and dining, has outpaced spending on goods in recent months.

Although research has shown flat levels of growth for casino gambling during previous recessions, the industry has seen several notable changes in recent years. Digital gaming remains a convenient option for consumers and has experienced a spike in adoption in recent years, which aids both digital-only operators and land-based casinos that offer a digital component. Casino resorts can also use data-backed insights to help convert their online customers into on-premises customers through targeted offers and other marketing initiatives.

Sports betting has also grown rapidly during the past five years, which provides an accessible platform for a much larger population of customers than previously. Before the US Supreme Court’s 2018 decision in Murphy v. National Collegiate Athletic Association, only a few states could claim partial exemption to the 1992 federal ban on sports betting. As of November 2022, more than 30 states and the District of Columbia allow sports betting, and additional states are considering similar legislation.

Recession-related shifts in discretionary spending may not impact gaming as much as other consumer sectors. A May 2022 YouGov poll of 16 countries shows that while monthly gamblers may cut back on betting, they are more likely to reduce spending in other areas to maintain their monthly budget. A recession would still likely impact growth, so it is critical for gaming companies to protect revenue during a downturn.

Other developments also hold promise for the gaming industry. Casino stocks recently surged following China’s announcement of eased travel restrictions that would allow tour groups into Macau, the world's largest gambling jurisdiction. Overall, publicly traded gaming companies have enjoyed relatively strong earnings during 2022 despite market volatility, and many analysts have maintained “buy” ratings. A downturn could also give well-capitalized companies an opportunity to gain market share through acquisitions and partnerships.

Looking ahead: A sure thing

To help guard against the impact of recessionary pressures, managing costs and finding efficiencies will continue to be priorities. However, cutting back spending across the board can constrain growth and exacerbate customer churn. By combining financial discipline with a business strategy tailored to the effects of a potential downturn, gaming companies can continue the pandemic recovery and even thrive during volatility.

Related Industries

Related Services

Consulting

Related Professionals

Principals

BerryDunn experts and consultants

Is your organization a service provider that hosts or supports sensitive customer data, (e.g., personal health information (PHI), personally identifiable information (PII))? If so, you need to be aware of a recent decision by the American Institute of Certified Public Accountants that may affect how your organization manages its systems and data.

In April, the AICPA’s Assurance Executive Committee decided to replace the five Trust Service Principles (TSPs) with Trust Services Criteria (TSC), requiring service organizations to completely rework their internal controls, and present SOC 2 findings in a revised format. This switch may sound frustrating or intimidating, but we can help you understand the difference between the principles and the criteria.

The SOC 2 Today
Service providers design and implement internal controls to protect customer data and comply with certain regulations. Typically, a service provider hires an independent auditor to conduct an annual Service Organization Control (SOC) 2 examination to help ensure that controls work as intended. Among other things, the resulting SOC 2 report assures stakeholders (customers and business partners) the organization is reducing data risk and exposure.

Currently, SOC 2 reports focus on five Trust Services Principles (TSP):

  • Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that can compromise the availability, integrity, confidentiality, and privacy of information or systems — and affect the entity's ability to meet its objectives.

  • Availability: Information and systems are available for operation and use to meet the entity's objectives.

  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.

  • Confidentiality: Information designated as confidential is protected to meet the entity's objectives.

  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

New SOC 2 Format
The TSC directly relate to the 17 principles found in the Committee of Sponsoring Organization (COSO)’s 2013 Framework for evaluating internal controls, and include additional criteria related to COSO Principle 12. The new TSC are:

  • Control Environment: emphasis on ethical values, board oversight, authority and responsibilities, workforce competence, and accountability.
  • Risk Assessment: emphasis on the risk assessment process, how to identify and analyze risks, fraud-related risks, and how changes in risk impact internal controls.
  • Control Activities: Emphasis on how you develop controls to mitigate risk, how you develop technology controls, and how you deploy controls to an organization through the use of policies and procedures.
  • Information and Communication: Emphasis on how you communicate internal of the organization to internal and external parties.
  • Monitoring: Emphasis on how you evaluate internal controls and how you communicate and address any control deficiencies.

The AICPA has provided nearly 300 Points of Focus (POF), supporting controls that organizations should consider when addressing the TSC. The POF offer guidance and considerations for controls that address the specifics of the TSC, but they are not required.

Points of Focus
Organizations now have some work to do to meet the guidelines. The good news: there’s still plenty of time to make necessary changes. You can use the current TSP format before December 15, 2018. Any SOC 2 report presented after December 15, 2018, must incorporate the new TSC format. The AICPA has provided a mapping spreadsheet to help service organizations move from TSP to the TSC format.

Contact Chris Ellingwood to learn more about how we can help you gain control of your SOC 2 reporting efforts. 
 

Article
The SOC 2 update — how will it affect you?

As the technology we use for work and at home becomes increasingly intertwined, security issues that affect one also affect the other and we must address security risks at both levels.

This year’s top security risks are the first in our series that are both prevalent to us as consumers of technology and to us as business owners and security administrators. Our homes and offices connect to devices, referred to the Internet of Things (IoT), that make our lives and jobs easier and more efficient, but securing those devices from outside access is becoming paramount to IT security.

Many of this year’s risks focus on deception. Through deception, hackers can get information and access to systems, which can harm our wallets and our businesses.

In our 2017 Top 10 IT Security Risks e-book we share with you how to understand these emerging risks, the consequences and impacts these risks may have on your business, and approaches to help mitigate the risks and their impact. Some of the key ways to address these risks are:           

  1. Do your homework — change your default passwords (the one that came with your wireless router, for instance), and also make sure that your Amazon Alexa, Google Home, or other smart devices have complex passwords. In addition, turning off devices when they are not in use, or when you are gone, helps secure your home.
  1. If you work from home, or have employees who do, set up and use secure connections with dual authentication methods to help protect your networks. Remote employees should be required to use the same security measures as on-site employees.
  1. Protect your smartphone at work and at play—smartphones have become one of our most important possessions, and we use the same device for both work and personal applications, yet we don’t protect them as well we should. Password protection is step one. Consider uploading new antivirus software to corporate smartphones and using container apps for corporate emails and documents. These apps allow users to securely connect to a company’s server and reduce the possible exposure of data.
  1. Train, inform, repeat. Create a vigilant workforce—through continuous and consistent training and information sharing, you can reduce the occurrence of phishing, hacking and other attacks against your systems.
  1. Conduct IT security risk assessments annually to help you identify gaps, fix them, and prepare for any incidents that may occur.
  1. Monitor and protect your reputation through tools to identify news on your company and understand the sources of the information.

Our 2017 Top 10 IT Security Risks takes a deeper look at the IoT and other risk issues that pose a threat this year, and what you can do to minimize your own and your organization’s IT security risks.

Article
The 2017 top IT security risks: Everything is connected

During my lunch in sunny Florida while traveling for business, enjoying a nice reprieve from another cold Maine winter, I checked my social media account. I noticed several postings about people having nothing to do at work because their company’s systems were down, the result of a major outage at one of three Amazon Web Services (AWS)’ Data Centers and web hosting operations. Company sites were down directly or indirectly through a software as a service (SaaS) provider hosted at the AWS data center.

The crash lasted for four hours and affected hundreds of thousands sites, including Airbnb, Expedia, Netflix, Quora, Slack, and others. The impact of such crashes can be devastating to organizations that rely on their website for revenue, such as online retailers and users of SaaS providers that may rely on a hosted system to conduct day-to-day business.

We advise our clients who consider hosting services in the cloud to weigh the option seriously and understand potential challenges in doing so. Here are some steps you can take to prevent future outages and loss of valuable uptime:

  1. Know the risks and weigh them against the benefits.  Ask questions about the system you are thinking of having hosted. Is the system critical to business? Without the system, do you lose revenue and productivity? Is the company providing the SaaS service hosting their own systems, or are they hosted at a data center like AWS? Does the SaaS provider have failover sites at other, separate data centers that are geographically distant from another?
  2. Have a backup plan. If your business conducts e-commerce or needs SaaS service to function, consider hosting your web servers and other data at two different providers. Though costly, the downtime impact is highly reduced.
  3. Consider hosting yourself. In some cases, we advise against relying on a third-party hosted data center. We do this when the criticality of the function is so high that having your own full-time dedicated support personnel, with multiple internet service providers available, allows you to address outages in-house and reduce the risk of outages.
  4. Have a service level agreement. Having a service level agreement with the hosted third party establishes expectations for uptime and downtime. In many instances where uptime is critical, you may consider incorporating liquidated damage clauses (fines and penalties) for downtime. Often when revenue is involved, the hosted party will take deeper measures to ensure uptime.

These types of outages are rare, but significant and while most organizations should not be scrambling to host their own systems and cancel all hosted agreements, it’s a good idea to take a hard look at your cyber security and IT risk management plan. Then, like me, when the clouds clear and you are in warm and sunny Florida, you can take a long lunch and enjoy the day.

Article
When the skies clear: Web-hosting outage hits Amazon data centers

Read this if your company is considering outsourced information technology services.

For management, it’s the perennial question: Keep things in-house or outsource?

For management, it’s the perennial question: Keep things in-house or outsource? Most companies or organizations have outsourcing opportunities, from revenue cycle to payment processing to IT security. When deciding whether to outsource, you weigh the trade-offs and benefits by considering variables such as cost, internal expertise, cross coverage, and organizational risk.

In IT services, outsourcing may win out as technology becomes more complex. Maintaining expertise and depth for all the IT components in an environment can be resource-intensive.

Outsourced solutions allow IT teams to shift some of their focus from maintaining infrastructure to getting more value out of existing systems, increasing data analytics, and better linking technology to business objectives. The same can be applied to revenue cycle outsourcing, shifting the focus from getting clean bills out and cash coming in, to looking at the financial health of the organization, analyzing service lines, patient experience, or advancing projects.  

Once you’ve decided, there’s another question you need to ask
Lost sometimes in the discussion of whether to use outsourced services is how. Even after you’ve done your due diligence and chosen a great vendor, you need to stay involved. It can be easy to think, “Vendor XYZ is monitoring our servers or our days in AR, so we should be all set. I can stop worrying at night about our system reliability or our cash flow.” Not true.

You may be outsourcing a component of your technology environment or collections, but you are not outsourcing the accountability for it—from an internal administrative standpoint or (in many cases) from a legal standpoint.

Beware of a false state of confidence
No matter how clear the expectations and rules of engagement with your vendor at the onset of a partnership, circumstances can change—regulatory updates, technology advancements, and old-fashioned vendor neglect. In hiring the vendor, you are accountable for oversight of the partnership. Be actively engaged in the ongoing execution of the services. Also, periodically revisit the contract, make sure the vendor is following all terms, and confirm (with an outside audit, when appropriate) that you are getting the services you need.

Take, for example, server monitoring, which applies to every organization or company, large or small, with data on a server. When a managed service vendor wants to contract with you to provide monitoring services, the vendor’s salesperson will likely assure you that you need not worry about the stability of your server infrastructure, that the monitoring will catch issues before they occur, and that any issues that do arise will be resolved before the end user is impacted. Ideally, this is true, but you need to confirm.

Here’s how to stay involved with your vendor
Ask lots of questions. There’s never a question too small. Here are samples of how precisely you should drill down:

  • What metrics will be monitored, specifically?
  • Why do the metrics being monitored matter to our own business objectives?
  • What thresholds must be met to notify us or produce an alert?
  • What does exceeding a threshold mean to our business?
  • Who on our team will be notified if an alert is warranted?
  • What corrective action will be taken?

Ask uncomfortable questions
Being willing to ask challenging questions of your vendors, even when you are not an expert, is critical. You may feel uncomfortable but asking vendors to explain something to you in terms you understand is very reasonable. They’re the experts; you’re not expected to already understand every detail or you wouldn’t have needed to hire them. It’s their job to explain it to you. Without asking these questions, you may end up with a fairly generic solution that does produce a service or monitor something, but not necessarily all the things you need.

Ask obvious questions
You don’t want anything to slip by simply because you or the vendor took it for granted. It is common to assume that more is being done by a vendor than actually is. By asking even obvious questions, you can avoid this trap. All too often we conduct an IT assessment and are told that a vendor is providing a service, only to discover that the tasks are not happening as expected.

You are accountable for your whole team—in-house and outsourced members
An outsourced solution is an extension of your team. Taking an active and engaged role in an outsourcing partnership remains consistent with your management responsibilities. At the end of the day, management is responsible for achieving business objectives and mission. Regularly check in to make sure that the vendor stays focused on that same mission.

Article
Oxymoron of the month: Outsourced accountability

It may be hard to believe some seasons, but every professional sports team currently has the necessary resources — talent, plays, and equipment — to win. The challenge is to identify and leverage them for maximum benefit. And every organization has the necessary resources to improve its cybersecurity. Chapter 3 in BerryDunn’s Cybersecurity Playbook for Management looks at how managers can best identify and leverage these resources, known collectively as internal capacity.

The previous two chapters focused on using maturity models to improve an organization’s cybersecurity. The next two are about capacity. What is the difference, and connection, between maturity and capacity, and why is it important? 
RG: Maturity refers to the “as is” state of an organization’s cybersecurity program compared to its desired “to be” state. Capacity refers to the resources an organization can use to reach the “to be” state. There are two categories of capacity: external and internal. External capacity refers to outside resources — people, processes, and tools — you can hire or purchase to improve maturity. (We’ll discuss external capacity more in our next installment.) Internal capacity refers to in-house people, processes, and tools you can leverage to improve maturity. 

Managers often have an unclear picture of how to use resources to improve cybersecurity. This is mainly because of the many demands found in today's business environments. I recommend managers conduct internal capacity planning. In other words, they need to assess the internal capacity needed to increase cybersecurity maturity. Internal capacity planning can answer three important questions:

1. What are the capabilities of our people?
2. What processes do we need to improve?
3. What tools do we have that can help improve processes and strengthen staff capability?

What does the internal capacity planning process look like?
RG
: Internal capacity planning is pretty easy to conduct, but there’s no standard model. It’s not a noun, like a formal report. It’s a verb — an act of reflection. It’s a subjective assessment of your team members’ abilities and their capacity to perform a set of required tasks to mature the cybersecurity program. These are not easy questions to ask, and the answers can be equally difficult to obtain. This is why you should be honest in your assessment and urge your people to be honest with themselves as well. Without this candor, your organization will spin its wheels reaching its desired “to be” state.

Let’s start with the “people” part of internal capacity. How can managers assess staff?RG: It’s all about communication. Talk to your staff, listen to them, and get a sense of who has the ability and desire for improving cybersecurity maturity in certain subject areas or domains, like Risk Management or Event and Incident Response. If you work at a small organization,  start by talking to your IT manager or director. This person may not have a lot of cybersecurity experience, but he or she will have a lot of operational risk experience. IT managers and directors tend to gravitate toward security because it’s a part of their overall responsibilities. It also ensures they have a voice in the maturing process.

In the end, you need to match staff expertise and skillsets to the maturity subject areas or domains you want to improve. While an effective manager already has a sense of staff expertise and skillsets, you can add a SWOT analysis to clarify staff strengths, weaknesses, opportunities, and threats.

The good news: In my experience, most organizations have staff who will take to new maturity tasks pretty quickly, so you don’t need to hire a bunch of new people.

What’s the best way to assess processes?
RG
: Again, it’s all about communication. Talk to the people currently performing the processes, listen to them, and confirm they are giving you honest feedback. You can have all the talent in the world, and all the tools in the world — but if your processes are terrible, your talent and tools won’t connect. I’ve seen organizations with millions of dollars’ worth of tools without the right people to use the tools, and vice versa. In both situations, processes suffer. They are the connective tissue between people and tools. And keep in mind, even if your current ones are good, most  tend to grow stale. Once you assess, you probably need to develop some new processes or improve the ones in place.

How should managers and staff develop new processes?
RG
: Developing new ones can be difficult  we’re talking change, right? As a manager, you have to make sure the staff tasked with developing them are savvy enough to make sure the processes improve your organization’s maturity. Just developing a new one, with little or no connection to maturity, is a waste of time and money. Just because measuring maturity is iterative, doesn’t mean your approach to maturing cybersecurity has to be. You need to take a holistic approach across a wide range of cybersecurity domains or subject areas. Avoid any quick, one-and-done processes. New ones should be functional, repeatable, and sustainable; if not, you’ll overburden your team. And remember, it takes time to develop new ones. If you have an IT staff that’s already struggling to keep up with their operational responsibilities, and you ask them to develop a new process, you’re going to get a lot of pushback. You and the IT staff may need to get creative — or look toward outside resources, which we’ll discuss in chapter 4.

What’s the best way to assess tools?
RG
: Many organizations buy many tools, rarely maximize their potential. And on occasion, organizations buy tools but never install them. The best way to assess tools is to select staff to first measure the organization’s inventory of tools, and then analyze them to see how they can help improve maturity for a certain domain or subject area. Ask questions: Are we really getting the maximum outputs those tools offer? Are they being used as intended?

I’ll give you an example. There’s a company called SolarWinds that creates excellent IT management tools. I have found many organizations use SolarWinds tools in very specific, but narrow, ways. If your organization has SolarWinds tools, I suggest reaching out to your IT staff to see if the organization is leveraging the tools to the greatest extent possible. SolarWinds can do so much that many organizations rarely leverage all its valuable feature.

What are some pitfalls to avoid when conducting internal capacity planning?
RG
: Don’t assign maturity tasks to people who have been with the organization for a really long time and are very set in their ways, because they may be reluctant to change. As improving maturity is a disruptive process, you want to assign tasks to staff eager to implement change. If you are delegating the supervision of the maturity project, don’t delegate it to a technology-oriented person. Instead, use a business-oriented person. This person doesn’t need to know a lot about cybersecurity — but they need to know, from a business perspective, why you need to implement the changes. Otherwise, your changes will be more technical in nature than strategic. Finally, don’t delegate the project to someone who is already fully engaged on other projects. You want to make sure this person has time to supervise the project.

Is there ever a danger of receiving incorrect information about resource capacity?
RG
: Yes, but you’ll know really quickly if a certain resource doesn’t help improve your maturity. It will be obvious, especially when you run the maturity model again. Additionally, there is a danger of staff advocating for the purchase of expensive tools your organization may not really need to manage the maturity process. Managers should insist that staff strongly and clearly make the case for such tools, illustrating how they will close specific maturity gaps.

When purchasing tools a good rule of thumb is: are you going to get three times the return on investment? Will it decrease cost or time by three times, or quantifiably reduce risk by three times? This ties in to the larger idea that cybersecurity is ultimately a function of business, not a function of IT. It also conveniently ties in with external capacity, the topic for chapter four.

Read our next cybersecurity playbook article, External capacity: Cybersecurity playbook for management #4here.

Article
Tapping your internal capacity for better results: Cybersecurity playbook for management #3

It’s one thing for coaching staff to see the need for a new quarterback or pitcher. Selecting and onboarding this talent is a whole new ballgame. Various questions have to be answered before moving forward: How much can we afford? Are they a right fit for the team and its playing style? Do the owners approve?

Management has to answer similar questions when selecting and implementing a cybersecurity maturity model, and form the basis of this blog – chapter 2 in BerryDunn’s Cybersecurity Playbook for Management.

What are the main factors a manager should consider when selecting a maturity model?
RG: All stakeholders, including managment, should be able to easily understand the model. It should be affordable for your organization to implement, and its outcomes achievable. It has to be flexible. And it has to match your industry. It doesn’t make a lot of sense to have an IT-centric maturity model if you’re not an extremely high-tech organization. What are you and your organization trying to accomplish by implementing maturity modeling? If you are trying to improve the confidentiality of data in your organization’s systems, then the maturity model you select should have a data confidentiality domain or subject area.

Managers should reach out to their peer groups to see which maturity models industry partners and associates use successfully. For example, Municipality A might look at what Municipality B is doing, and think: “How is Municipality B effectively managing cybersecurity for less money than we are?” Hint: there’s a good chance they’re using an effective maturity model. Therefore, Municipality A should probably select and implement that model. But you also have to be realistic, and know certain other factors—such as location and the ability to acquire talent—play a role in effective and affordable cybersecurity. If you’re a small town, you can’t compare yourself to a state capital.

There’s also the option of simply using the Cybersecurity Capability Maturity Model (C2M2), correct?
RG: Right. C2M2, developed by the U.S. Department of Energy, is easily scalable and can be tailored to meet specific needs. It also has a Risk Management domain to help ensure that an organization’s cybersecurity strategy supports its enterprise risk management strategy.

Once a manager has identified a maturity model that best fits their business or organization, how do they implement it?
RG: STEP ONE: get executive-level buy-in. It’s critical that executive management understands why maturity modeling is crucial to an organization's security. Explain to them how maturity modeling will help ensure the organization is spending money correctly and appropriately on cybersecurity. By sponsoring the effort, providing adequate resources, and accepting the final results, executive management plays a critical role in the process. In turn, you need to listen to executive management to know their priorities, issues, and resource constraints. When facilitating maturity modeling, don’t drive toward a predefined outcome. Understand what executive management is comfortable implementing—and what the business or organization can afford.

STEP TWO: Identify leads who are responsible for each domain or subject area of the maturity model. Explain to these leads why the organization is implementing maturity modeling, expected outcomes, and how their input is invaluable to the effort’s success. Generally speaking, the leads responsible for subject areas are very receptive to maturity modeling, because—unlike an audit—a maturity model is a resource that allows staff to advocate their needs and to say: “These are the resources I need to achieve effective cybersecurity.”

Third, have either management or these subject area leads communicate the project details to the lower levels of the organization, and solicit feedback, because staff at these levels often have unique insight on how best to manage the details.

The fourth step is to just get to work. This work will look a little different from one organization to another, because every organization has its own processes, but overall you need to run the maturity model—that is, use the model to assess the organization and discover where it measures up for each subject area or domain. Afterwards, conduct work sessions, collect suggestions and recommendations for reaching specific maturity levels, determine what it’s going to cost to increase maturity, get approval from executive management to spend the money to make the necessary changes, and create a Plan of Action and Milestones (POA&M). Then move forward and tick off each milestone.

Do you suggest selecting an executive sponsor or an executive steering committee to oversee the implementation?
RG: Absolutely. You just want to make sure the executive sponsors or steering committee members have both the ability and the authority to implement changes necessary for the modeling effort.

Should management consider hiring vendors to help implement their cybersecurity maturity models?
RG: Sure. Most organizations can implement a maturity model on their own, but the good thing about hiring a vendor is that a vendor brings objectivity to the process. Within your organization, you’re probably going to find erroneous assumptions, differing opinions about what needs to be improved, and bias regarding who is responsible for the improvements. An objective third party can help navigate these assumptions, opinions, and biases. Just be aware some vendors will push their own maturity models, because their models require or suggest organizations buy the vendors’ software. While most vendor software is excellent for improving maturity, you want to make sure the model you’re using fits your business objectives and is affordable. Don’t lose sight of that.

How long does it normally take to implement a maturity model?

RG: It depends on a variety of factors and is different for every organization. Keep in mind some maturity levels are fairly easy to reach, while others are harder and more expensive. It goes without saying that well-managed organizations implement maturity models more rapidly than poorly managed organizations.

What should management do after implementation?
RG: Run the maturity model again, and see where the organization currently measures up for each subject area or domain. Do you need to conduct a maturity model assessment every year? No, but you want to make sure you’re tracking the results year over year in order to make sure improvements are occurring. My suggestion is to conduct a maturity model assessment every three years.

One final note: make sure to maintain the effort. If you’re going to spend time and money implementing a maturity model, then make the changes, and continue to reassess maturity levels. Make sure the process becomes part of your organizations’ overall strategic plan. Document and institutionalize maturity modeling. Otherwise, the organization is in danger of losing this knowledge when the people who spearheaded the effort retire or pursue new opportunities elsewhere.

What’s next?
RG: Over the next couple of blogs, we’ll move away from talking about maturity modeling and begin talking about the role capacity plays in cybersecurity. Blog #3 will instruct managers on how to conduct an internal assessment to determine if their organizations have the people, processes, and technologies they need for effective cybersecurity.

Read our next cybersecurity playbook article, Tapping your internal capacity for better results: Cybersecurity playbook for management #3, here.

Article
Selecting and implementing a maturity model: Cybersecurity playbook for management #2

Good Practices Are Not Enough

When it comes to IT security, more than one CEO running a small organization has told me they have really good people taking care of “all that.” These CEOs choose to believe their people perform good practices. That may be true, but who defines good practices and how they administer them? And when? If “security is everyone’s job,” then nobody is responsible for getting specific things done. Good practices require consistency, and consistency requires structure.

From an audit perspective, a control not written down does not exist. Why? Because it can’t be tested, measured, or validated. An IT Auditor can’t assess controls if they were never defined. Verbal instruction carries by far the most risk. “I told him to do that,” doesn’t pass the smell test in court.

Why Does it Matter?

Because it’s not IT’s job to write policies. Their job is to implement IT decisions made by management. They’re not at the right level to make decisions that impact the entire organization. Why should small organizations concern themselves with developing policies and procedures? Here are two very good reasons:

1. Regulatory Requirements
2. Lawsuits

No matter how small your organization, if you have a corporate network (even cloud-based) and you store credit card transactions, personal health information, client financial information or valuable intellectual property, being aware of state and federal regulatory requirements for protecting that information is vital. It is the responsibility of management to research and develop a management framework for addressing risk.

Lawsuits happen when information is stolen and/or employees are terminated for inappropriate activities. If you have no policies that mandate what is and isn’t acceptable, and what the penalties are for violations, your terminated employee has grounds for a wrongful termination lawsuit: policy should not be written by the IT Department.

If confidential data you are responsible for is stolen and clients sue you, standing up in court and saying “We don’t have any written policies or procedures,” is a sure way to have both significant financial losses and a negative impact on your reputation. For a small organization, that could mean going out of business.

Even if data is stolen from a third-party vendor who stores your data, your organization owns the data and is responsible for ensuring the data is secure with the vendor and meets organizational requirements. Do you have a vendor management policy? If you work with vendors, you need one.

Consider, too, that every organization expects to grow its business. The longer management doesn’t pay attention to policies and procedures, the more difficult it becomes to develop and implement them.

Medium and Large Organizations Need to Pay Attention, too

A policy document provides a framework for defining activities and decision-making by everyone in the organization. A policy contains standards for the organization, and outlines penalties for non-performance. The organization’s management team or board of directors must drive their creation.
Policies also maintain accountability in the eyes of internal and external stakeholders. Even the smallest organization wants their customers and employees to have confidence the organization is protecting important information. By defining the necessary controls for running business operations that address risk and compliance requirements (and reviewing them annually), your management team demonstrates a commitment to good practices.

Procedures are the “How”

Procedures don’t belong in a policy. Departments need to be able to design their own procedures to meet policy requirements and definitions. HR will have procedures for employee privacy and financial information, finance must manage credit card, student, banking or client financial documentation, and IT will need to develop specific technical procedures to document their compliance with policy.

If all those procedures are in a policy, it makes for unwieldy policy documents that management must review and approve. Departments need to change and update their procedures quickly in order to remain effective. For example, a policy may mandate the minimum number of characters in a password, but IT needs to develop the procedures to implement that requirement on many platforms and devices.

What is a “Plan” Used For?

Consider that organizations commonly have a Business Continuity Plan as well as an Incident Response Plan. How is a “plan” different from a policy or procedure?

A plan (for example, an Information Security Plan, or Privacy Plan, etc.) is a collection of related procedures with a specific focus. I have seen these collections called “programs,” but most organizations use “plan” (plus, the Federal government uses that term). The term “program” implies a beginning and an end, as well as tending to be a little too generic (think “School Lunch Program”).

Three Ways Not to Develop Policies, Procedures and Plans

1.

Getting templates from the Internet. Doing a Google search delivers an overwhelming number of approaches, examples and material. Policy templates found online may not be applicable to your organization’s purpose, or require so much editing they defeat the template’s purpose. 

2.

Alternatively, going to organizational peers can endlessly replicate one poorly developed approach to documentation.

3.

Writing policies and procedures totally focused on meeting one regulatory requirement frequently necessitates a total re-write as soon as the next regulation comes along.

Consider the Unique Aspects of Your Organization

What electronic information does your organization consider valuable? During an assessment with a state university, we discovered that the farm research the agriculture school was performing was extremely valuable. While we started out with questions about student health and financial information, the university realized the research data was equally critical. The information might not have federal or state regulations attached to it, but if it is valuable to your organization, you need to protect it. By not taking a one-size fits all approach to our assessment, we were able to meet their specific needs.

Multiple Departments or Locations? Standardize.

Whether your organization is a university, non-profit organization, government agency, medical center or business, you frequently have sub-entities. Each sub-entity or location may have different terms for different functions. For example, at a recent engagement for another university, Information Security “Programs,” “Plans” and “Policies” meant different things on different campuses. This caused confusion on the part of all stakeholders. It also showed a lack of cohesion in the approach to security of the university as a whole. Standardizing language is one of the best ways to have everyone in the organization on the same page, even if the documents are unique to a location, agency or site. This makes planning, implementation, and system upgrade projects run more effectively.

Demonstrate Competence

No matter what terms your organization chooses, using consistent terms is a good way to demonstrate a thoughtful approach. Everyone needs to be talking the same language. Having documents that specify management decisions provides assurance to internal and external stakeholders. Good policies, procedures and plans can mean the difference between a manageable crisis and a business failure.

To receive IT security updates, please sign up here.

Article
Policies, procedures, and plans—defining the language of your organization

For professional baseball players who get paid millions to swing a bat, going through a slump is daunting. The mere thought of a slump conjures up frustration, anxiety and humiliation, and in extreme cases, the possibility of job loss.

The concept of a slump transcends sports. Just glance at the recent headlines about Yahoo, Equifax, Deloitte, and the Democratic National Committee. Data breaches occur on a regular basis. Like a baseball team experiencing a downswing, these organizations need to make adjustments, tough decisions, and major changes. Most importantly, they need to realize that cybersecurity is no longer the exclusive domain of Chief Information Security Officers and IT departments. Cybersecurity is the responsibility of all employees and managers: it takes a team.

When a cybersecurity breach occurs, people tend to focus on what goes wrong at the technical level. They often fail to see that cybersecurity begins at the strategic level. With this in mind, I am writing a blog series to outline the activities managers need to take to properly oversee cybersecurity, and remind readers that good cybersecurity takes a top-down approach. Consider the series a cybersecurity playbook for management. This Q&A blog — chapter 1 — highlights a basic concept of maturity modeling.

Let’s start with the basics. What exactly is a maturity model?
RG
: A maturity model is a framework that assesses certain elements in an organization, and provides direction to improve these elements. There are project management, quality management, and cybersecurity maturity models.

Cybersecurity maturity modeling is used to set a cybersecurity target for management. It’s like creating and following an individual development program. It provides definitive steps to take to reach a maturity level that you’re comfortable with — both from a staffing perspective, and from a financial perspective. It’s a logical road map to make a business or organization more secure.

What are some well-known maturity models that agencies and companies use?
RG
: One of the first, and most popular is the Program Review for Information Security Management Assistance (PRISMA), still in use today. Another is the Capability Maturity Model Integration (CMMI) model, which focuses on technology. Then there are some commercial maturity models, such as the Gartner Maturity Model, that organizations can pay to use.

The model I prefer is the Cybersecurity Capability Maturity Model (C2M2), developed by the U.S. Department of Energy. I like C2M2 because it directly maps to the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) compliance, which is a prominent industry standard. C2M2 is easily understandable and digestible, it scales to the size of the organization, and it is constantly updated to reflect the most recent U.S. government standards. So, it’s relevant to today’s operational environment.

Communication is one of C2M2’s strengths. Because there is a mechanism in the model requiring management to engage and support the technical staff, it facilitates communication and feedback at not just the operational level, but at the tactical level, and more significantly, the management level, where well-designed security programs start.

What’s the difference between processed-based and capability-based models?
RG
: Processed-based models focus on performance or technical aspects — for example, how mature are processes for access controls? Capability-based models focus on management aspects — is management adequately training people to manage access controls?

C2M2 combines the two approaches. It provides practical steps your organization can take, both operationally and strategically. Not only does it provide the technical team with direction on what to do on a daily basis to help ensure cybersecurity, it also provides management with direction to help ensure that strategic goals are achieved.

Looking at the bigger picture, what does an organization look like from a managerial point of view?
RG
: First, a mature organization communicates effectively. Management knows what is going on in their environment.

Most of them have very competent staff. However, staff members don’t always coordinate with others. I once did some security work for a company that had an insider threat. The insider threat was detected and dismissed from the company, but management didn’t know the details of why or how the situation occurred. Had there been an incident response plan in place (one of the dimensions C2M2 measures) — or even some degree of cybersecurity maturity in the company, they would’ve had clearly defined steps to take to handle the insider threat, and management would have been aware from an early stage. When management did find out about the insider threat, it became a much bigger issue than it had to be, and wasted time and resources. At the same time, the insider threat exposed the company to a high degree of risk. Because upper management was unaware, they were unable to make a strategic decision on how to act or react to the threat.

That’s the beauty of C2M2. It takes into account the responsibilities of both technical staff and management, and has a built-in communication plan that enables the team to work proactively instead of reactively, and shares cybersecurity initiatives between both management and technical staff.

Second, management in a mature organization knows they can’t protect everything in the environment — but they have a keen awareness of what is really important. Maturity modeling forces management to look at operations and identify what is critical and what really needs to be protected. Once management knows what is important, they can better align resources to meet particular challenges.

Third, in a mature organization, management knows they have a vital role to play in supporting the staff who address the day-to-day operational and technical tasks that ultimately support the organization’s cybersecurity strategy.

What types of businesses, not-for-profits, and government agencies should practice maturity modeling?
RG
: All of them. I’ve been in this industry a long time, and I always hear people say: “We’re too small; no one would take any interest in us.”

I conducted some work for a four-person firm that had been hired by the U.S. military. My company discovered that the firm had a breach and the four of them couldn’t believe it because they thought they were too small to be breached. It doesn’t matter what the size of your company is: if you have something someone finds very valuable, they’re going to try to steal it. Even very small companies should use cybersecurity models to reduce risk and help focus their limited resources on what is truly important. That’s maturity modeling: reducing risk by using approaches that make the most sense for your organization.

What’s management’s big takeaway?
RG
: Cybersecurity maturity modeling aligns your assets with your funding and resources. One of the most difficult challenges for every organization is finding and retaining experienced security talent. Because maturity modeling outlines what expertise is needed where, it can help match the right talent to roles that meet the established goals.

So what’s next?
RG
: In our next installment, we’ll analyze what a successful maturity modeling effort looks like. We’ll discuss the approach, what the outcome should be, and who should be involved in the process. We’ll discuss internal and external cybersecurity assessments, and incident response and recovery.

You can read our next chapter, Selecting and implementing a maturity model: Cybersecurity playbook for management #2here.

Article
Maturity modeling: Cybersecurity playbook for management #1