Where is your company on the cybersecurity journey?

Diego Samuel Espitia    5 May, 2022
Woman working on a computer. Photo: Unsplash

Although the cybersecurity path is not linear and each company has its own characteristics, experience has allowed us to classify companies into five levels of cybersecurity evolution.

The existence of these levels does not imply that all companies must reach the maximum (this depends a lot on the characteristics and size of the organisations), but they must reach an optimal level that reduces the probability of an incident.

In this article, we try to provide companies with a tool to identify where they are, what the challenges are and what they need to do to raise the level of evolution. The aim is to enable them to create their improvement action plan. It is not a definitive guide, but a useful aid to simplify some of the steps indicated by norms or standards without much context.

We will analyse each level in detail, taking into account the network security posture, device security, services and file management.


This kind of organisation makes information management decisions based on recommendations or best practices in the market. They usually see the acquisition of cybersecurity equipment as an expense or a compliance with an industry standard.

This means that the acquisition of cybersecurity elements is not coherent and is done with the sole objective of having minimal control or compliance. On the other hand, there is no security or information management policy that employees or third parties must comply with, therefore exposing their own and their clients’ information.

  • The corporate network usually has perimeter protection systems and browsing controls. This is managed by IT staff, meeting business rather than cybersecurity requirements. No segmentation or device access controls.
  • Remote access to equipment on the network is enabled with the sole control of a username and password, usually shared by several workers, to connect to internal equipment or services from home.
  • The organisation’s computers often have a non-enterprise anti-virus system, which cannot be monitored or controlled from a central system.
  • Operating systems are often not managed for proper updates or configurations, so it is common for computers to coexist with malicious software, undetected.
  • Information in these organisations is not controlled or classified, so any user on the network can access all information without restriction. Managers often generate uncontrolled copies of information and work is not done in teams or with traceability over access to data but is handled independently on users’ devices.
  • Cloud storage systems do not have access control systems enabled, nor are they encrypted. They are often used connected as an additional directory to the users’ operating system, so the main function is as a backup of information.


This kind of organisations start the process of integrating information security in the organisational areas of the company, understanding that in today’s world everything depends on the management of information and therefore cybersecurity is essential for the growth of the company.

The main characteristic of these organisations is that they have a security operations centre (SOC) service, either externally or internally. Allowing correlation and threat detection to be done reactively in the network and based on detection configurations.

  • Such organisations have many cloud services and multiple security devices in the network that send events to the operations centre for threat detection. In some of these cases, the threats that are monitored and alerted originate from external networks, but rarely are internal threats monitored with equal rigour.
  • Security management is usually the responsibility of the technology area, where network administration teams and core security teams are in place to take reactive action on SOC notifications.
  • Users have VPN access for remote connections, controlled through centralised identification systems such as the active directory and monitored from the SOC. However, the networks are not segmented and VPN connections have the same privileges and access as the organisation’s network.
  • User devices are managed from a central administration, which deploys control policies and access permissions, based on user classification, but there are usually local administrators on the machines and administrative users for management or network management.
  • Personal devices are allowed to be connected to the corporate network, allowing possible access by malicious software or the extraction of sensitive information. Given the lack of file controls, this is one of the main causes of information leakage.
  • Non-enterprise backup systems, such as external drives or shared folders in the cloud, have no guarantee of data recovery and are susceptible to data hijacking attacks.
  • Cloud storage systems do not have access control systems enabled, nor are they encrypted. They are often used connected as an additional directory to the users’ operating system, so the main function is as a backup of information.


These companies have systems and infrastructures that allow them to take anticipatory controls, which enables them to base all information security decisions on data and the timely detection of threats, for which they have a security architecture oriented to the challenges involved in information management.

Not only do they have a SOC, but they also carry out an analysis of the internal and external threats that are detected in these systems, in order to implement improvements in controls and corporate information management policies.

  • These organisations use identity management systems to initiate information classification processes and access control improvements. They control not only access to data, but also allow through multiple authentication factors to guarantee a user’s identity, mitigating the most common phishing attacks.
  • In order for this to work properly, corporate controls over network devices and users in the company are in place, allowing not only to detect existing threats, but based on the knowledge and behaviours detected on networks or devices, alerts and controls on suspicious situations can be generated. These implementations use indicators of attack, rather than indicators of compromise, to be proactive in applying control.
  • Another important feature is the level of staff awareness, trained on how to detect threats and which tools to use for business communications, always taking into account the categorisation of documents.

All of the above is managed by a dedicated cybersecurity team, with a management level that allows them to give their opinion and analyse corporate decisions with a vision of data protection and that allows them to have teams specialised in monitoring, incident response, identity management, security architecture, among others.


In these organisations, the platforms, network architecture and corporate procedures are aimed at protecting information and responding in advance to possible threats from the cyber world, generating information protection at any point where it is located and taking care of any way of communicating or connecting to it.

  • The company’s executive management is aware of the importance of information security, therefore, every decision made regarding suppliers, equipment, network deployment, use of cloud services and others, has a prior analysis of the information security area, which in turn ensures that policies and controls are aligned with business objectives.
  • Threat Hunting teams and Incident Response teams are essential in these organisations. In close collaboration with the company’s defence, monitoring and attack teams, they not only analyse alerts from various detection systems, but also, using the attack techniques and tactics disclosed by companies specialising in information security, generate mechanisms for detecting or analysing possible anomalous behaviour.
  • Document management and classification systems are closely integrated with identity management systems, allowing traceability of events on each corporate file and access control based on identities, not only of employees but also of computers or autonomous systems within the network that programmatically have access to company files.

All of this is orchestrated by the security team, which reports directly to the presidency or board of directors, comprising personnel trained in detection, monitoring, threat hunting, attack teams and defence teams, supported by specialised tools for each field and with advanced protection on user devices and network devices, which control access and allow the network architecture to be modified.


This is the highest level of corporate information security management. Its main characteristic is that, by having a solid structure and architecture, it is integrated with intelligent automation platforms, which allow orchestrating the various monitoring, detection and threat hunting systems, using deep learning technology and generating automatic reactions to the various threats or behaviours detected.

  • These companies base their information security operation on Zero Trust, which extends controls to all levels and instances where data is handled, managed, generated or manipulated, regardless of whether they are employees, suppliers, third parties, automated devices or anyone who has access to data.
  • In order to manage these orchestration and automation systems, it is necessary to have specialised cybersecurity personnel and aware employees, in addition to having clear security policies that are closely aligned with the business to avoid friction that can be generated in the application of control.

Leave a Reply

Your email address will not be published.