# Opener

The Path to Continuous Cyber Improvement, Step 3: Evaluation of Progress and a View into the Future

Published by Axio

In parts 1 and 2 we spoke about assessing your current state and road-mapping for improvement as well as benchmarking. In part 3, we’ll look ahead and dive into how to measure the progress you make and prepare for the future.

In order to make critical decisions, leadership needs a trusted and succinct summary of progress. A consistent evaluation system gives insight into efficacy and informs decisions that impact the future. It’s necessary for organizations to set targets for the future as technology advances and threats grow. Cyber risk assessments can inform plan creation and program maturity.

Evaluation Inconsistencies Lead to Laborious Tracking

Inconsistent measurement and reporting are major discrepancies in the cybersecurity landscape. Reporting and evaluation of progress is needed in order to make informed cybersecurity decisions. Frequently documenting changes allows organizations to track their progress and identify areas that still need improvement. They can focus on improving from the previous baseline without having to start from square one.

Organizations often manage cyber risk assessments across a series of disconnected tools and systems such as GRCs or spreadsheets that can lead to inconsistent reporting and evaluation. This makes it laborious to manage improvements, so organizations end up sticking with once-a-year assessments. Once-a-year assessments go stale very quickly and can be ineffective since your cyber risk varies throughout the year.

Axio360 is There for Your Major Milestones

Cyber risk assessments can be long and hard to communicate to leadership. To support consistent and effective reporting, Axio360 provides you with the ability to share a single number (out of 1000) with leadership to summarize your risk posture. This score is visualized within a wheel that is divided into functions. This graphic allows you to dive into these functions and understand the strengths and weaknesses. You can easily focus on a specific weakness within a function and develop action items for improvement.  Axio360 captures your journey of improvement in real time. You can easily check off action items as they are completed and establish milestones to identify major improvements to your system.

Establishing Attainable Goals Can Be Difficult

Now that you can assess where you are and how far you’ve come, it’s time to look at where you’ll go. Organizations need to plan for the future in order to continue this path of improvement. A vital step in the journey to continuous improvement is setting targets. It’s impossible for an organization to invest in every control and defend against every cyber event. Teams have a limited amount of time, money and resources to allocate across the needed investments.

Axio has found that clients find it useful to deliberate on each practice and set appropriate targets in a workshop setting. Before deliberation, teams should consider what is feasible within a 24 to 36-month period. The 24 to 36-month outlook makes the deliberation more manageable and helps frame what is realistic and reasonable.

Planning for the Future with Axio360

Axio360 makes it easy to set and adjust targets for continuous cyber improvement. Users can set targets, practice by practice, as they are completing a cyber risk assessment. They can add action items that would help in reaching that target and assign them to teammates right in the platform as they are completing the assessment. Users can also add notes and link evidence in order to communicate with their team through the platform. Our platform makes re-evaluating and adjusting your program easy with our previously mentioned Kanban Board.

Clients can ensure consistency across different business units within their company using target profiles. Organizations can set up a target profile by completing an assessment reflecting a company-wide or even industry standard and share it with each department for reference. Axio360 comes with target profiles reflecting standards set by widely used cybersecurity frameworks like C2M2 and NERC CIP that you can apply to your assessment. Axio360 allows easy communication of requirements and expectations across different business units. In addition to current state benchmarking mentioned in our previous blog, clients can also compare their targets with that of their peers to ensure that they are heading towards the right direction.

Axio360 has you covered whether it’s assessing your current state, progression or future state of your cyber risk program. We are dedicated to our client’s continuous cyber improvement. Get started with Axio360 today regardless of where you are in your cybersecurity journey. As mentioned previously, we support a variety of frameworks such as C2M2, NIST CSF, CMMC, RC3 and more.

In part 4, we’ll discuss how Axio360 can integrate other systems you may use to offer a holistic view into your cyber risk program.