Enterprise cybersecurity maturity: a key to digital resilience and continued operation

With the development of diverse ICT technologies, enterprises are constantly facing various evolving cybersecurity threats. The cybersecurity unit within an enterprise has transformed from a support role to an important strategic unit. This trend has driven enterprises to develop assessment mechanisms for cybersecurity management maturity in order to ensure the operational continuity of the enterprise in the event of a cybersecurity incident.

Currently, most cybersecurity management maturity assessment frameworks are based on the Cybersecurity Framework (CSF) published by the U.S. National Institute of Standards and Technology (NIST). The CSF maps its controls to six widely adopted standards as informative references, including the information security management system standard ISO/IEC 27001:2013, the U.S. federal security and privacy control catalog NIST SP 800-53 Rev. 4, and the industrial control system standard ISA 62443-3-3:2013.

In May 2017, Executive Order 13800, signed by then-President Trump, mandated the NIST Cybersecurity Framework for risk management across all 190 U.S. federal agencies. Originally developed by the U.S. government to improve the cybersecurity of critical infrastructure, the framework has since gained recognition from numerous organizations and businesses worldwide. It not only influences cybersecurity regulations for critical infrastructure in many countries but also serves as a valuable benchmark for businesses strengthening their information and network security.

7 Steps to Help Enterprises Improve Cybersecurity Maturity

What sets the CSF apart from other cybersecurity standards is its emphasis on first identifying the controls that meet an organization's needs, then prioritizing cybersecurity risks across the organization and addressing the most serious gaps first. The CSF's seven-step approach assists organizations in conducting a cybersecurity risk assessment, determining their maturity within the framework, establishing a complete management cycle, and gradually improving overall cybersecurity maturity.

Step 1: Prioritize and scope: identify the business lines and systems in scope and their risk tolerance.
Step 2: Orient: identify the related systems, assets, regulatory requirements and overall risk approach.
Step 3: Create a Current Profile: describe which Subcategory outcomes are achieved today.
Step 4: Conduct a risk assessment.
Step 5: Create a Target Profile: describe the outcomes the organization needs to achieve.
Step 6: Determine, analyze and prioritize the gaps between the Current and Target Profiles.
Step 7: Implement the action plan.
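Steps 3 to 6 are the part of the cycle that can be computed rather than merely described. The script below, an added example that is not from the original article, scores each CSF Subcategory at its current Implementation Tier (Step 3), records the target tier (Step 5) and a risk bucket from the risk assessment (Step 4), and then produces the prioritized gap list of Step 6. The Subcategory identifiers are real NIST CSF 1.1 IDs; the tiers, targets and risk weights are constructed sample data for a hypothetical organization, and the priority formula (gap multiplied by risk) is an assumed scheme, not one prescribed by NIST.

```python
"""CSF gap analysis (Steps 3-6): Current Profile vs Target Profile.

Added example, not code from the original article. Subcategory IDs are real
NIST CSF 1.1 identifiers; the tiers, targets and risk weights below are
constructed sample data for one hypothetical organization.
"""
from dataclasses import dataclass

# CSF Implementation Tiers (NIST CSF 1.1, Section 2.2)
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Subcategory:
    id: str          # e.g. "PR.AC-1"
    function: str    # Identify / Protect / Detect / Respond / Recover
    current: int     # tier observed today (Step 3, Current Profile)
    target: int      # tier required (Step 5, Target Profile)
    risk: int        # 1..5 bucket from the risk assessment (Step 4); assumed scale


def validate(sc: Subcategory) -> None:
    """Reject profiles with tiers or risk values outside the defined scales."""
    if sc.current not in TIERS or sc.target not in TIERS:
        raise ValueError(f"{sc.id}: tiers must be 1..4")
    if not 1 <= sc.risk <= 5:
        raise ValueError(f"{sc.id}: risk must be 1..5")


def gap(sc: Subcategory) -> int:
    """Tier gap; zero or negative means the control already meets its target."""
    return sc.target - sc.current


def priority(sc: Subcategory) -> int:
    """Step 6 prioritization (assumed scheme): larger gaps on riskier controls first.
    A control at or above target scores 0."""
    return max(gap(sc), 0) * sc.risk


def prioritized_gaps(profile: list[Subcategory]) -> list[tuple[str, int, int]]:
    """Return (subcategory id, gap, priority) for every control below target,
    highest priority first; ties are broken by id so the output is deterministic."""
    for sc in profile:
        validate(sc)
    open_gaps = [(sc.id, gap(sc), priority(sc)) for sc in profile if gap(sc) > 0]
    return sorted(open_gaps, key=lambda t: (-t[2], t[0]))


def maturity_by_function(profile: list[Subcategory]) -> dict[str, float]:
    """Average current tier per CSF Function, the figure a maturity report shows."""
    totals: dict[str, list[int]] = {}
    for sc in profile:
        totals.setdefault(sc.function, []).append(sc.current)
    return {fn: round(sum(v) / len(v), 2) for fn, v in totals.items()}


# Constructed sample profile (not real assessment data).
SAMPLE_PROFILE = [
    Subcategory("ID.AM-1", "Identify", current=2, target=3, risk=3),  # device inventory
    Subcategory("PR.AC-1", "Protect",  current=1, target=3, risk=5),  # identities, credentials
    Subcategory("PR.DS-1", "Protect",  current=3, target=3, risk=4),  # data at rest
    Subcategory("DE.CM-1", "Detect",   current=1, target=3, risk=4),  # network monitoring
    Subcategory("RS.RP-1", "Respond",  current=2, target=3, risk=2),  # response plan
    Subcategory("RC.RP-1", "Recover",  current=3, target=2, risk=1),  # recovery plan
]

if __name__ == "__main__":
    for sc_id, g, p in prioritized_gaps(SAMPLE_PROFILE):
        print(f"{sc_id}: gap {g} tier(s), priority {p}")
    print(maturity_by_function(SAMPLE_PROFILE))
```

With the sample data, PR.AC-1 (identity and credential management) comes out first: it has the largest tier gap and the highest risk weight, which is exactly the "address the most serious gaps first" ordering the framework calls for. Controls already at or above target, such as RC.RP-1, are left off the action plan rather than being worked on for their own sake.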

Five key aspects for establishing a risk management cycle

The CSF assesses an organization's protection level and capabilities across five Functions: Identify, Protect, Detect, Respond and Recover. Beneath them sit 23 Categories and 108 Subcategories of control outcomes, from which organizations select the controls appropriate to their cybersecurity needs and against which they review their maturity. Its core principle is to give enterprises a sustainable, repeatable maturity assessment framework.

  • Identify: Develop the organizational understanding needed to manage cybersecurity risk to systems, people, assets, data, and capabilities.
  • Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
  • Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond: Develop and implement appropriate activities to take action on a detected cybersecurity incident.
  • Recover: Develop and implement appropriate activities to restore any capabilities or services impaired by a cybersecurity incident.

Cybersecurity maturity is beginning to emerge among Taiwanese industries.

In the past, organizations typically promoted cybersecurity by introducing an information security management system. With the development of ICT and changing threat trends, cybersecurity maturity self-assessment has become an important practice alongside internal ICT security audits and related cybersecurity drills.

The concept of cybersecurity maturity has gradually taken shape in Taiwan, even becoming a focal point in 2021. To implement cybersecurity, the Taiwanese government began promoting this concept as early as 2014. The National Cybersecurity Development Plan has continuously guided government agencies in adopting cybersecurity governance maturity assessment models. Recently, domestic policies have been introduced to promote this concept across various industries, especially manufacturing and finance. Many cybersecurity companies have also proposed cybersecurity maturity assessment mechanisms to provide corporate clients and suppliers with a reference for evaluating their own cybersecurity maturity.

In September 2020, SecPaas, a cybersecurity integration service platform developed by the Industrial Technology Research Institute (ITRI) under the Industrial Development Bureau of the Ministry of Economic Affairs, launched the "Cybersecurity Maturity Rating Service." Meanwhile, the Financial Supervisory Commission's (FSC) Action Plan for Financial Security, proposed in August 2020, also included new measures such as studying and establishing a methodology for assessing the maturity of financial institutions' cybersecurity governance, and encouraging financial institutions to implement such assessments.

Besides government agencies and large enterprises, the concept of cybersecurity maturity can also be helpful for small and medium-sized enterprises (SMEs) in the country. It allows enterprises to assess their current situation and set goals, thereby accelerating the targeted and continuous improvement of their cybersecurity capabilities.

With the rapid development of technology, industries have moved from digitalization to intelligentization. In the face of significantly increased operational cybersecurity risk, the effectiveness of cybersecurity management should be the primary consideration. By adopting a maturity model, quantifying cybersecurity weaknesses against the needs and risks the enterprise actually faces, and adjusting cybersecurity policies and rules in a timely manner, enterprises can strengthen the digital resilience of their cybersecurity defenses and their ability to respond to threats.

The 2021 amendment to the Industrial Innovation Act added cybersecurity products and services to the investment tax credit program.

The Industrial Innovation Act, promulgated and implemented by the Ministry of Economic Affairs in May 2010, has proven effective in promoting domestic industrial innovation and enhancing industrial competitiveness. To capitalize on the post-pandemic trend of smart transformation and improve the overall cybersecurity capabilities of the nation and its industries, the Executive Yuan approved a draft amendment to the Act on November 25, 2021. The amendment extends the tax credit period for investments in smart machinery and 5G systems to the end of 2024 and brings cybersecurity investments into the incentive program. The aim is to accelerate the adoption of cybersecurity tools across industries through short-term tax incentives, so that Taiwanese industries gain customer trust in the international supply chain, can respond to increasingly serious cyberattacks and threats, and build a domestic cybersecurity defense system. It is also intended to encourage cybersecurity suppliers to invest in innovative R&D, increase opportunities for cybersecurity companies to prove their capabilities in Taiwan, develop domestic cybersecurity capacity, and further penetrate the global market.

This amendment adds cybersecurity products or services to the investment tax credit. For investments in smart machinery, 5G systems or cybersecurity products and services totaling more than NT$1 million but not more than NT$1 billion in the same year, from 2022 to 2024, the amount can be credited against the corporate income tax. If the credit is taken in the year of the expenditure, the rate is 5%; if it is spread over three years, the rate is 3% per year. In either case the credit is capped at 30% of the tax payable in any one year.

For example, if the combined investment in the listed items reaches NT$1 million, NT$50,000 (5%) can be credited against the profit-seeking enterprise income tax in the current year.

The newly added investment credit items are shown in the attached diagram for reference. (Source: Amendment to Article 10-1 of the Industrial Innovation Act, Ministry of Economic Affairs.)
