Cybersecurity posture is a term used to describe the cybersecurity capabilities of a country, organization or business. There are several tools that have been used to assess cybersecurity posture. An example of such a tool is the International Telecommunications Union's Global Cybersecurity Index (GCI). According to the ITU (n.d.), the GCI is a capacity building tool that assesses countries' commitment to cybersecurity and identifies their cybersecurity posture and areas for improvement. Countries' cybersecurity posture can be evaluated based on their development in the five pillars (legal, technical, organizational, capacity building, and cooperation) identified in the ITU Global Cybersecurity Agenda. Particularly, countries receive GCI scores based on their level of commitment to the five pillars. These scores include initiating (i.e., beginning steps demonstrating commitments to the pillars), maturing (i.e., have commitments to the pillars) and leading (i.e., high commitments to the pillars) (ITU, 2017, p. 13).
The results of the 2017 Global Cybersecurity Index survey survey revealed that half of the responding countries did not have a national cybersecurity strategy (ITU, 2017). The results of the 2017 Global Cybersecurity Index survey also revealed great variation in cybersecurity commitments among states within and outside their regions. The results further revealed that the strength of countries' cybersecurity commitments varied by pillar (i.e., countries scored high in some pillars, and average or low in others) (ITU, 2017; for detailed information about the results, see ITU, 2017). Nevertheless, for efforts to be effective, cybersecurity commitments are needed in all pillars.
The Global Cyber Security Capacity Centre (GCSCC) of the University of Oxford developed the Cybersecurity Capacity Maturity Model (CMM) to assess countries' cybersecurity posture (i.e., maturity of cybersecurity capacity) by examining countries' efforts in "cybersecurity policy and strategy," "cyber culture and society," "cybersecurity education, training and skills," and "legal and regulatory frameworks," and "standards, organisations, and technologies" (Global Cyber Security Capacity Centre, 2016, pp. 10-13). This evaluation informs countries of the state of maturity that they are at: start-up (i.e., no cybersecurity or just starting to develop); formative (i.e., some cybersecurity); established (i.e., cybersecurity in place; minimal consideration of allocation of resources); strategic (i.e., deliberate and calculated choices made about cybersecurity); and dynamic (i.e., cybersecurity adapts to changes in environment and needs) (Global Cyber Security Capacity Centre, 2016, p. 7). The CMM has been used to evaluate numerous countries all over the world individually or as part of a regional study (Global Cyber Security Capacity Centre, 2018). In addition to the CMM, the Global Cyber Security Capacity Centre developed the Cybersecurity Capacity Portal , which includes cybersecurity capacity-building material, best practices, and facilitates information sharing in order to assist countries in enhancing their cybersecurity posture.
Countries have also implemented frameworks to assist public and private sectors in enhancing their cybersecurity postures. A case in point is the US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (published in 2014; revised in 2017 and 2018), which provides guidelines, standards, and best practices to assist public and private sectors in improving their cybersecurity posture. In 2017, the US Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure was passed, which directed federal agencies to utilize this framework to enhance their cybersecurity posture. The framework has also been adopted and/or adapted by private companies and organizations within the United States, and some other countries (e.g., Italy, Uruguay, and Bermuda) (NIST, 2018). The Information Systems Audit and Control Association (now only referred to by its acronym ISACA) developed an audit programme to test the efficacy of the cybersecurity measures that companies, organizations, and agencies implemented utilizing the NIST Framework (ISACA, 2017). Similarly, the Chinese Government regulations such as the Special Regulation on Commercial Bank Information Disclosure and the Measure of Internet Information Security Incident Reporting and the Taiwanese regulation such as Guideline on Reporting Significant Contingent incidents of Banks and Measures on National Information and Communication Security Incident Reporting and Responses are regulations to facilitate the public-private collaboration on cybersecurity (Chang, 2012; Chang et al., 2018).
Recognizing that cybersecurity posture is dependent on the quantity and quality of the cybersecurity workforce, the United States also implemented the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework in 2017. This framework is part of NICE's strategic goals to develop a cybersecurity workforce through the identification of the knowledge, skills, and abilities needed for different cybersecurity positions, and to provide guidance to academia and employers on the creation and implementation of academic programmes and professional training. The worldwide deficit in quantity and quality of cybersecurity professionals drives home the lesson that attention needs to be paid to developing the cybersecurity workforces of most countries (Frost & Sullivan Executive Briefing, 2017).