Cyber Security Capacity Maturity Model : cybersecurity beyond compliance

 



In recent years, ‘compliance’ has become a bit of a buzzword within the cyber security sphere. However, whilst companies have been concerning themselves with ticking regulatory boxes, they have lost sight of the outcome.

An outcome-driven approach Instead of conducting box-ticking exercises, organizations should be driving information security priorities and investments with an outcome-driven approach that takes their capabilities into account.

All too often, businesses assume they can quickly adopt new, sophisticated cyber security schemes where no such capabilities have been before. But this is not the case. Information security programs have to go through a maturation process, and these improvements take time. In much the same way you would teach a child to walk before teaching them to run, organizations’ cyber security programs have to grow up — mature — steadily, taking one cautious step at a time.

To understand how ‘mature’ a company’s information security is, cyber security specialists will often use a Capability Maturity Model (CMM) during assessment consulting engagements.

A CMM assesses an organization’s effectiveness at achieving a particular goal and helps to distinguish whether cyber security is baked in or merely bolted on. For business leaders, this is an excellent way to measure the progress made in embedding security into strategic and day-to-day operations.

The different levels of maturity

There are different levels of maturity ranging from non-existent (Level 0) to optimized (Level 5). A CMM will typically describe a range of capabilities you would expect to see in organizations at various stages of information security maturity.

If an organization is at Level 0, there is no evidence of meeting the objective and functions are not applied at all. At Level 1, capabilities and maturity can exist as rudimentary controls with a person as a gatekeeper or a manual process. Functions are ad hoc and loosely organized at this level, and the company has an inconsistent or reactive approach to meeting the objective.

In today’s cyber security climate — where there is an ever-increasing threat landscape — scoring at this initial level is unacceptable for any organization that owns and manages IT assets, or which owes any duties to shareholders, investors, regulators or taxpayers. Yet, despite this, there are still many large corporations, government agencies and universities that sit at these levels.



Developing and defined maturity

At Level 2, businesses progress up the maturity curve with a consistent overall approach to meeting the objective (though this is still primarily reactive and undocumented). They do not routinely measure or enforce policy compliance, although they do have technology as a basic capability. However, whilst companies at Level 2 may have some security processes operating effectively and multiple initiatives under development, they tend to be weak in basic domains such as identity and access management (IAM) or networking zoning and perimeters.

The technology used at Level 2 can be enhanced or extended further at Level 3, where the organization regularly measures its compliance and has a documented, detailed approach to meeting the objective and technical controls. Implementing sophisticated data loss prevention (DLP), security information and event management (SIEM) or privileged access management (PAM) features tends to be difficult until basic IT functions like IAM, asset management and service ticketing are mature enough to support them. But once the basic process and technology infrastructure is in place, risk management, vulnerability management, SIEM, PAM and other programs can go into high gear.



Managed and optimized maturity

High degrees of automation are then introduced at Level 4. At this stage of the maturity curve, companies use an established risk management framework to measure and evaluate risk, integrating improvements beyond the requirements of applicable regulations.organizations with Level 5 maturity capabilities dynamically adapt to the business risk and have significantly refined their standards and practices — focusing on ways to improve their capabilities in the most efficient and cost-effective manner.

Typically, 10 percent of organizations have no real security control and are at Level 0, whilst 20 percent of companies are at Level 1 with initial capabilities established. Around 25 percent of businesses are at Level 2 with repeatable processes and capabilities; however, most organizations (30 percent) are at Level 3 with a defined ISMS (information security management system) and progressive capabilities. Only around 10 percent of companies make it to Level 4 with extensive automation — and even fewer (5 percent) make it to Level 5, where security is adaptable and dynamic in real-time based on business risk.

As an organization progresses up the maturity curve, control efficiency increases and residual risk decreases, which is highly beneficial. How far companies go depends on their appetite for change as there is a significant step-change from one level to the next.



Understanding the assessment process

There are two approaches to assessing a business’ maturity in the context of cyber security service . One involves comparing the organization’s past practices against those described in the levels of each capability to track improvements over time.

The second approach involves comparing a company with its competitors (also known as ‘benchmarking’). Benchmarking is an important indication for organizations to appreciate what level they should be targeting. If their peers are significantly better, it could give them a competitive advantage; if the company is better than its peers, it could potentially relax some controls to take advantage and capture a larger percentage of the available market.



Advertisement

The overall assessment process typically involves five stages. During the initial discovery stage, interviews and onsite workshops should be conducted to understand the current state of the organization’s IT security. It is quite possible to be ISO 27001 certified at a Level 1 Capability Maturity Model; however, this is not necessarily the effectiveness a business may wish to portray to customers, partners and stakeholders. So, it is crucial to define desired outcomes, too.

Next, organizations should baseline the current state across technical, data and business environments — measuring the capability and maturity of each domain and function. This data can then be compared against suitable peer data and average peer data scores at the next stage to make observations on the differential. Through these observations, it is then possible to finalize gaps and identify improvements needed before creating a roadmap to achieve the desired maturity state. Key stakeholders should then be consulted during the final delivery stage of the assessment.

Tighten Up Your Cybersecurity — Contact an A-LIGN Expert Today

Source

Comments

Post a Comment

Popular posts from this blog

SOC 1, SOC 2, and SOC 3 Reports: Type 1, Type 2 or Readiness Assessment?

Image
  SOC reports are gaining in popularity across industries and across the globe. More and more customers are asking for demonstrated SOC compliance, and independent cybersecurity control validation and attestation are becoming necessary to compete for high-priority contracts. Beyond customer demand, SOC reports ensure that controls are properly implemented and used within your organization, greatly reducing potential security threats. For organizations seeking a SOC 1 , SOC 2 , or SOC 3 report, there are two attestation options available: Type 1 and Type 2. Additionally, a readiness assessment can be performed to prepare your organization for the attestation. With so many options, what type is best for your organization to prove compliance? Our experienced assessors break down the options so the path to compliance is clear between SOC 1, SOC 2 and SOC 3. We then dive into the various types of SOC reports: Type 1, Type 2 and a readiness assessment. SOC 1 Report A SOC 1 report foll...
Read more

What is NIST 800-171?

Image
  Your organization can’t afford to lose valuable government contracts. Protect your business by bolstering your organization’s ability to comply with NIST800-171. Government contracts are highly lucrative, but also tough to secure and manage. That’s because the Federal Government deals with a lot of classified and controlled information on a day-to-day basis. Any contractors or subcontractors who wish to work with the Federal government must, therefore, have security procedures in place to protect that sensitive information. National Institute of Standards and Technology (NIST) 800-171 is a mandate that states that federal contractors and subcontractors that handle, transmit, or store controlled unclassified information (CUI) must comply with certain standards to protect that data. Compliance with NIST 800-171 is required under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. What is Controlled Unclassified Information (CUI)? CUI is information crea...
Read more

Federal Compliance 2022: CMMC 2.0, StateRAMP, FedRAMP & Beyond

Image
  With the recent unveiling of CMMC 2.0, the expanded presence of StateRAMP, and new FedRAMP advisory guidelines for external servers, it’s safe to say that 2022 has a lot in store for Federal compliance changes. Tony Bai, A-LIGN’s Federal Practice Lead, and Emily Cummins, Anitian’s Director of Cloud Security, had a chance to sit down and discuss the latest news in federal compliance and what it could mean for your organization. Let’s dive in and get their thoughts on the latest CMMC 2.0 introduction, the new FedRAMP authorization boundary guidance, StateRAMP and more! CMMC 2.0Like everyone else in the world of federal compliance, A-LIGN and Anitian have been closely tracking the Cybersecurity Maturity Model Certification (CMMC) since the U.S. Department of Defense (DoD) shared its initial draft of the model in early 2020. With the release of CMMC 2.0 , three major changes were recently announced: fewer security tiers, removing some third-party assessment requirements, and allo...
Read more