What’s Your Security Maturity Level?


Unfortunately, most organizations only learn the value of maturing their security and integrating it into their culture after a costly data breach has occurred. According to IBM’s Cost of a Data Breach Report 2020, this could be a multi-million, or even billion, dollar mistake.

There’s also never been a more crucial time to assess and improve your cybersecurity maturity than the present. Not only are we facing an increasingly diverse landscape of cyberthreats with increasingly sophisticated tactics, but we’re also entering the hybrid/remote work era as well as facing a shortage of talent and leadership in the infosec space.


LIFARS’ CISO as a Service is designed to address organizations’ information security leadership needs. Our CISOs are highly skilled at establishing, improving, and transforming cybersecurity programs focused on maximizing business value by minimizing risks and optimizing opportunities.


If you’re wondering what exactly is meant by “Security Maturity,” this security maturity model by the Enterprise Strategy Group lays it out:

Table 1

According to ESG, roughly 20% of organizations fall in the Basic, 60% in Progressing, and the remaining 20% in the Advanced category.

This maturity model by ESG takes a general approach: it categorizes the overall attitude toward, and dedication to, security within an organization rather than any specific control set.

Using this model as a benchmark, you can establish your organization’s maturity level by assessing how closely your relationship with security matches one of the three categories. That being said, where do you go once you’ve identified your security maturity level?

Unfortunately, it does not go as far as to provide a framework for helping to achieve higher levels of maturity.

However, ESG does provide advice for organizations at each level:

Basic organizations must find immediate help: The first step on the way to progress is realizing that you have a problem. Once you identify your shortcomings, you should immediately try to proactively rectify them before an issue occurs. For many organizations, it may make more sense to partner with a managed security service provider than to blindly try to build up security teams, resources, leadership, and processes from the ground up.

Progressing organizations need to take a “big picture” approach: Organizations that are trying to improve their security maturity but have not yet done so will most likely face challenges in balancing this work with their day-to-day core activities. These organizations need to play the long game and take the slow, but data-driven, approach. This means assessing their security needs, conducting penetration and live tests, and finding ways to align cybersecurity with business and IT.

Advanced organizations need a three- to five-year plan: Unfortunately, cybersecurity is not a one-off deal. TTPs, malware, exploits and vulnerabilities, and the cybersecurity threat landscape as a whole are evolving and changing by the day. CISOs and other decision-makers need to recognize the inherent difficulties in integrating cybersecurity technologies and practices. However, they should also keep their eye on the prize and construct a medium- to long-term plan to achieve their desired cybersecurity maturity level. This plan should lay out timeframes, phases, and metrics to assess the success of cybersecurity strategies.

The good news is that there are plenty of other paradigms that can help you analyze your current maturity and provide concrete steps to mature it further.

For example, the CREST Incident Response Maturity Assessment specifically helps assess the status of an organization’s cybersecurity incident response capability. It consists of 5 maturity levels: foundation, emerging, established, dynamic, and optimized. It also provides a roadmap that consists of 15 steps across 3 phases to improve your incident response maturity:

Cyber Security Incident Graphic

On the CREST website, you can even find spreadsheets and other resources to help you calculate the IR maturity of your organization.

No matter which model you end up employing, they typically involve a number of common steps:

  • Assess your current security readiness
  • Set goals in terms of your target maturity level, including timeframes and phases
  • Don’t treat it as a set-it-and-forget-it solution; keep refining your cybersecurity through data collection, analysis, and iterative improvements

One thing demanded by all maturity models is total buy-in across the organization as to why cybersecurity should be prioritized and integrated into its processes and culture. All stakeholders must be involved and have a part to play, even non-infosec personnel. This is the only way that the proper time, money, and effort will be invested to see results and truly meaningful change.




Cost of a Data Breach Report 2020

Cyber Security Incident Response Maturity Assessment