Leveraging Cybermaturity to Right-Size Cybersecurity

Author: Paul Thompson, Optic Cyber Solutions
Date Published: 8 February 2022
Related: CMMI Cybermaturity Platform

We hear the word “cybermaturity” tossed around quite often these days, but what does it mean? Cybermaturity is a state describing the sophistication, or rigor, of one’s cybersecurity capabilities and processes. In other words, it is the sufficiency of defenses that are put in place to protect from a breach of confidentiality, integrity or availability. However, to truly understand the level of sophistication required, we need to know how one becomes cyber-mature in the first place. This can be done using a risk-based approach to security.

Let us start with understanding what we have and what we are trying to protect – data. An essential step to knowing what data needs protecting is knowing what data you have. Every organization uses data in different ways. An analysis of what data an organization consumes, collects and produces will lay the blueprint for what data needs protecting as well as what data is most important. Since not all data is the same, the manner and care in which it must be protected vary depending on its importance to an organization (or an attacker). Identifying the value of organizational data allows for a better understanding of protection requirements. Like with anything of value, data comes with a risk of loss (e.g., financial, reputational). Determining the risks associated with data is the first crucial step in understanding how mature to build a cybersecurity program.

Risks to data are determined by analyzing the likelihood of an event occurring that will have a negative effect (e.g., ransomware, natural disaster, theft) and the impact that harmful event will have on an organization (e.g., lost revenue, degradation of customer trust). Once a risk determination is made, a benchmark for the desired state of an organization’s cybersecurity capabilities is developed, known as a target maturity level. Maturity models provide a tiered approach, each level building on the previous, to develop a comprehensive scale by which an organization can measure its cybersecurity program. The target maturity level provides a measure of the sophistication of the security capabilities needed to properly safeguard data and minimize risk. Some organizations will find that their maturity targets are lower than others. Remember, not every bank needs to be Fort Knox. The lower the associated risk, the lower the maturity target may be, and the fewer capabilities may be required to manage that risk appropriately.

With a maturity target and a direction defined for the cybersecurity program, an organization must gain insight into the current state of its capabilities. An assessment of the current state of a cybersecurity program provides awareness of existing defenses and develops an understanding of the current measured maturity level. Compare the measured maturity level to the target maturity level to discern the gaps between them. These gaps are essentially a roadmap for how to build a more robust, or mature, cybersecurity program to best manage risk and develop capabilities to achieve the target maturity level.
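As an added illustration that is not part of the article or of any ISACA tooling, the sequence just described (score risk per data asset, derive a target maturity level, compare it with the measured level per capability domain, and order the gaps by risk) in runnable form. The 1-5 scales, the risk-to-target thresholds, the domain names and the sample assets are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed scales (constructed for this example, not from any standard): likelihood
# and impact scored 1 (low) to 5 (high); maturity levels 1 to 5; risk = likelihood * impact.
RISK_TO_TARGET = [(20, 5), (12, 4), (6, 3), (0, 2)]  # (minimum risk score, target level)

@dataclass(frozen=True)
class DataAsset:
    name: str
    likelihood: int   # 1-5: how likely a harmful event is
    impact: int       # 1-5: how much harm it would do
    domains: tuple    # capability domains protecting this asset (hypothetical names)
    def risk(self) -> int:
        return self.likelihood * self.impact

def target_level(risk: int) -> int:
    """Map a risk score to a target maturity level via the constructed thresholds."""
    for min_risk, level in RISK_TO_TARGET:
        if risk >= min_risk:
            return level
    return 1

def gap_roadmap(assets, measured):
    """Target vs measured maturity per domain, riskiest and widest gaps first.
    A domain's target is set by the highest-risk asset it protects; a negative
    gap means the domain is already more mature than its data requires."""
    targets = {}  # domain -> (target level, driving risk score)
    for asset in assets:
        risk = asset.risk()
        candidate = (target_level(risk), risk)
        for domain in asset.domains:
            if candidate > targets.get(domain, (0, 0)):
                targets[domain] = candidate
    roadmap = []
    for domain, (target, risk) in targets.items():
        current = measured.get(domain, 1)  # unassessed domains assumed at level 1
        roadmap.append({"domain": domain, "target": target, "measured": current,
                        "gap": target - current, "risk": risk})
    roadmap.sort(key=lambda row: (-row["risk"], -row["gap"]))
    return roadmap

def open_gaps(assets, measured):  # only domains that actually need investment
    return [row for row in gap_roadmap(assets, measured) if row["gap"] > 0]

# Constructed sample data inventory and assessment results.
ASSETS = [
    DataAsset("customer PII", 4, 5, ("access control", "data protection")),
    DataAsset("public marketing copy", 2, 1, ("data protection", "backup")),
]
MEASURED = {"access control": 3, "data protection": 2, "backup": 3}
```

Note that "backup" comes out with a negative gap: it is more mature than the low-risk marketing copy requires, which is the "not every bank needs to be Fort Knox" case.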

Once we understand how to measure cybermaturity, evaluate our target maturity and identify our current maturity, we can begin maturing our cybersecurity program. Maturing a cybersecurity program is an ongoing process. What data an organization possesses, what requires protection and what level of protection is needed are all aspects of an organization that change over time. This can often make assessing and managing the maturity of a cybersecurity program a challenging task. Not every organization has the time or resources to fully analyze its program, and some may simply lack the expertise. With that in mind, it is important to understand that there are tools available to assist organizations in assessing their unique cybermaturity level and to provide insights into how to build stronger, more rigorous cybersecurity capabilities.

Maturity in a cybersecurity program has been around for some time now and various models exist to assist organizations in building a better program. The Capability Maturity Model (CMM) developed in 1986 is one such framework. Leveraging CMM, the concept of maturity has provided organizations a means to benchmark against industry standards, develop a roadmap to strengthen security capabilities and better communicate with stakeholders about the needs of the organization.

ISACA’s CMMI Cybermaturity Platform (CCP) builds on CMM and can help organizations develop sophisticated cybersecurity programs utilizing a risk-based solution established on industry standards. The CCP’s easy-to-use architecture simplifies security gap analysis and provides a risk-prioritized roadmap of improvements tailored to any organization. The roadmap helps organizations achieve their target maturity by identifying specific practices that must be implemented to meet maturity goals. The CCP also contains graphical representations of an organization’s measured versus target maturity. This allows effortless communication with stakeholders surrounding security needs required to close any gaps and enables clear visualization of the intended direction of the cybersecurity program.