Editor’s note: The concept of cybermaturity has gained increased attention in recent years, while still not being well-understood in many circles across the industry. Kelly Hood, CISSP, CDPSE, Cybersecurity Engineer at Optic Cyber Solutions, recently visited with ISACA Now to provide her perspective on cybermaturity – why it matters and how organizations can make and measure progress on their cybermaturity journeys. The following is a transcript of the interview. For more cybermaturity resources, find out about ISACA’s CMMI® Cybermaturity Platform.
ISACA Now: Why is the concept of cybermaturity so important for organizations?
KH: It’s important to consider the maturity of an organization’s cybersecurity program to gain an understanding of the sophistication of the capabilities they have in place. There are many ways to implement cybersecurity capabilities and it’s clear that one size does not fit all. Cybermaturity provides a mechanism for companies to define the “right-size” for their specific needs and demonstrate growth in their cybersecurity practices. It’s important for organizations to consider their unique risks and determine the “right-sized” capabilities and processes needed to manage their cybersecurity risks at the appropriate maturity level.
ISACA Now: What tend to be some of the most common gaps organizations have in their cyber capabilities?
KH: When implementing cybersecurity capabilities, companies need to consider their people, processes, and technologies to ensure they have a comprehensive and reliable program. Many companies focus primarily on technology practices since they often provide very tangible results and can be automated to simplify workflows. In recent years, we have been seeing a more concerted focus on people, ensuring that personnel are aware of their cybersecurity responsibilities and are provided adequate training to prevent cybersecurity incidents. However, most companies tend to overlook processes, assuming that if the technology is configured appropriately and their personnel are doing good things, then documented processes are unnecessary. This causes issues in organizations because it often leads to inconsistent implementation of capabilities due to varying understanding of goals and priorities.
ISACA Now: How long does it typically take for organizations to make meaningful progress in addressing those gaps?
KH: Making meaningful progress towards maturing an organization’s cybersecurity program can often take multiple years. Small improvements can be made quickly, but program-wide maturity takes time. Typically, the hardest part of closing gaps and implementing improvements comes from achieving stakeholder buy-in to receive funding and training personnel to embrace the new culture of cybersecurity.
ISACA Now: What role can frameworks play in organizations advancing their cybermaturity?
KH: Frameworks play a meaningful role in maturing an organization’s program by defining desired cybersecurity outcomes. Frameworks typically define the “what” needs to occur, but it’s up to the organization to take that a step further by assessing their risk to determine “how much” or “how mature” they need to be. Often, cybermaturity is used as a scale to measure the implementation of capabilities from a cybersecurity framework.
ISACA Now: What type of reports do you consider to be most helpful and actionable for executives and boards in interpreting where their organization stands on this journey?
KH: The best reports on cybermaturity clearly define where an organization is today in comparison with where they need to be or where they came from. As with any large project, milestones and goals are important for measuring the progress of cybersecurity improvements. Establishing these milestones set the expectations as well as the pace of improvement throughout the organization. Monitoring and communicating these milestones helps organizations stay on track and aware of where they stand today. This can be done in many ways, from showing bar charts demonstrating maturity level comparisons, to a description of risk-based gaps in their cybersecurity program. As a specific type of report is selected, it’s important to remember what the executives are looking for and how your reports are related to their priorities in order to drive actionable outcomes that reduce cybersecurity risks.