
CMM: cybersecurity beyond compliance

(Image credit: Shutterstock / Rabbit_Photo)

In recent years, 'compliance' has become a bit of a buzzword within the cyber security sphere. However, whilst companies have been concerning themselves with ticking regulatory boxes, they have lost sight of the outcome. 

Compliance measures if a control is in place, but it does not measure the effectiveness of the control. As a result, businesses ask the wrong questions and make poor investment decisions — blinded by shiny new technologies and the coveted stamp of compliance.

An outcome-driven approach 

Instead of conducting box-ticking exercises, organizations should be driving information security priorities and investments with an outcome-driven approach that takes their capabilities into account. 

All too often, businesses assume they can quickly adopt new, sophisticated cyber security schemes where no such capabilities have been before. But this is not the case. Information security programs have to go through a maturation process, and these improvements take time. In much the same way you would teach a child to walk before teaching them to run, organizations’ cyber security programs have to grow up — mature — steadily, taking one cautious step at a time. 

To understand how ‘mature’ a company’s information security is, cyber security specialists will often use a Capability Maturity Model (CMM) during assessment consulting engagements. 

A CMM assesses an organization's effectiveness at achieving a particular goal and helps to distinguish whether cyber security is baked in or merely bolted on. For business leaders, this is an excellent way to measure the progress made in embedding security into strategic and day-to-day operations.

The different levels of maturity 

There are different levels of maturity ranging from non-existent (Level 0) to optimized (Level 5). A CMM will typically describe a range of capabilities you would expect to see in organizations at various stages of information security maturity. 

If an organization is at Level 0, there is no evidence of meeting the objective and functions are not applied at all. At Level 1, capabilities and maturity can exist as rudimentary controls with a person as a gatekeeper or a manual process. Functions are ad hoc and loosely organized at this level, and the company has an inconsistent or reactive approach to meeting the objective. 

In today’s cyber security climate — where there is an ever-increasing threat landscape — scoring at this initial level is unacceptable for any organization that owns and manages IT assets, or which owes any duties to shareholders, investors, regulators or taxpayers. Yet, despite this, there are still many large corporations, government agencies and universities that sit at these levels.

Developing and defined maturity 

At Level 2, businesses progress up the maturity curve with a consistent overall approach to meeting the objective (though this is still primarily reactive and undocumented). They do not routinely measure or enforce policy compliance, although they do have technology as a basic capability. However, whilst companies at Level 2 may have some security processes operating effectively and multiple initiatives under development, they tend to be weak in basic domains such as identity and access management (IAM) or network zoning and perimeters. 

The technology used at Level 2 can be enhanced or extended further at Level 3, where the organization regularly measures its compliance and has a documented, detailed approach to meeting the objective and technical controls. Implementing sophisticated data loss prevention (DLP), security information and event management (SIEM) or privileged access management (PAM) features tends to be difficult until basic IT functions like IAM, asset management and service ticketing are mature enough to support them. But once the basic process and technology infrastructure is in place, risk management, vulnerability management, SIEM, PAM and other programs can go into high gear.

Managed and optimized maturity  

High degrees of automation are then introduced at Level 4. At this stage of the maturity curve, companies use an established risk management framework to measure and evaluate risk, integrating improvements beyond the requirements of applicable regulations. Organizations with Level 5 maturity capabilities dynamically adapt to the business risk and have significantly refined their standards and practices — focusing on ways to improve their capabilities in the most efficient and cost-effective manner. 

Typically, 10 percent of organizations have no real security control and are at Level 0, whilst 20 percent of companies are at Level 1 with initial capabilities established. Around 25 percent of businesses are at Level 2 with repeatable processes and capabilities; however, most organizations (30 percent) are at Level 3 with a defined ISMS (information security management system) and progressive capabilities. Only around 10 percent of companies make it to Level 4 with extensive automation — and even fewer (5 percent) make it to Level 5, where security is adaptable and dynamic in real-time based on business risk.

As an organization progresses up the maturity curve, control efficiency increases and residual risk decreases, which is highly beneficial. How far companies go depends on their appetite for change as there is a significant step-change from one level to the next.

Understanding the assessment process 

There are two approaches to assessing a business's maturity in the context of cyber security. One involves comparing the organization's past practices against those described in the levels of each capability to track improvements over time. 

The second approach involves comparing a company with its competitors (also known as 'benchmarking'). Benchmarking gives organizations an important indication of what level they should be targeting. If its peers are significantly better, they may hold a competitive advantage over the company; if the company is better than its peers, it could potentially relax some controls to take advantage and capture a larger percentage of the available market.

The overall assessment process typically involves five stages. During the initial discovery stage, interviews and onsite workshops should be conducted to understand the current state of the organization's IT security. It is quite possible to be ISO 27001 certified while sitting at Level 1 of a Capability Maturity Model; however, this is not necessarily the effectiveness a business may wish to portray to customers, partners and stakeholders. So, it is crucial to define desired outcomes, too. 

Next, organizations should baseline the current state across technical, data and business environments — measuring the capability and maturity of each domain and function. At the next stage, this data can be compared against suitable peer data and average peer scores to make observations on the differential. Through these observations, it is then possible to finalize the gap analysis and identify the improvements needed before creating a roadmap to achieve the desired maturity state. Key stakeholders should then be consulted during the final delivery stage of the assessment.
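The following is an added illustration of the scoring logic behind the baseline, benchmarking and gap stages described above; it is not the author's or Burning Tree's methodology and no real CMM prescribes these rules. It encodes two points from the article: a compliance checklist only asks whether a control exists, whereas a maturity level requires each rung below it to be in place; and, as the earlier section on Level 3 notes, SIEM, PAM and DLP are hard to run until IAM, asset management and service ticketing can support them. The dependency map, the rule that an advanced capability is capped at one level above its weakest foundation, the domain names, and the peer averages are all assumptions constructed for the example.

```python
"""Toy CMM-style scoring for a cyber security maturity assessment.

Added example, not the article's or Burning Tree's method. The dependency
map and the "one level above the weakest foundation" cap are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

LEVEL_NAMES = {0: "non-existent", 1: "initial", 2: "repeatable",
               3: "defined", 4: "managed", 5: "optimized"}

# Hypothetical dependency map: advanced capability -> foundations it rests on.
PREREQUISITES = {
    "siem": ("iam", "asset_management", "service_ticketing"),
    "pam": ("iam", "service_ticketing"),
    "dlp": ("iam", "asset_management"),
}


@dataclass
class DomainEvidence:
    """Evidence gathered for one domain during discovery and baselining."""
    control_in_place: bool = False               # Level 1: a control or gatekeeper exists
    consistent_approach: bool = False            # Level 2: repeatable, if still reactive
    documented_and_measured: bool = False        # Level 3: documented, compliance measured
    automated_with_risk_framework: bool = False  # Level 4: automation plus risk framework
    risk_adaptive: bool = False                  # Level 5: adapts to business risk dynamically


def checklist_pass(evidence: dict[str, DomainEvidence]) -> bool:
    """What a box-ticking review answers: is some control in place in every domain?"""
    return all(ev.control_in_place for ev in evidence.values())


def raw_level(ev: DomainEvidence) -> int:
    """Level per the article's descriptions; each rung requires every rung below it."""
    ladder = (ev.control_in_place, ev.consistent_approach, ev.documented_and_measured,
              ev.automated_with_risk_framework, ev.risk_adaptive)
    level = 0
    for reached in ladder:
        if not reached:
            break
        level += 1
    return level


def assess(evidence: dict[str, DomainEvidence]) -> dict[str, int]:
    """Baseline every domain, then cap advanced capabilities by their foundations."""
    raw = {domain: raw_level(ev) for domain, ev in evidence.items()}
    scored = {}
    for domain, level in raw.items():
        deps = PREREQUISITES.get(domain, ())
        if deps:
            weakest = min(raw.get(dep, 0) for dep in deps)
            level = min(level, weakest + 1)  # assumed cap rule
        scored[domain] = level
    return scored


def gap_report(scored: dict[str, int], peer_avg: dict[str, float], target: int) -> list[dict]:
    """Benchmark each domain against peer averages and a chosen target level."""
    report = []
    for domain in sorted(scored):
        ours = scored[domain]
        report.append({
            "domain": domain,
            "level": ours,
            "name": LEVEL_NAMES[ours],
            "vs_peers": round(ours - peer_avg.get(domain, 0.0), 1),
            "gap_to_target": max(0, target - ours),
        })
    return report


# Constructed sample: passes every checklist item and believes its SIEM is at
# Level 4, but IAM is still a manual gatekeeper with no consistent approach.
SAMPLE_EVIDENCE = {
    "iam": DomainEvidence(control_in_place=True),
    "asset_management": DomainEvidence(control_in_place=True, consistent_approach=True),
    "service_ticketing": DomainEvidence(control_in_place=True, consistent_approach=True),
    "siem": DomainEvidence(control_in_place=True, consistent_approach=True,
                           documented_and_measured=True, automated_with_risk_framework=True),
}
# Constructed peer averages standing in for the peer data an assessor would bring.
SAMPLE_PEER_AVG = {"iam": 2.8, "asset_management": 2.5, "service_ticketing": 2.6, "siem": 2.4}

if __name__ == "__main__":
    print("compliance checklist passes:", checklist_pass(SAMPLE_EVIDENCE))
    for row in gap_report(assess(SAMPLE_EVIDENCE), SAMPLE_PEER_AVG, target=3):
        print(row)
```

Run against the constructed sample, the checklist passes outright while the SIEM that looks like Level 4 on paper scores Level 2 once the cap is applied, and IAM is the domain with the largest gap to a Level 3 target, which is exactly the kind of finding the roadmap stage would prioritise.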

Richard Menear, CEO, Burning Tree