In recent years, ‘compliance’ has become a bit of a buzzword within the cyber security sphere. However, whilst companies have been concerning themselves with ticking regulatory boxes, they have lost sight of the outcome.
Compliance measures if a control is in place, but it does not measure the effectiveness of the control. As a result, businesses ask the wrong questions and make poor investment decisions — blinded by shiny new technologies and the coveted stamp of compliance.
An outcome-driven approach
Instead of conducting box-ticking exercises, organisations should be driving information security priorities and investments with an outcome-driven approach that takes their capabilities into account.
All too often, businesses assume they can quickly adopt new, sophisticated cyber security schemes where no such capabilities have been before. But this is not the case. Information security programs have to go through a maturation process, and these improvements take time.
A Capability Maturity Model (CMM) assesses an organisation’s effectiveness at achieving a particular goal and helps to distinguish whether cyber security is baked in or merely bolted on. For business leaders, this is an excellent way to measure the progress made in embedding security into strategic and day-to-day operations.
There are different levels of maturity ranging from non-existent (Level 0) to optimised (Level 5). A CMM will typically describe a range of capabilities you would expect to see in organisations at various stages of information security maturity.
The different levels of maturity
At Level 1, capabilities and maturity can exist as rudimentary controls with a person as a gatekeeper or a manual process. Level 1 means functions are ad hoc and loosely organised, and the company has an inconsistent or reactive approach to meeting the objective. At Level 2, businesses progress up the maturity curve with a consistent overall approach (although this is still primarily reactive and undocumented) and technology as a basic capability. That technology can be enhanced or extended further at Level 3, where the organisation has a documented, detailed approach to meeting the objective.
High degrees of automation are then introduced at Level 4. At this stage of the maturity curve, companies use an established risk management framework to measure and evaluate risk, integrating improvements beyond the requirements of applicable regulations. Organisations with Level 5 maturity capabilities dynamically adapt to the business risk and have significantly refined their standards and practices — improving their capabilities in the most efficient and cost-effective manner.
Typically, 10% of organisations have no real security control and are at Level 0, whilst 20% of companies are at Level 1 with initial capabilities established. Around 25% of businesses are at Level 2 with repeatable processes and capabilities; however, most organisations (30%) are at Level 3 with a defined ISMS (information security management system) and progressive capabilities. Only around 10% of companies make it to Level 4 with extensive automation — and even fewer (5%) make it to Level 5, where security is adaptable and dynamic in real time based on business risk.
As an organisation progresses up the maturity curve, control efficiency increases and residual risk decreases, which is highly beneficial. How far companies go depends on their appetite for change as there is a significant step-change from one level to the next.
Understanding the assessment process
There are two approaches to assessing a business’s maturity in the context of cyber security. One involves comparing the organisation’s past practices against those described in the levels of each capability to track improvements over time.
The second approach involves comparing a company with its competitors (also known as ‘benchmarking’). Benchmarking is an important indicator of the level an organisation should be targeting. If its peers are significantly better, that could give those peers a competitive advantage; if the company is better than its peers, it could potentially relax some controls to take advantage and capture a larger percentage of the available market.
The overall assessment process typically involves five stages. During the initial discovery stage, interviews and onsite workshops should be conducted to understand the current state of the organisation’s IT security. It is quite possible to be ISO 27001 certified at a Level 1 CMM; however, this is not necessarily the effectiveness a business may wish to portray to customers, partners and stakeholders. So, it is crucial to define desired outcomes, too.
Next, organisations should baseline the current state across technical, data and business environments — measuring the capability and maturity of each domain and function. This data can then be compared against suitable peer data and average peer data scores at the next stage to make observations on the differential. Through these observations, it is then possible to finalise gaps and identify improvements needed before creating a roadmap to achieve the desired maturity state. Key stakeholders should then be consulted during the final delivery stage of the assessment.