What is a Cybersecurity Maturity Model?

It is a framework of security controls combined with a standardized way of measuring the maturity of each area or pillar. It is repeatable and conforms to a defined process. Because the process is repeatable, the system can be used for measurement. The measured result for each area is referred to as its ‘maturity level’.

The other nice thing about a maturity model is that you and your company can decide where your ideal targets are across the framework, producing a model of what a successful security program looks like for you. Over time you can see whether you’re progressing toward that ideal security state, the one that matches the risk tolerance of the business.

A maturity model uses two things:

  1. A Security Framework
  2. A Measuring Process

Security Frameworks

Who offers security maturity models?

Any security framework can be used, but the two we see leveraged most are those from NIST and the Department of Energy.

Department of Energy – Cybersecurity Capability Maturity Model (C2M2)

The Department of Energy combined a security controls framework with a process for measuring against it. The product of this is their Cybersecurity Capability Maturity Model, otherwise known as C2M2. The C2M2 is free for public use and can be downloaded at www.energy.gov (https://www.energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf). The Department of Energy defines ‘maturity models’ in this product as:

“A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline. Model content typically exemplifies best practices and may incorporate standards or other codes of practice of the discipline.”

Energy.gov uses a scale of maturity indicator levels from 0 – 3. An organization assessing its maturity against this model scores its current security controls across the following ten domains:

(The following domains from energy.gov – Cybersecurity Capability Maturity Model Version 1.1)

Risk Management

Establish, operate, and maintain an enterprise cybersecurity risk management program to identify, analyze, and mitigate cybersecurity risk to the organization, including its business units, subsidiaries, related interconnected infrastructure, and stakeholders.

Asset, Change, and Configuration Management

Manage the organization’s IT and OT assets, including both hardware and software, commensurate with the risk to critical infrastructure and organizational objectives.

Identity and Access Management

Create and manage identities for entities that may be granted logical or physical access to the organization’s assets. Control access to the organization’s assets, commensurate with the risk to critical infrastructure and organizational objectives.

Threat and Vulnerability Management

Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization’s infrastructure (e.g., critical, IT, operational) and organizational objectives.

Situational Awareness

Establish and maintain activities and technologies to collect, analyze, alarm, present, and use operational and cybersecurity information, including status and summary information from the other model domains, to form a common operating picture (COP).

Information Sharing and Communications

Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase operational resilience, commensurate with the risk to critical infrastructure and organizational objectives.

Event and Incident Response, Continuity of Operations

Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events and to sustain operations throughout a cybersecurity event, commensurate with the risk to critical infrastructure and organizational objectives.

Supply Chain and External Dependencies Management

Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities, commensurate with the risk to critical infrastructure and organizational objectives.

Workforce Management

Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and organizational objectives.

Cybersecurity Program Management

Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization’s cybersecurity activities in a manner that aligns cybersecurity objectives with the organization’s strategic objectives and the risk to critical infrastructure.

The guide does a great job of helping organizations decide how to score these areas.

 

NIST Cybersecurity Framework

(https://www.nist.gov/cyberframework)

The NIST Cybersecurity Framework is not a maturity model, but it can be used as one. As the definition at the beginning of this article explained, a maturity model requires both a framework and a repeatable measurement process. NIST offers a framework but doesn’t include a measurement process.

We, at Asher Security, use the NIST framework to perform our Security Maturity Assessments. To do this we leverage an industry-standard measurement process called the ‘Systems Security Engineering Capability Maturity Model’, or SSE-CMM for short.

When you combine the NIST Cybersecurity Framework with SSE-CMM you get a clear picture of your cybersecurity program posture. You are able to measure where you are and to define where you ideally want to be. This shows specific program enhancements across the pillars and sub-control groups.

The NIST Cybersecurity Framework uses five pillars:

Identify / Protect / Detect / Respond / Recover

This is very different from the ten domains of the C2M2 model. Here are the five pillars as defined by NIST:

Identify

The Identify Function assists in developing an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

Protect

The Protect Function outlines appropriate safeguards to ensure the delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.

Detect

The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables the timely discovery of cybersecurity events.

Respond

The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.

Recover

The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident.

 

What’s an example of a cybersecurity maturity model?

Here is an example of a security maturity model. To keep it simple, the example uses three security controls and the C2M2 measurement scale.

Pillar                    Control                                                           Current Score                   Desired  Delta
Vulnerability Management  Identify missing security patches                                 2 – Documented and supported    2        0
Threat Management         Industry-specific threats are identified via threat intelligence  0 – No current practice         2        2
Identity Management       Privileged access is reviewed                                     1 – Ad hoc, no formal process   2        1

If this were our model, we could clearly see upon completion that we’d like to drive improvements in maturity in the areas of Threat Management and Identity Management, with the priority focus on Threat Management because it has the largest delta.

Because the same scoring system and framework can be reused, this scoring provides a current benchmark and a future goal. The assessment can be repeated later to track progress on cybersecurity strategy and initiatives.
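To make the scoring in the table concrete, here is an added Python example (not code from the article or from Asher Security) that models a small maturity assessment: it validates every score against the 0–3 maturity indicator level (MIL) scale, computes each control's delta, orders the gaps by size so the largest delta surfaces first, and diffs a later assessment against the saved benchmark so progress can be tracked over time. The three controls and their scores come from the table above; the follow-up assessment values, the MIL 3 label, and the function and class names are constructed assumptions for illustration.

```python
"""Added example: a small maturity-scoring model in the style of the table above.

Not code from the article or from Asher Security. The 0-3 MIL scale and the
three sample controls with their scores come from the article; the follow-up
assessment, the MIL 3 label and all names are constructed for illustration.
"""
from dataclasses import dataclass

# C2M2 maturity indicator levels 0-3. Labels 0-2 are the ones used in the
# article's table; the MIL 3 label is a constructed placeholder.
MIL_LABELS = {
    0: "No current practice",
    1: "Ad hoc, no formal process",
    2: "Documented and supported",
    3: "Managed and measured (placeholder label)",
}


@dataclass(frozen=True)
class ControlScore:
    pillar: str
    control: str
    current: int   # MIL observed during the assessment
    desired: int   # MIL the business has agreed is the target

    def __post_init__(self):
        # Reject anything outside the scale so a typo cannot silently skew the deltas.
        for name in ("current", "desired"):
            value = getattr(self, name)
            if value not in MIL_LABELS:
                raise ValueError(f"{name}={value!r} is not a MIL in {sorted(MIL_LABELS)}")

    @property
    def delta(self) -> int:
        """Gap to close; 0 means the target is met, negative means above target."""
        return self.desired - self.current


def prioritize(scores):
    """Controls that still have a gap, largest delta first (ties keep input order)."""
    return sorted((s for s in scores if s.delta > 0), key=lambda s: -s.delta)


def render(scores):
    """Plain-text rows that mirror the article's table layout."""
    rows = []
    for s in scores:
        rows.append(f"{s.pillar:<24} {s.control:<66} "
                    f"{s.current} - {MIL_LABELS[s.current]:<28} {s.desired}  {s.delta}")
    return "\n".join(rows)


def progress(baseline, followup):
    """Diff a later assessment against the saved benchmark, control by control.

    Returns {control: (baseline MIL, follow-up MIL, change)}. A control present
    in only one of the two assessments is skipped, since it cannot be compared.
    """
    base = {s.control: s.current for s in baseline}
    return {
        s.control: (base[s.control], s.current, s.current - base[s.control])
        for s in followup
        if s.control in base
    }


# Benchmark: the three controls and scores from the article's example table.
BASELINE = [
    ControlScore("Vulnerability Management", "Identify missing security patches", 2, 2),
    ControlScore("Threat Management",
                 "Industry-specific threats are identified via threat intelligence", 0, 2),
    ControlScore("Identity Management", "Privileged access is reviewed", 1, 2),
]

# Constructed follow-up assessment a year later (values are illustrative only).
FOLLOWUP = [
    ControlScore("Vulnerability Management", "Identify missing security patches", 2, 2),
    ControlScore("Threat Management",
                 "Industry-specific threats are identified via threat intelligence", 1, 2),
    ControlScore("Identity Management", "Privileged access is reviewed", 2, 2),
]


if __name__ == "__main__":
    print(render(BASELINE))
    print("\nPriorities (largest delta first):")
    for s in prioritize(BASELINE):
        print(f"  delta {s.delta}: {s.pillar} / {s.control}")
    print("\nProgress since benchmark:")
    for control, (before, after, change) in progress(BASELINE, FOLLOWUP).items():
        print(f"  {control}: {before} -> {after} ({change:+d})")
```

Running the script as-is prints the baseline table, the two controls with a gap ordered with Threat Management first, and the per-control change against the benchmark. Keeping the scores as data with a fixed scale is what makes the later comparison meaningful: if a follow-up uses a different scale or differently worded controls, `progress()` silently drops the rows it cannot match, which is the signal to reconcile the question set before comparing results.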

 

If this is a maturity model, what is a cybersecurity maturity assessment?

The process of taking a security framework and doing the work of assessing where you are, that is, your current and desired maturity scores, is called a ‘cybersecurity maturity assessment’. This is usually a workshop-style assessment. Depending on the industry you’re in and the access to the key partners required for the assessment, we can usually perform the assessment in three days and provide the results in two weeks.

Three Goals of the Cybersecurity Maturity Assessment

  1. Benchmark your current security capabilities
  2. Set desired goals relative to your company’s risk appetite
  3. Compare where you are to industry standard

Can I perform a cybersecurity maturity assessment myself, like a self-assessment?

Yes, absolutely. The Department of Energy’s C2M2 comes fully equipped and packaged to help you self-assess your security capabilities. For companies that currently base their information security program on the NIST framework, it is more beneficial to use the cybersecurity 2.0 framework as your model for assessment. Because this framework doesn’t include the process model and measurements, you’ll have to invest time in building this process out. This includes designing and building the relevant, appropriately worded questions that map to the controls. You’ll also have to design and build out your measurement answer criteria so that your audience and key partners can answer in a measured and repeatable way. You’ll want to save your questions, your measurement system, and your scores as a benchmark so that you can repeat this process later.

The benefits of hiring an outside cybersecurity consulting firm to perform a cybersecurity maturity assessment are:

  1. Non-biased answers
  2. Ready-to-go, proven question methodology
  3. Industry-approved, standards-based answers
  4. Ability to score and report, bringing the top issues and challenges to the forefront
  5. Comparison against your industry peers

This all translates to cost savings, integrity, and value.

 

How can the results of a cybersecurity maturity assessment be used?

There are usually four outcomes from a maturity assessment:

  1. Drive internal initiatives
  2. Plan external consulting engagements
  3. Plan budget
  4. Report to board

1. Drive Internal Initiatives

The biggest problem we see from our perspective as external security partners is a staff that is frustrated, confused, and feels overwhelmed. The IT or security staff often care a lot about the security of the company, but they have so much going on, don’t have enough budget, don’t have the training they need, and can’t get enough done.

This problem is all related to focus.

The output of a cybersecurity maturity assessment can provide clarity on how IT security staff should focus their time, training, and budgets. When the priorities are clear it brings peace of mind and alleviates the frustration that is common in IT security staff today as they face an endless list of ‘should do’s’.

2. Plan External Consulting Engagements

External consultants can benefit the company by providing skills and efficiency. The two areas where this helps most are niche or highly technical skills, and temporary problems. Take a firewall, for example. It’s a niche product that performs a very specific job and requires someone trained in and familiar with the product. If you upgrade your firewall once every three years, this might qualify for an external consulting engagement.

3. Plan Budget

As we showed earlier in our example assessment, the biggest deltas are going to rise to the surface for attention and review. When the priorities are agreed upon, scoping and estimates can be gathered to work on these priorities. These numbers can be added to the budget for planning.

4. Report to Board

So often the board of directors wants to know the security health and maturity of the company. They’ve seen what can happen to a company that doesn’t address risk appropriately. Cybersecurity maturity assessments are great tools and resources to provide to your board. Often, they are more valuable when performed by an outside consulting firm, so that they are unbiased and include industry comparisons.

Conclusion

Performing a cybersecurity maturity assessment is something we recommend every business with any measurable risk perform on an annual basis.

Using the publicly available tools and methodologies, this discipline has become highly available and accessible to businesses.

Bringing in a specialized outside cybersecurity consulting firm can greatly reduce the burden of performing a self-assessment, provide an unbiased approach, and be additionally beneficial when presenting to the board of directors.

The output of a cybersecurity maturity assessment provides a clear benchmark of your current cybersecurity capabilities and can be used to build a roadmap and strategy toward where you want to be, based on your risk appetite. In addition, the output provides clear and actionable results that make for a happier IT security staff, provide budget numbers, and yield an agreed-upon plan for improvement.

If you want to take the next step, please contact us and we will schedule a time to meet and discuss your current program and what you’d like to get out of this assessment.

 

 

 
