How to bolster cybersecurity defences with security maturity modelling
Tue 23 Mar 2021 | Tim Bandos
Businesses that evaluate their security program under a security maturity model will be far better placed to react to the unexpected
Every modern business faces risk on a near-daily basis, ranging from supply chain stability, to legal liability and acts of God. But being aware of risk and actually taking steps to mitigate it are two different things, with the latter playing a key role in long-term success.
When it comes to cybersecurity, there’s been ongoing debate for many years about the role of security maturity models in helping to successfully mitigate risk, particularly when aligned with overall business strategy and information security programs.
Provided the right processes are followed and regular assessments carried out, businesses that evaluate their security program under a security maturity model will often be far better positioned to respond to sudden or unexpected events. There’s no better example of this than the ongoing pandemic and the unprecedented shift to remote working it’s caused.
Spoilt for choice
Any business looking for potential security maturity models to follow will be spoilt for choice. The earliest known examples date back as far as 1986, and today there’s a plethora of different models available, from a wide range of vendors, industry experts and analysts.
However, while there’s plenty to choose from, many of the models, perhaps unsurprisingly, share the same DNA. Primarily, they all focus on the same key concepts – people, process, policy, technology and the implementation of procedures – and the role each plays in overall security posture.
Not all models are created equal
While many of these models serve as a great conversation starter, a truly mature security program is ultimately about demonstrating competencies and ensuring a business has the processes in place to stay operational irrespective of what surprises may come its way. In this regard, using an appropriate maturity model to assess an existing security program can also help focus efforts on creating an effective roadmap for the future.
Unfortunately, when it comes to practical use, the complexity and subjectivity of some models quickly sees them relegated to interesting, but mainly academic, discussions. Conversely, Forrester Research has recently updated its excellent Information Security Maturity Model, which is based on a rigorous review of the latest ISO, ITIL, NIST and SANS security standards.
Perhaps the biggest benefit of Forrester’s model is how straightforward it is to follow, condensing security maturation into a set of 20 essential activities that are organised around four key competencies: Technology, People, Process and Oversight. Not only does this help simplify a highly complex and expansive subject, it provides a much more pragmatic and actionable blueprint than many other models. In short, it is very user friendly. Below is a look at these four key competencies in more detail:
Technology
This competency focuses on a business’s ability to properly protect data throughout its environment. Businesses must maintain the confidentiality, integrity, and availability of sensitive data wherever it resides – in the cloud and on servers, systems, applications, and endpoint devices.
Organisations also need to be able to “protect proprietary or confidential content from being mishandled,” regardless of where it’s located or hosted. Simply having the required technology in place isn’t enough; these tools need both process and people to oversee them and ensure they’re being run reliably and securely.
Fortunately there are numerous security vendors and specialists out there that can help businesses implement the technology and processes, as well as properly train security teams to ensure key security objectives are being met.
People
When it comes to effective security, people are always the glue that binds everything together. Even with the best technology and processes in place, any business without competent, well-trained people is doomed to fail. Being able to set defined roles and communicate not just internally with the team but across the organisation is key here. Training employees to understand and follow security and risk management objectives is also essential.
Process
As the name suggests, this competency is all about putting processes in place that help to mitigate risk. Having a dedicated threat detection and remediation team that’s constantly assessing threats and monitoring potential security events is critical. So too is assessing third-party vendors, cloud providers and service partners to ensure their own security standards are up to par. According to Forrester, businesses should aim to “increase quality through optimisation” of these programs, helping to minimise disruption in the face of unanticipated events.
Oversight
This final competency is rooted in setting and achieving objectives that support business goals and mitigate risk, mainly through the application of suitable policies and controls. Satisfying this competency also requires an effective approach to risk management, audits, and governance of third parties.
Just like anything, developing a robust security program doesn’t just happen in five minutes; it takes a great deal of time and effort to build up the necessary experience and proficiencies to do it properly.
With that in mind, having a strategy to follow that’s thorough and reliable will greatly increase your chances of success, enabling you to demonstrate maturity to both customers and the wider organisation.
While there are numerous models out there to choose from, the Forrester Information Security Maturity Model stands out as a straightforward and practical blueprint to assist you in advancing your security maturity as effectively as possible.
- Tim Bandos, CISO and VP Managed Security Services at Digital Guardian