Evaluating the Security Maturity Level of a Company

Upload: deirdre-gregory

Post on 22-Dec-2015

Brian Krebs (http://krebsonsecurity.com/) pondered the difference between organizations that really make cybersecurity a part of their culture and those that merely pay it lip service. When the phrase “security maturity” came to mind, Brian thought for sure he had conceived of an original idea and catchy phrase.

The graphic on the next slide, produced last year by the Enterprise Strategy Group (http://www.esg-global.com/), does a nice job of explaining why some companies just don’t get it when it comes to taking effective measures to manage cyber risks and threats.

Experience is the best teacher here: Data breaches have a funny way of forcing organizations — kicking and screaming — from one vertical column to another in the Security Maturity matrix. Much depends on whether the security professionals in the breached organization have a plan (ideally, in advance of the breach) and the clout for capitalizing on the brief post-breach executive attention on security to ask for changes and resources that can assist the organization in learning from its mistakes and growing.

http://krebsonsecurity.com/2015/04/whats-your-security-maturity-level/

Security Maturity Level

But the Security Maturity matrix doesn’t just show how things are broken: It also provides a basic roadmap for organizations that wish to change that culture. Perhaps unsurprisingly, entities that are able to manage that transition typically have a leadership that is invested in and interested in making security a core priority. The real trick is engineering ways to influence the leadership, with or without the fleeting momentum offered by a breach.

At last week’s RSA Security Conference in San Francisco, Brian had a chance to meet up with Demetrios “Laz” Lazarikos, the former chief information security officer at Sears. Now founder of the security consultancy www.blue-lava.net, Laz spends a great deal of time trying to impress upon his clients the need to take the security maturity model seriously. Demetrios’ sliding scale, which measures maturity in terms of preparedness and expectations, is on the next slide.

Security Maturity Level

Brian likes Laz’s models because they’re customized to every organization, breaking down each business unit into its own security maturity score. The abbreviations in the graphic below — SDLC and PMO — stand for “security development life cycle” and “project management office,” respectively. Dark red boxes (marked with a “1”) indicate areas where the organization’s business unit needs the most work.

Laz’s security maturity hierarchy includes five levels:

Level 1 – Information Security processes are unorganized, and may be unstructured. Success is likely to depend on individual efforts and is not considered to be repeatable or scalable. This is because processes would not be sufficiently defined and documented to allow them to be replicated.

Level 2 – Information Security efforts are at a repeatable level where basic project management techniques are established and successes can be repeated. This is due to processes being established, defined, and documented.

Level 3 – Information Security efforts have greater attention to documentation, standardization, and maintenance support.

Level 4 – At this level, an organization monitors and controls its own Information Security processes through data collection and analysis.

Level 5 – This is an optimizing level where Information Security processes are constantly being improved through monitoring feedback from existing processes and introducing new processes to better serve the organization’s particular needs.

Security Maturity Level

As noted by the reviewers of Brian’s article:

For CISA or CISM people, we highly reference the COBIT maturity levels.

For laughs though, we sometimes refer to this article in Wikipedia: http://en.wikipedia.org/wiki/Capability_Immaturity_Model

Security Maturity Level

0 : Negligent

The organization pays lip service, often with excessive fanfare, to implementing engineering processes, but lacks the will to carry through the necessary effort. Whereas CMM level 1 assumes eventual success in producing work, CIMM level 0 organizations generally fail to produce any product, or do so by abandoning regular procedures in favor of crash programs.

Capability Immaturity Model

-1 : Obstructive

Processes, however inappropriate and ineffective, are implemented with rigor and tend to obstruct work. Adherence to process is the measure of success in a Level -1 organization. Any actual creation of viable product is incidental. The quality of any product is not assessed, presumably on the assumption that if the proper process were followed, high quality is guaranteed. This is the most common level achieved by most organizations that pursue CMM ratings.

However, Level -1 organizations believe fervently in following defined procedures, but lacking the will to measure the effectiveness of the procedures they rarely succeed at their basic task of creating work. Unfortunately, this behavior is inherent in the CIMM evaluation process. Since many government agencies will only award contracts over a certain monetary value to organizations that can pass a CIMM-3 or higher SCAMPI appraisal, management may be willing to accept inefficiencies to win these lucrative contracts. Government contracting models in which organizations are paid not for the value of their products but by the number of hours spent building them reward organizations for performing non-value-added activities related to CIMM compliance. Thus, government contractors with CIMM ratings may be more profitable than non-CIMM rated companies regardless of the quality of the work they produce.

Capability Immaturity Model

-3 : Undermining

Undermining organizations routinely work to downplay and sabotage the efforts of rival organizations, especially those successfully implementing processes common to CMM level 2 and higher. This behavior may involve competing for scarce resources, drawing those resources from more effective departments or organizations.

Capability Immaturity Model

The CRR is a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices.

The Department of Homeland Security (DHS) partnered with the Computer Emergency Response Team (CERT) Division of Carnegie Mellon University’s Software Engineering Institute to create the CRR. The CRR is a derivative of the CERT Resilience Management Model (RMM) (http://cert.org/resilience/rmm.html) tailored to the needs of critical infrastructure owners and operators.

https://www.us-cert.gov/ccubedvp/self-service-crr

Cyber Resilience Review (CRR)

The Risk IT Framework fills the gap between generic risk management frameworks and detailed (primarily security-related) IT risk management frameworks. It provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues. In summary, the framework will enable enterprises to understand and manage all significant IT risk types, building upon the existing risk-related components within the current ISACA frameworks, i.e., COBIT and Val IT.

http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/The-Risk-IT-Framework.aspx

ISACA Risk IT Framework

The DOE, in consultation with industry SMEs, published and maintains 3 different versions of its Cybersecurity Capabilities Maturity Model (C2M2). Two are sector specific (electricity, and oil and gas), and the third is sector neutral. Word from utilities who’ve subjected themselves to this process has been very positive.

http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-c2m2-program

Cybersecurity Capabilities Maturity Model (C2M2)

The Cybersecurity Capability Maturity Model (C2M2) program is a public-private partnership effort that was established as a result of the Administration’s efforts to improve electricity subsector cybersecurity capabilities, and to understand the cybersecurity posture of the grid. The C2M2 helps organizations—regardless of size, type, or industry—evaluate, prioritize, and improve their own cybersecurity capabilities.

C2M2 program goals:

Strengthening organizations’ cybersecurity capabilities;

Enabling organizations to effectively and consistently evaluate and benchmark their cybersecurity capabilities;

Sharing knowledge, best practices, and relevant references across organizations as a means to improve cybersecurity capabilities;

Enabling organizations to prioritize actions and investments to improve cybersecurity; and

Supporting adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Cybersecurity Capabilities Maturity Model (C2M2)

The C2M2 program comprises three cybersecurity capability maturity models:

The Cybersecurity Capability Maturity Model (C2M2)

The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)

The Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2) 

http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-c2m2-program

Cybersecurity Capabilities Maturity Model (C2M2)