In my very first virtual CISO role, I walked my client’s Director of Technology through the NIST Cybersecurity Framework and put together a project plan for our first six months.
Client: “Great! So we do all this and we’ll be secure!”
Carlota: “Er, not exactly…you’ll be more secure than you are now. You’ll be at the next Tier of maturity.”Client: “What does that mean?”Carlota: “Well, in a Tier 2 Maturity you’re stable and get a solid understanding of security… then we make sure everything’s repeatable to get to Tier 3.”
Client: “Oh, and then we’re secure? We’ll be done?”Carlota: “Well, you’re never really done with security, you keep maturing your security…”
Client: (exasperated) “What does that mean exactly ?”
I pulled up the NIST Maturity Model…and realized by the completely blank look on my client’s face that this did not in any way answer his question. This image for the NIST Maturity Tiers doesn’t describe exactly what Partial, Risk Informed, Repeatable or Adaptive mean. The arrows at least give the impression that you can move between the tiers, but there is absolutely no take-away here for someone who doesn’t have some basic understanding of cybersecurity. Which is most people, and especially at that moment, my client.
Figure 1: NIST Maturity Tiers I told my client I’d find a better model to review at our next meeting.
I looked for other models, trying my best to set aside my own knowledge and review them as if I knew nothing of security. Doing so, I could see that the CMMC Maturity Levels requires that a viewer has some idea of the processes and practices that go into each level in order to be meaningful. Without that prior knowledge, there was little to take away from the model. The “Practices” side gives the impression that there’s a progression in the model from the bottom (Level 1) to the top (Level 5), but if I didn’t already know that most organizations are doing some sort of security (Performing) before they start formalizing it, the rest of the Processes side wouldn’t necessarily make sense.
Figure 2: CMMC Maturity Levels The NIST Special Publication 800-30 was closer…but the Risk Management Hierarchy only covered a portion of what I wanted in a maturity model. “Risk” is at least business language, but still not the model I needed.
Figure 3: NIST 800-30 Risk Management Hierarchy Fundamentally, even with documentation, these models are about the security practitioner’s implementation of security processes rather than getting business buy-in to support the security practitioner and program. These models are very much needed – but not very helpful for a vCISO or someone trying to start a security program!
I decided it was probably easier to start from scratch, but surely, someone has encountered and solved this problem before me! I searched the Internet for other maturity models and found some decent ones by consulting groups, but, frankly, I often found the language they used insulting or fueling “FUD” (fear, uncertainty, doubt). These are rampant problems within our industry: security experts talking down to anyone who isn’t a fellow security expert, or using fear to sell security products and services. I realized I could solve two problems with one model – I could make a model meaningful to business professionals while giving a great example of how to talk about security without using a condescending tone or resorting to FUD.
What exactly did I need to communicate to my client? There were several things I felt were important to communicate to the executive team and board to ensure not just initial, but ongoing support for a security program.
Security has an organizing principle
Your organization’s awareness of security
Your organization’s culture
How you use technology what you use .Security requires leadership Security requires constant vigilance
Security isn’t a “climb to the top of the mountain” activity, where you’re done once you’ve reached the peak! No, security is a “steer the ship through the rocks to keep the boat from running aground” activity. There is almost never a “set it once and done” task or technology in security.a GitHub repo so anyone could use it.
Carlota’s Organizational Security Maturity Model
It’s not a “simple” model, but it is a meaningful one. It manages to hit all six of the critical facets I wanted to in a single table. I was able to include enough verbiage to make each state meaningful to someone with zero understanding of cybersecurity – and without them having to read a book on it (unless they really want to!).
In addition to hitting the six key talking points, I felt the model embodied security maturity concepts in an eye-catching way that helps a business person rapidly move through it.
The Embodied Concepts
Despite the reliance on verbiage of the organizational security maturity model, there are some key concepts that help move executive teams through the model.
Less Healthy vs More Healthy
I found it was difficult to paint a quick picture or make a quick analogy using the “less mature vs more mature” or “immature vs mature” verbiage – it’s still too focused on the security practitioner experience. Instead, I chose “less healthy vs more healthy;” in discussions, it’s easier to compare the maturity scale to grabbing a candy bar, a granola bar, or a chicken salad for lunch. No matter which one you get, you’re fulfilling the core objective of getting calories into your system. It paints a very quick image that neglecting security, like only ever eating candy bars, leads to increasingly less positive outcomes over time.
Ad Hoc
In the “Ad Hoc” concept, any approach to security is on an individual or team basis and/or security is generally viewed as a problem that can be solved with technology alone. There is no organization-wide approach to or understanding of security, and no centralized ownership of the security strategy.
Compliance-Driven
In the Compliance-Driven concept, government regulations, industry standards or customer expectations drive an organization towards security. Security awareness and collaboration coalesces around compliances needs, shifting security to being a “compliance problem.” Technology emphasis shifts to compliance controls, potentially endangering any focus on business risk.
Risk-Based
In the Risk-Based concept, security becomes a vehicle for managing business risk across the organization. There is a shared understanding of security both across the organization and at the leadership/Board level. Security is viewed as an integral part of any business endeavor, with technology implemented in alignment with business objectives. Security strategy is centralized and has a direct communication line with the Board of Directors.
A Peer Reviewed Model
I shared it with anyone who’d take a look, asking for constructive feedback. I was floored with how many folks asked if they could use it or share it with other CISOs, security architects, and such – organizations large and small in private, public and even government settings seemed to embrace my model! I’ve even heard that a large security vendor’s Customer Success manager uses it to train their team to empathize with and understand the business pressures faced by their customers. Wow!
The Latest Update: Security Maturity, Simplified I’ve written before about making the decision to close up my solo vCISO consulting practice and joining the team here at Fractional CISO . This model is one of the reasons I chose to join Rob’s team; I knew Rob had an ethos of giving back to the community whenever possible. He appreciated how I’d shared the Organizational Security Maturity Model with the infosec community, and was adamant it should stay open source if I joined the team. Once on board, he even challenged me to simplify the model to fit onto a PowerPoint slide.
This simple organizational maturity model maturity model has also been added to the Excel File in GitHub (thanks, Rob!).
How to Model Security Maturity Use the Organizational Security Maturity Model as a guide for meaningful discussions with your executive team and Board of Directors. Start with the embodied concepts to paint the bigger picture, then fill in details with the six key talking points to help leadership understand where the organization as a whole is now, and where they need it to be. Use the simplified version to keep maturity concepts fresh as you give the executive team and Board updates.
In my next blog post, I’ll show you how to operationalize the organizational security maturity model and use it to show the maturity of your security program over time. Until then, feel free to download the security maturity models from GitHub and use them to help your leadership understand security maturity better.
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.
