In my very first virtual CISO role, I walked my client’s Director of Technology through the NIST Cybersecurity Framework and put together a project plan for our first six months.
Client: “Great! So we do all this and we’ll be secure!”
Carlota: “Er, not exactly…you’ll be more secure than you are now. You’ll be at the next Tier of maturity.”
Client: “What does that mean?”
Carlota: “Well, in a Tier 2 Maturity you’re stable and get a solid understanding of security… then we make sure everything’s repeatable to get to Tier 3.”
Client: “Oh, and then we’re secure? We’ll be done?”
Carlota: “Well, you’re never really done with security, you keep maturing your security…”
Client: (exasperated) “What does that mean exactly?”
I pulled up the NIST Maturity Model…and realized by the completely blank look on my client’s face that this did not in any way answer his question. This image for the NIST Maturity Tiers doesn’t describe exactly what Partial, Risk Informed, Repeatable or Adaptive mean. The arrows at least give the impression that you can move between the tiers, but there is absolutely no take-away here for someone who doesn’t have some basic understanding of cybersecurity. Which is most people, and especially at that moment, my client.
Figure 1: NIST Maturity Tiers
I told my client I’d find a better model to review at our next meeting.
I looked for other models, trying my best to set aside my own knowledge and review them as if I knew nothing of security. Doing so, I could see that the CMMC Maturity Levels require that a viewer has some idea of the processes and practices that go into each level in order to be meaningful. Without that prior knowledge, there was little to take away from the model. The “Practices” side gives the impression that there’s a progression in the model from the bottom (Level 1) to the top (Level 5), but if I didn’t already know that most organizations are doing some sort of security (Performing) before they start formalizing it, the rest of the Processes side wouldn’t necessarily make sense.
Figure 2: CMMC Maturity Levels
The NIST Special Publication 800-30 was closer…but the Risk Management Hierarchy only covered a portion of what I wanted in a maturity model. “Risk” is at least business language, but still not the model I needed.
Figure 3: NIST 800-30 Risk Management Hierarchy
Fundamentally, even with documentation, these models are about the security practitioner’s implementation of security processes rather than getting business buy-in to support the security practitioner and program. These models are very much needed – but not very helpful for a vCISO or someone trying to start a security program!
I decided it was probably easier to start from scratch, but surely, someone has encountered and solved this problem before me! I searched the Internet for other maturity models and found some decent ones by consulting groups, but, frankly, I often found the language they used insulting or fueling “FUD” (fear, uncertainty, doubt). These are rampant problems within our industry: security experts talking down to anyone who isn’t a fellow security expert, or using fear to sell security products and services. I realized I could solve two problems with one model – I could make a model meaningful to business professionals while giving a great example of how to talk about security without using a condescending tone or resorting to FUD.
What exactly did I need to communicate to my client?
There were several things I felt were important to communicate to the executive team and board to ensure not just initial, but ongoing support for a security program.
Security has an organizing principle. Even if your organization doesn’t have a security or compliance team, someone or even a whole team is probably practicing good security hygiene in their little corner, or some teams have implemented security basics in response to regulatory and compliance requirements. But the best way to approach security is as an entire organization, and that requires, well, organization!
Your organization’s awareness of security impacts your security maturity. Your organization’s security maturity is directly proportional to the number of people in your organization who understand security basics and practice them. This requires you to have a shared understanding of security throughout your organization – from your employees to your executive team to your board of directors.
Your organization’s culture impacts your security maturity. If your organization is highly siloed or communication across teams is poor, your path to security maturity will be more difficult. A security program may highlight cultural weaknesses.
How you use technology is more important than what you use. You could spend all the money in the world on technology and tooling, but you’ll never achieve security maturity if you’re not using that technology in a way that best supports your organization’s business objectives.
Security requires leadership to stay healthy. The executive team has to be one hundred percent committed to securing your organization for it to be successful. More importantly, they need to have meaningful insights and metrics that help them best understand how security is reducing the organization’s overall business risk, and to understand when they need to invest more into or change how they’re investing in the security program.
Security requires constant vigilance to stay healthy. Security isn’t a “climb to the top of the mountain” activity, where you’re done once you’ve reached the peak! No, security is a “steer the ship through the rocks to keep the boat from running aground” activity. There is almost never a “set it once and done” task or technology in security.
With these things in mind, I drafted the first security maturity model in early 2020. I put it in a GitHub repo so anyone could use it.
Carlota’s Organizational Security Maturity Model
It’s not a “simple” model, but it is a meaningful one. It manages to hit all six of the critical facets I wanted to cover in a single table. I was able to include enough verbiage to make each state meaningful to someone with zero understanding of cybersecurity – and without them having to read a book on it (unless they really want to!).
In addition to hitting the six key talking points, I felt the model embodied security maturity concepts in an eye-catching way that helps a business person rapidly move through it.
The Embodied Concepts
Despite the reliance on verbiage of the organizational security maturity model, there are some key concepts that help move executive teams through the model.
Less Healthy vs More Healthy
I found it was difficult to paint a quick picture or make a quick analogy using the “less mature vs more mature” or “immature vs mature” verbiage – it’s still too focused on the security practitioner experience. Instead, I chose “less healthy vs more healthy”; in discussions, it’s easier to compare the maturity scale to grabbing a candy bar, a granola bar, or a chicken salad for lunch. No matter which one you get, you’re fulfilling the core objective of getting calories into your system. It paints a very quick image that neglecting security, like only ever eating candy bars, leads to increasingly less positive outcomes over time.
Ad Hoc
In the “Ad Hoc” concept, any approach to security is on an individual or team basis and/or security is generally viewed as a problem that can be solved with technology alone. There is no organization-wide approach to or understanding of security, and no centralized ownership of the security strategy.
Compliance-Driven
In the Compliance-Driven concept, government regulations, industry standards or customer expectations drive an organization towards security. Security awareness and collaboration coalesce around compliance needs, shifting security to being a “compliance problem.” Technology emphasis shifts to compliance controls, potentially endangering any focus on business risk.
Risk-Based
In the Risk-Based concept, security becomes a vehicle for managing business risk across the organization. There is a shared understanding of security both across the organization and at the leadership/Board level. Security is viewed as an integral part of any business endeavor, with technology implemented in alignment with business objectives. Security strategy is centralized and has a direct communication line with the Board of Directors.
A Peer Reviewed Model
I shared it with anyone who’d take a look, asking for constructive feedback. I was floored with how many folks asked if they could use it or share it with other CISOs, security architects, and such – organizations large and small in private, public and even government settings seemed to embrace my model! I’ve even heard that a large security vendor’s Customer Success manager uses it to train their team to empathize with and understand the business pressures faced by their customers. Wow!
The Latest Update: Security Maturity, Simplified
I’ve written before about making the decision to close up my solo vCISO consulting practice and joining the team here at Fractional CISO. This model is one of the reasons I chose to join Rob’s team; I knew Rob had an ethos of giving back to the community whenever possible. He appreciated how I’d shared the Organizational Security Maturity Model with the infosec community, and was adamant it should stay open source if I joined the team. Once on board, he even challenged me to simplify the model to fit onto a PowerPoint slide.
This simplified organizational security maturity model has also been added to the Excel file in GitHub (thanks, Rob!).
How to Model Security Maturity
Use the Organizational Security Maturity Model as a guide for meaningful discussions with your executive team and Board of Directors. Start with the embodied concepts to paint the bigger picture, then fill in details with the six key talking points to help leadership understand where the organization as a whole is now, and where they need it to be. Use the simplified version to keep maturity concepts fresh as you give the executive team and Board updates.
In my next blog post, I’ll show you how to operationalize the organizational security maturity model and use it to show the maturity of your security program over time. Until then, feel free to download the security maturity models from GitHub and use them to help your leadership understand security maturity better.