Today’s security leaders drive change across business strategy, technology, compliance and legal, and operations. Yet even as the scope has widened, the fundamental questions remain the same: Where are we today? Where are our benchmarks and targets? How can we best close the gap?
A risk-based maturity approach is often being employed to answer these questions. Such a model, when fully considered, is comprised of the following three components:
- Controls Framework – this could be a top-level framework such as ISO 27001-27002 and NIST 800-53, industry frameworks such has NERC CIP and PCI DSS, or third-party frameworks such as the CIS Critical Security Controls
- Maturity Framework – the most common is the Capability Maturity Model Integration (CMMI), however, various standards have specific maturity frameworks and some organizations have developed internal maturity models
- Cultural Framework – the most common is the Security Culture Framework
All three frameworks yield the deepest insights into the current state and provide the clearest answers into potential improvements. That said, an assessment can be performed using simply the controls framework to get a quick read. It is up the organization to determine the level of effort to invest in the assessment. For the rest of this article, we will assume that all three frameworks are in play.
In a risk-based maturity approach, having determined the frameworks, the security leader and his team then complete the following ten-step process:
- Assess the security program’s controls and compliance to the control framework
- For each implemented control, assess the current people, processes, and technologies
- Perform both process validation (is it functioning as designed) and technical validation (is the control sufficient) to ensure the control addresses the risk
- For each implemented and functioning control, assess the maturity and identify improvements
- Document implemented controls that is not addressing the risk, and missing controls
- Analyze the organization’s capabilities and constraints for these missing controls (see our previous article on Action-Oriented IT Risk Management)
- Develop a project plan for immediate, short-term, mid-term, and long-term improvements in the control
- Create a communications plan and project metrics to ensure that these improvements change the culture as well as changing the security posture, using a cultural framework
- Execute the plan
- Re-assess the controls, maturity, and culture on a regular basis to adjust the plan
The above ten-step process establishes, maintains, and improves the quality of risk management program and overall security posture. It baselines the current program and provides a roadmap for making process and technical improvements. Each improvement is tracked technically (does it work), procedurally (is it sustainable), and culturally (is it implicitly performed). Culture is key, turning the IT risk program into a set of behaviors adopted by the entire organization. When everyone does their part to protect the organization, without the need for excessive oversight and intervention, the security leader moves from day-to-day supervision and toward strategy and value.
Controls, maturity, culture: three levers for advancing the security program and elevating the leader’s role.
Cross-posetd at http://content.cbihome.com/blog/it_maturity