Archive for August, 2015

IT Maturity: The First Ten Steps to a Secure Future

Today’s security leaders drive change across business strategy, technology, compliance and legal, and operations. Yet even as the scope has widened, the fundamental questions remain the same: Where are we today? Where are our benchmarks and targets? How can we best close the gap?

A risk-based maturity approach is often employed to answer these questions. Such a model, when fully considered, comprises the following three components:

  • Controls Framework – this could be a top-level framework such as ISO 27001-27002 and NIST 800-53, an industry framework such as NERC CIP and PCI DSS, or a third-party framework such as the CIS Critical Security Controls
  • Maturity Framework – the most common is the Capability Maturity Model Integration (CMMI), however, various standards have specific maturity frameworks and some organizations have developed internal maturity models
  • Cultural Framework – the most common is the Security Culture Framework

Together, all three frameworks yield the deepest insights into the current state and provide the clearest answers about potential improvements. That said, an assessment can be performed using only the controls framework to get a quick read. It is up to the organization to determine the level of effort to invest in the assessment. For the rest of this article, we will assume that all three frameworks are in play.

In a risk-based maturity approach, having determined the frameworks, the security leader and his team then complete the following ten-step process:

  1. Assess the security program’s controls and compliance to the control framework
  2. For each implemented control, assess the current people, processes, and technologies
  3. Perform both process validation (is it functioning as designed) and technical validation (is the control sufficient) to ensure the control addresses the risk
  4. For each implemented and functioning control, assess the maturity and identify improvements
  5. Document implemented controls that are not addressing the risk, and missing controls
  6. Analyze the organization’s capabilities and constraints for these missing controls (see our previous article on Action-Oriented IT Risk Management)
  7. Develop a project plan for immediate, short-term, mid-term, and long-term improvements to the controls
  8. Create a communications plan and project metrics to ensure that these improvements change the culture as well as changing the security posture, using a cultural framework
  9. Execute the plan
  10. Re-assess the controls, maturity, and culture on a regular basis to adjust the plan

The above ten-step process establishes, maintains, and improves the quality of the risk management program and the overall security posture. It baselines the current program and provides a roadmap for making process and technical improvements. Each improvement is tracked technically (does it work), procedurally (is it sustainable), and culturally (is it implicitly performed). Culture is key, turning the IT risk program into a set of behaviors adopted by the entire organization. When everyone does their part to protect the organization, without the need for excessive oversight and intervention, the security leader moves away from day-to-day supervision and toward strategy and value.

Controls, maturity, culture: three levers for advancing the security program and elevating the leader’s role.

Cross-posted at

Friday Books and Talks 08/28/2015

Everyone Communicates, Few Connect
by John C. Maxwell

In Everyone Communicates, Few Connect, world-renowned leadership expert John C. Maxwell says if you want to succeed, you must learn how to connect with people. And while it may seem like some folks are just born with it, the fact is anyone can learn how to make every communication an opportunity for a powerful connection. In this book summary, Maxwell offers his proven method — Five Principles and Five Practices — so you can connect one-on-one, in a group, or with an audience.


BSides: Broadening the Horizons of Information Security

Posted on TripWire: BSides: Broadening the Horizons of Information Security

With access to further reaches of the security community, new ideas and research are never far behind.

“The folks who attend these conferences tend to be geared towards learning something new,” reflects Irfahn Khimji, senior information security engineer at Tripwire. “As a result, they always ask great questions.”

J Wolfgang Goerlich, strategist with CBI and an organizer of BSides Detroit, shares Irfahn’s thoughts on BSides’ learning potential: “The movement has become a staple of the security industry. It has made it easier than ever for the local communities to come together, share and commiserate, and learn what is working and what is coming next. BSides also provides a platform for new speakers and new content, filling a vital role in developing talent.”

Mentorships, new people, and new ideas–that is just some of what BSides has to offer.

Read the full article at


Friday Books and Talks 08/21/2015

Leading Outside the Lines
by Jon R. Katzenbach, Zia Khan

An all-new approach to understanding the (in)formal connections of an organization
From the bestselling coauthor of the business classic The Wisdom of Teams comes an all-new exploration of the modern workplace, and how leaders and managers must embrace it for success. Katzenbach and Khan examine how two distinct factions together form the bigger picture for how organizations actually work: the more defined “formal” organization of a company (the management structure, performance metrics, and processes) and the “informal” (the culture, social networks, and ad hoc communities that spring up naturally and can accelerate or hinder how the organization works). With dynamic examples from enterprises around the world, this book takes a timeless organizational approach and creates a powerful paradigm-shifting tool set for applying it. Leading Outside the Lines illustrates how leaders can make the two distinct factions work together to get the best of both.

Exploiting Chaos
by Jeremy Gutsche

In this executive book summary of Exploiting Chaos, one of the best trend spotters in North America reveals powerful strategies for thriving in any economic climate. Author Jeremy Gutsche offers examples of successful iconic companies — Disney, Hyatt, MTV, and more — that started during periods of recessions, arguing that periods of uncertainty actually fuel opportunity, reshuffle the deck and change the rules of the game.

Friday Books and Talks 08/14/2015

Improv Wisdom: Don’t Prepare, Just Show Up
by Patricia Ryan Madson

In an irresistible invitation to lighten up, look around, and live an unscripted life, a master of the art of improvisation explains how to adopt the attitudes and techniques used by generations of musicians and actors. Improv Wisdom shows how to apply the maxims of improvisational theater to real-life challenges—whether it’s dealing with a demanding boss, a tired child, or one of life’s never-ending surprises. Patricia Madson distills thirty years of experience into thirteen simple strategies, including “Say Yes,” “Start Anywhere,” “Face the Facts,” and “Make Mistakes, Please,” helping readers to loosen up, think on their feet, and take on everything life has to offer with skill, chutzpah, and a sense of humor.

Insanely Simple
by Ken Segall

Simplicity isn’t just a design principle at Apple—it’s a value that permeates every level of the organization. It’s what helped Apple recover from near death in 1997 to become the most valuable company on earth in 2012. This book makes you a fly on the wall inside a conference room with Steve Jobs, and on the receiving end of his midnight phone calls. You’ll understand how his obsession with Simplicity helped Apple perform better and faster, sometimes saving millions in the process. You’ll discover how companies that leverage this power can stand out from competitors—and individuals who master it can become critical assets to their organizations.