Cybersecurity Maturity Models
It is probably safe to say that most organisations, small or large, could be doing more to strengthen their Cybersecurity. One of the first challenges they generally encounter, however, is to understand exactly what they should be doing. Without up-to-date visibility of their current Security Posture, it is difficult to identify exactly where weaknesses exist, and investment needs to be focused.
That’s where a Maturity Model could come in use. It can be used as an objective assessment across all the important domains to measure an organisations’ level of Cyber Maturity and identify the actions needed. Cybersecurity, as we all know, requires a big investment of time and resources. A Maturity Model helps identify where you are getting the maximum ‘bang’ from your Cybersecurity ‘buck’.
A Maturity Model can help an organisation assess its effectiveness at achieving a particular goal. In particular, it could be used to pinpoint where practices are lacking and also identify those that are successfully embedded and can reliably and sustainably produce the required outcomes. Maturity Models get beneath the surface of an organisation’s Cybersecurity posture and give the board the means to measure the progress being made in attaining Cybersecurity best practice. In a recent blog, the National Cyber Security Centre (NCSC) described a Maturity Model as something that can “help distinguish between organisations in which security is baked in, and those in which it is merely bolted on.”
Maturity Models work by gauging an organisation’s maturity in a number of areas where you would want to see effective performance. In Cybersecurity, it would gauge the relative maturity of systems and processes, giving an objective assessment of Cybersecurity preparedness – identifying where the organisation is doing well and where improvements are required. The capabilities under assessment might include leadership strength or the information risk management processes in place.
A Maturity Model can do far more than baseline your current Cybersecurity posture; it can also be used to measure the effectiveness of ongoing Cybersecurity programmes, either as an assurance activity during a programme of work or as part of continuous monitoring process. In addition, it can provide the information to drive your Cybersecurity dashboards, helping your board make sense of your Cyber Risk profile. One way it achieves this is by acting as a benchmark, establishing your position in each category against what would be considered excellent in the world at large.
The US Department of Defence (DoD) has recently developed the Cybersecurity Maturity Model Certification (CMMC) to enhance Cybersecurity practices across both the DoD and Defence Industrial Base (DIB). The purpose of the CMMC is to ensure that the more than 300,000 companies comprising the DIB, which regularly store and transmit sensitive DoD data, have Cybersecurity controls in place to protect against Cyberattacks.
Where the US pioneer technology and methodologies, the militaries of the west and indeed the major business enterprises generally follow.