What a word means depends on where you are
August 31st, 2017
Ed Snodgrass, CISO, Secure Digital Solutions
Here at Secure Digital Solutions (SDS), we get the opportunity to work with many types of customers and many types of security vendors. Each customer has a different understanding of the value of cybersecurity maturity, and each vendor uses the term "security maturity" to describe a different aspect of its solution's functionality. The challenge is that there are as many definitions of maturity as there are customers and vendors. For many customers, the term maturity represents compliance; for many vendors it represents their solution's coverage of the enterprise. It's no wonder this critical security performance metric is so widely misunderstood and, in many cases, misrepresented. Therefore, I will define what cybersecurity maturity means to us at SDS, why it's so important for managing a security organization's performance, and how we use it to help security leaders profile, plan and manage their security organizations.
Simply put, cybersecurity maturity is a means to better understand the capability and capacity of a security organization to perform at a defined level over time, in a way that drives down risk to the business and increases the fiscal responsibility of the security program. It allows for a true picture, based on data, of how well the functions within your security portfolio are performing today, where they need to be to support your own and the company's strategic objectives, and what it will take to get those functions there and keep them there. It eliminates confusion, subjectivity, inefficiency and lack of understanding around the alignment of people, process and technology. It also provides clear enterprise metrics, derived from operational data, with which you can demonstrate and communicate the capabilities of the security organization to business leadership and the Board of Directors. Finally, it not only complements your current level of compliance and risk mitigation but shows your capacity to maintain the required levels of compliance and risk mitigation.
Our TrustMAPP Platform gives customers that visibility regardless of where they might be in their cybersecurity journey, and we've discovered that the journey begins at one of three stages.
- Stage 1: Learning. The security organization is overwhelmed with multiple data sources and needs a way to assess and aggregate them, and to determine what it has and what it's capable of. They use TrustMAPP to discover what cybersecurity maturity is and how it can help.
- Stage 2: Implementing. The security organization understands that cybersecurity maturity is meaningful and can provide value but doesn’t know how to utilize it within their environment. They use TrustMAPP to incorporate cybersecurity maturity as a key performance indicator into their environment.
- Stage 3: Optimizing. The security organization utilizes cybersecurity maturity as a KPI, but assessment, analysis and reporting are expensive, time-consuming manual efforts. They use TrustMAPP to automate and manage these efforts quickly and efficiently.
So, when is the best time to start using cybersecurity maturity? There are some telltale signs to help make the decision. Is there a need or request for additional security KPIs? How is your risk mitigation capability changing over time? Does the board need more than operational metrics? Does the security roadmap need to be communicated more effectively? Are the security resource strategy and technology plan aligned with business objectives and the threat landscape? How do you know you are getting the full value from your current investments?
Cybersecurity maturity can provide answers to these questions and more. TrustMAPP can provide the way to get there.