Why do you measure cybersecurity maturity?


May 12th, 2017
Ed Snodgrass, CISO, Secure Digital Solutions

Maturity is an interesting word. We’ve heard it throughout our lives and it’s had different meanings in different contexts.  As a kid, we heard it from our parents regarding “growing up” and “being more mature”.  We may not have understood it then, but our wise parents knew that “mature” action was important so people would take us seriously.

As life’s path continues, we begin to understand the value of maturity and that it could be compared closely to wisdom.  We begin using what we learn through experiences and applying it to our decision-making process.

Fast forward several decades and we now hear the word maturity in the workplace.  We can see it used in processes, methodologies, rating scales, etc., and from a technology and process standpoint we realized that this concept could be applied to security as well.  Compliance alone didn’t equal secure/safe, we needed to combine that with maturity to achieve our goals.

I had the opportunity to illustrate this concept the other day.  I was trying to explain what my company does to a friend who is not in technology.  Based on his glazed expression, it was clear to me that I wasn’t succeeding.  He understood compliance, but was not grasping the value of maturity and how it was relevant.

I thought about what was personally important to me to secure, and the answer was easy – my family.  I thought about where compliance comes into effect quite clearly – home fire safety.  Using that premise as an example, I asked him to rate his family’s level of home fire safety on a scale of 1-5.  ‘4-5’, was his response.  ‘I have the best smoke alarms money can buy.  I have one on each floor and in each bedroom, as I’m required to do, and in addition to that, I have a fire extinguisher in the house and one in the garage’.

From a compliance lens, his score of 4-5 was likely accurate, and one could say that he had gone above and beyond the minimum standard, but then I challenged him to look at it from a maturity perspective.  He thought about that for a bit and I helped him make the connection by performing an ad-hoc maturity assessment:

  • Do you ever test your smoke alarms?
  • Do you have a regular schedule for replacing the batteries or do you only replace them when the alarm tells you to?
  • Do you have a family communication and logistics plan that you can put into action if an alarm goes off in the middle of the night?
  • Do you practice the plan?
  • Does everyone in your family know where the extinguishers are?
  • Does everyone in your family know how to use the extinguishers, and do they practice using them?

As he thought about each question, I could see the proverbial light bulb go on in his head so I asked him, now that you’ve looked at it from a maturity perspective, what would you rate your level of fire safety?  ‘Probably a 1-2’.  I told him that’s what we do for Cyber Security.   We help customers look at the state of their security environments, not just through the lens of compliance, but by using maturity to understand their capability and capacity for security which, in turn, helps them make critical decisions about what they need to improve.

There are many additional benefits that come from maturity assessments like comparative scoring or KPI’s, trending, transparency, improved communications, making a program more inclusive with other groups/divisions, etc.  That’s why we have developed TrustMAPP. TrustMAPP was created based on a customer need and additionally refined based on customer feedback to automate assessment, forecasting, reporting and planning security program performance. See why your peers are interested in TrustMAPP by taking a product demo.