Cybersecurity Maturity 101

Rich Caralli

With the announcement of the Cybersecurity Maturity Model Certification (CMMC) model and program, the practice of cybersecurity will undergo significant evolution, as the concepts that transformed manufacturing, software engineering, and service delivery begin to find their way into how cybersecurity programs are developed, deployed, operationalized, and measured for effectiveness.  As you begin to consider taking a maturity approach to your cybersecurity program, and how that can benefit your business, it’s helpful to understand the origins of the “maturity” concept as it has been applied to quality control and process improvement.

One of the earliest and most well-known applications of maturity concepts to process improvement is found in manufacturing, specifically in quality control. In the book “Quality is Free: The Art of Making Quality Certain,” author Philip B. Crosby describes the Quality Management Maturity Grid (QMMG), which gives organizations a way to benchmark the maturity of their processes and the extent to which those processes are embedded in the culture—a journey from uncertainty to certainty.

A decade later, the Software Engineering Institute at Carnegie Mellon University pondered whether Crosby’s concepts could be applied to other processes, such as software development. As a result, the SEI published the Capability Maturity Model (CMM) and set in motion a new way of thinking about the evolving practice of software engineering. At its core, the CMM defined a way to objectively evaluate the maturity of software development processes, which, by implication, should provide more predictability and measurability of the outcomes of those processes. Indeed, if your organization scored high on the maturity scale, that score was expected to indicate better software, delivered on time and on budget with fewer defects. In reality, a high-maturity organization does not always produce great software, but the structure provided by maturing processes surely gives it a better chance at more predictable and repeatable outcomes.

For the sake of time, let’s skip over 30 years of maturity model evolution to today.  Crosby’s assertions in the QMMG defined attributes that any good cybersecurity program would highly value:  a means of benchmarking current practices, embedding cybersecurity in the “way we work,” and providing more certainty in a field that is fundamentally challenged by uncertainty.  Who will attack us?  How and when will they do it?  Will we be able to detect it before it causes impact?  One of the ways to reduce some of the inherent uncertainty in cybersecurity is to ensure that critical activities performed by the cybersecurity program have more predictability in their outcomes; that they achieve what they set out to do, the achievements can be measured, and deficiencies can be corrected in a continuous way—in essence, applying a process improvement approach to the field of cybersecurity.

But, what does it mean to mature a cybersecurity practice or process, and how will I know when I get there?  Maturing cybersecurity isn’t dependent on some magical formula.  In a nutshell, it comes down to measuring five key attributes of every cybersecurity practice or process:

  • Do you perform the basic cybersecurity practices, albeit in an ad hoc way? Are the results of your work consistent? Do you rely on one or two key persons to perform the practice? If you perform the basic practices, but they are inconsistently applied and success is often attributable to the person performing the practice, you may be operating at a low level of cybersecurity maturity.
  • Is the practice documented? Can anyone follow the documentation and perform the practice? Is the practice knowable by all in the organization? Do you have policy that defines and implements the practice?
  • Do you actively manage the practice? Does the practice have the resources it needs to meet its objectives? Is training provided on the practice? Are all relevant stakeholders of the practice involved?
  • Do you measure the effectiveness of the practice? Do you take corrective action when the practice isn’t producing the result you expected, such as improving the measurement or adjusting the practice?
  • Is the practice standardized across the organization? Do all units of the organization perform the practice in a consistent way, tailored to the unique needs of the unit?

As you can see, applying maturity concepts to any practice, domain, or process comes down to the degree to which these elements are “institutionalized”—ingrained in the culture and reflective of how the organization works. In cybersecurity, achieving higher levels of maturity for a domain—such as vulnerability management—can imply that an organization performs its processes in a way that is efficient, predictable, and measurable, and that achieves their objectives.

To be certain, maturing a cybersecurity program is a journey, and it starts with understanding where the organization operates currently, how much maturity it needs to support its cybersecurity objectives (hint: it’s not always the highest level of maturity), and how it will get there.  In future blog posts, we’ll detail ways that organizations can embark on taking a maturity approach to cybersecurity—whether it’s the adoption of CMMC, broadly-used standards like ISO 27001, or any other model or framework that the organization chooses.  The team at Seiso can help to catalyze your cybersecurity maturity effort, align it with compliance requirements, and develop a roadmap to improving and investing in the cybersecurity practices that provide the highest pay-back to the organization.  For more information about our related services, see our information security strategy offerings.