Everyone (er, almost everyone) has had the experience of growing up - maturing if you will. You likely had people teach you and thoughtfully impart to you some knowledge. And, if you’re like me, you didn’t always pay attention. I had to make mistakes for myself to learn. When it comes to compliance and risk, the same goes for businesses and individuals that make up a business. Practice, and making mistakes, is one of the best ways to gain experience. Mature organizations will anticipate pitfalls and seek guidance and coaching by those that have essential experience.
Security maturity is a choice.
Security frameworks and regulations provide a baseline of technical and operational requirements as a start. But the standards are a low bar and only the minimum requirements. You must determine which, if any, additional controls and practices should be in place to further protect data and mitigate risk. Enter security maturity modeling. The concept of maturity modeling is nothing new. It’s just a good idea. And, security maturity should be the next step beyond the minimum requirements.
Yes, part of maturity modeling is pointing out things that are broken. It’s not meant to embarrass anyone into action with some management power play. At the most basic level, the core purpose of a maturity model is to create organizational awareness of common goals and increase performance and growth. That starts with the reality of where you are today.
Breaches are often what forces a bump up in the maturity scale.
The better alternative is support from management for an honest exploration of security maturity objectives to set the bar high enough before a breach happens. The genuine objective is to persuade leadership to shift the culture to make security a priority. Learning and growing from the experience of others is the difference that enables leaders to do right thing without having to suffer a breach directly.
The maturity levels are:
0) INCOMPLETE: Ad hoc or unknown process.
1) INITIAL: Initial approach to carrying out a process is unpredictable and poorly controlled.
2) REPEATABLE: A repeatable process is planned and controlled but is often still reactive.
3) DEFINED: Proactive rather than reactive, defined processes are documented and standardized.
4) MANAGED: Processes are quantitatively managed to improve toward performance objectives.
5) OPTIMIZED: Processes are continuously improved to respond to opportunity and change.
My dad used to tell me, “A fool makes mistakes and doesn’t learn. A smart person makes mistakes and learns from the experience. A wise person observes the mistakes of others and learns to avoid them.”
Will you be the fool? Will it take a breach for your organization to take the next maturity step? Or will your organization be wise?
2019 SecureTrust Global Compliance Intelligence Report
The SecureTrust Global Compliance Intelligence Report gives you the opportunity to review security maturity ratings from its Global Compliance and Risk Services assessments by industry.
Chris Brown is a Product Manager at SecureTrust driven by strong beliefs about risk management and has a decade of experience in risk management and information security. Chris has spent the last 5 years overseeing the SecureTrust Global Compliance and Risk Services (GCRS) professional service offerings and is responsible for the roadmap to produce solutions that satisfy customer needs and demands for security, risk and compliance assurance services. He is actively involved in helping clients understand and utilize effective, efficient and secure business systems in accordance with risk management frameworks and security best practice guidelines.
Chris holds a BSBA from the University of Colorado at Boulder with emphases on Accounting as well as Operations and Information Management. Chris is a Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) and is an active member of the Information Systems Audit and Control Association (ISACA) Denver chapter. Outside his role at SecureTrust, Chris is passionate about risk management as it relates to decision making in outdoor activities, backcountry travel and rescue operations. Chris holds avalanche hazard management and safety certifications including American Institute for Avalanche Research and Education (AIARE) Level 1, AIARE Level 2, Wilderness First Responder (WFR), and CPR for the professional rescuer (ProCPR).