Cybersecurity Maturity: Tiers and Goals
April 27, 2020 by Loren Lachapelle
Achieving cybersecurity maturity is something that organizations should strive for over time. Once an organization has a mature cybersecurity program, it will be equipped with the knowledge and power to adapt to the ever-changing threat landscape – a key to becoming a resilient organization. It sounds simple, but gaining cybersecurity maturity is a fluid, never-ending work in progress that should always be improved upon. Let’s dive in.
What is cybersecurity maturity?
When we talk about the concept of cybersecurity maturity, we are talking about taking a programmatic approach to improving a cybersecurity program. In order to build an effective program, we first need to recognize that people, process, and technology – all working together – are the three fundamental pillars of cybersecurity maturity. At the same time, there are different stages of maturity, starting with Tier 1, the “foundational” level, and progressing to Tier 5, the “sustainable” level. As organizations add to their arsenal of cybersecurity defenses, they will be mitigating risk exposures and working toward a resilient security posture. It’s important to note that regardless of what level an organization is at, continuous assessment and remediation are always necessary. Let’s explore the tier attributes of cybersecurity maturity across people, process, and technology.
Tier 1: Foundational
In the foundational tier, organizations often have limited IT and security resources, with minimal awareness of what cybersecurity means from a process and procedural perspective. There is probably no formal cybersecurity program in place, and no policies or procedures. From a technology perspective, there are very few controls in place (if there are any), with limited oversight.
Tier 2: Informed
From a people perspective, there is a semblance of security leadership established within the organization, and those people have a degree of cybersecurity awareness. The organization likely has some basic cybersecurity policies and processes established, such as a password management structure for employees’ workstations. On the technology side, some limited controls are in place – like firewalls and antivirus tools – with basic oversight and documentation.
Tier 3: Managed
In the managed tier, people within the organization now have assigned security roles and responsibilities (think Chief Information Security Officer or IT Controller), and the employees have improved security awareness. At this level, there is probably a basic security program in place with organization-wide processes and policies, such as an Information Security Policy. There is likely a wider variety of controls implemented and documented with better oversight and coordination.
Tier 4: Repeatable
When an organization has hit a repeatable tier of cybersecurity maturity, it has clearly defined security roles – likely even a dedicated team of security and IT professionals – and employees who are well-trained on how they can help keep the organization secure. A robust cybersecurity program is established by now and processes are tracked across the whole organization. Technical controls are fully implemented, monitored, and pursued on an ongoing basis.
Tier 5: Sustainable
An organization’s cybersecurity program is mature when the organization can successfully sustain and expand its business strategy while minimizing cybersecurity risk. Cybersecurity is engrained in the business culture and both practiced and supported at all levels of the organization. The program is operationalized and an adaptive approach to cybersecurity risk allows for contextualized decision-making.
Use Tier Levels to Set Goals and Reduce Risk to Become a Resilient Organization
In order to have a mature cybersecurity program and be an entity that can withstand the dynamic threat environment, organizations should start by establishing goals and mapping out how to achieve them. It won’t happen overnight, and there will probably always be some gaps in your cybersecurity program. But how do you gradually reduce the amount of risk and the number of vulnerabilities within the organization? How can you be better equipped to understand what disruption means to the organization? How can your cybersecurity program be more mature?
It starts with setting incremental goals. If you are starting from scratch, first set a goal of drafting basic policies and getting basic security controls in place. Map out steps to get there and what it looks like for the organization in terms of time, money, and personnel.
When setting goals to become a more resilient organization, ask yourself: What business strategies will we be pursuing this fiscal year? How will those decisions impact network and infrastructure needs? Will we be onboarding new personnel anytime soon? Are we terminating existing vendor relationships or establishing new ones? All these considerations change the risk dynamic for the organization as well as the risk dynamic specific to cybersecurity.
If your organization can successfully set specific, measurable, attainable, realistic, and timely (SMART) cybersecurity goals that align with business objectives, you will be well on your way to reducing risk and ensuring business continuity.