The numbers don’t lie. 60% of businesses have already faced at least one cyber-attack in 2019 according to a survey from insurance provider Hiscox. Cyber criminals show no sign of slowing down their activities and, with record fines for data breaches recently handed out by the Information Commissioner’s Office (ICO), cyber security is a significant priority for any organisation.
But here is the challenge. You know you need to be doing more – but you are not sure what that is – or how to find out. What’s more, what does good and bad look like – and how effective is your current cyber security? You may have already experienced a cyber attack and are determined to prevent another. That’s where a maturity model can help.
What is a maturity model?
You may have heard about maturity models. They’ve been around since the 1980s and, while originally developed for software development, they’ve been used in a number of sectors, including information assurance and cyber security.
A maturity model helps an organisation assess its effectiveness at achieving a particular goal. In particular, they pinpoint where practices are lacking and also identify those that are successfully embedded and can reliably and sustainably produce the required outcomes.
Maturity modelling is also about quality management – the ability of an organisation to identify lessons when things go wrong and absorb the lessons into their practices to make improvements.
How do they work in cyber security?
They get beneath the surface of an organisation’s cyber security posture and give the board the means to measure the progress being made in attaining cyber security best practice. In a recent blog, the National Cyber Security Centre (NCSC) described a maturity model as something that can “help distinguish between organisations in which security is baked in, and those in which it is merely bolted on.”
They work by gauging an organisation’s maturity in a number of areas where you would want to see effective performance. In cyber security, it would gauge the relative maturity of systems and processes, giving an objective assessment of cyber security preparedness – identifying where the organisation is doing well and where improvements are required. The capabilities under assessment might include leadership strength or the information risk management processes in place.
A maturity model can do far more than baseline your current cyber security posture; it can also be used to measure the effectiveness of ongoing cyber security programmes, either as an assurance activity during a programme of work or as part of continuous monitoring process. In addition it can provide the information to drive your cyber security dashboards, helping your board make sense of your cyber risk profile. One way it achieves this is by acting as a benchmark, establishing your position in each category against what would be considered excellent in the world at large.
What type of organisations can it help?
Ascentor’s experience of delivering cyber resilience in both public and private sectors is that most organisations fall into a small number of categories – we’ve identified what each might wish to understand about their cyber security:
Beginners: These organisations are just setting out on their cyber security journey, don’t yet understand what they have to do and need a focused ‘how to’ manual to get them started.
Intermediate: These organisations have already started implementing a cyber security strategy, they need assurance that they are doing the right things and are progressing in the right direction.
Advanced: These organisations already have a significant investment in information security, are probably ISO 27001 certified (or meet some other cyber security standard), and need to know what else to do to achieve a good level of cyber resilience.
Ascentor’s approach to maturity modelling
There are several cyber security frameworks available, each has their area of focus. The NIST Cyber Security Framework, for example, includes a maturity assessment mechanism but it is inward focused and doesn’t take into consideration the wider business context. Maturity modelling is about the ability to identify lessons, learn from them and incorporate them into the way an organisation operates.
That’s why Ascentor uses the Cybersecurity Maturity Assessment Model (C2M2) in our own Cyber Security Maturity Assessment. C2M2 is a mature model applicable to any type of organisation. It features 10 comprehensive ‘domains’ to describe an organisation’s cyber security capability and measures how well these have been used.
The 10 domains of C2M2 are:
• Risk Management
• Asset, Change and Configuration Management
• Identity and Access Management
• Threat and Vulnerability Management
• Situational Awareness
• Information Sharing and Communications
• Event and Incident Response, Continuity of Operations
• Supply Chain and External Dependencies Management
• Workforce Management
• Cybersecurity Program Management
A maturity indicator level is established for each domain independently – they do not have to be the same, and, in many cases, organisations will seek a higher maturity level for some domains over others.
As a tool, C2M2 can be used to support organisations at any level. Clearly, the outputs and presentation will vary according to cyber-sophistication of the organisation – but the underlying approach is broadly the same.
Another reason for adopting the C2M2 model is that it’s workshop based. We find it works well when there is a facilitator to keep the discussion on track and summarise and record the consensus for each of the measurement points and responding to questions. One key aspect of maturity modelling is to establish a baseline and the target. The workshop output establishes the baseline with discussion during the workshop used to validate the target maturity indicator level for each of the C2M2 domains.
After the workshop we feedback how your organisation shapes up against all the C2M2 criteria for strong cyber security; we will explain any shortfalls with recommendations on priorities and actions to address them.
Most organisations, at whatever their stage of development, could be doing more to strengthen their cyber security. The challenge is to identify what they should be doing – and in order to do that they need to understand where the weaknesses lie just as much as identify what is working. However, organisations will struggle to identify where these lie if they don’t know what to measure against.
That’s where a maturity model comes in. It forms an objective assessment across all the important domains to measure your organisations’s level of cyber maturity and identify the actions needed. Cyber security requires a big investment of time and resources, a maturity model helps identify where you are getting the maximum ‘bang’ from your cyber security ‘buck’.
For further information
We’ve produced two resources to help further your understanding about maturity assessments for cyber security.
You can download a sample of our Cyber Security Maturity Assessment feedback report to see the format and outputs of a C2M2 based assessment.
We’ve also written a new white paper covering the concept and purpose of a maturity model, where the value lies and discuss several models available, including the C2M2.