Review: Best practices for measuring and tracking cyber security maturity

Cyber-security is a discipline that is still finding its place in many organisations. More so than many other aspects of company operations, cyber-security is an area that can function well when the spotlight is on it, but equally can be left to operate in the shade for extended periods. Given that cyber-security is a discipline that needs consistent, repeatable, continuous action to be effective, this is obviously less than ideal. 

Cyber-security maturity (CSM) is an attempt to measure the effectiveness of the processes that support cyber-security and to improve them consistently over time. It is a model to ensure a proper focus on cyber-security over time, rather than waiting for the next crisis to sharpen our focus. It is an attempt, in short, to ensure that cyber-security is approached with the same discipline and professionalism as other aspects of company operations, and to ensure that it receives the same level of executive focus on an ongoing basis.

It is not overstating the case to say that without effective management and improvement of CSM, it will not be possible for organisations – or indeed nation states – to meet the growing cyber-security threat. A change is required in the way that we manage our cyber-defences, and cyber-security maturity offers an effective way to manage that change.

What is cyber-security maturity?
CSM is the measure of an organisation's preparedness to meet cyber-security threats:
  - Over time
  - Within the context of that organisation
  - With a focus on repeatable outcomes
  - With sufficient detail to be meaningful
- It is a score that can communicate the organisation's preparedness and allow for comparison over time and against goals
- It is a means of communicating progress over time and encapsulating a complex state to all stakeholders
- It is a measurement that encapsulates decision-making processes and governance as much as specific controls, and allows for granular scoring of the effectiveness of controls
- It is a measure of how well things are done, as well as of the things that are done
- Control selection can be environment dependent. However, the method of control selection, and the management of those controls, is much more appropriate to maturity assessment
How should we measure maturity?
The very simple answer to this question is in whatever fashion is useful. A number of different grading scales exist, although perhaps the most frequently used is a variant on the COBIT maturity scale below:

Level  Title                   Description
0      Non-existent            Process does not exist
1      Initial                 Ad-hoc processes are in place, very dependent upon the efforts of diligent individuals, often going above and beyond
2      Repeatable              Some procedures are in place that allow for repeatable outcomes, but the process still relies on individual knowledge
3      Defined                 Processes are documented and standardised, but are not yet sophisticated enough and success is not adequately measured
4      Quantitatively Managed  Compliance with the defined processes is measured and controls are put around significant deviations from process
5      Optimised               Continuous improvement is the outcome of continuous feedback into process improvement, to the point where deviations from process are reduced to an acceptable minimum

The key is that the measure should be:
- Sufficiently granular to allow for meaningful results
- Able to be applied to processes and controls appropriate to cyber-security
- Repeatable and consistent over time

A large part of the value of this process is that it offers comparison over time, so it is important that the scoring mechanism and the areas scored do not change drastically from one assessment to the next.

What should we measure?

The exact controls and processes to measure will vary from organisation to organisation, but there will be a large amount of common ground covering the basics of cyber-security governance and operations. CNS Group measures maturity across five domains consisting of 74 questions. The intent is to gather a score against the basics that can then be mapped to various standards and compliance regimes as needed. The domains that CNS Group measures are as follows:

- Compliance and accreditation
- Technical compliance
- Transformation and maturity
- Events, alerts and threat intelligence
- Governance and policy

The exact scoring regime for your organisation will depend upon a number of factors, including the exact nature of your IT estate, compliance and regulation requirements, specific areas of focus or need, client requirements and many other factors. The critical point is that there should be a baseline that is consistent and measurable over time. 
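The following is an added example, not CNS Group's scoring method or code from the article: a small scorer that applies the 0-5 scale from the table above to question-level answers grouped by domain, averages them into domain and overall scores, compares two assessments against a per-domain target, and refuses to compare assessments whose question sets differ, since a score only supports comparison over time when the same things are measured the same way. The question identifiers, scores and targets are constructed sample data.

```python
from statistics import mean

# Added example, not CNS Group's or the article's code. Question ids, scores
# and targets below are constructed; the 0-5 levels are the scale in the table.
LEVELS = {0: "Non-existent", 1: "Initial", 2: "Repeatable",
          3: "Defined", 4: "Quantitatively Managed", 5: "Optimised"}

def domain_scores(assessment):
    """Mean question-level score per domain; assessment is {domain: {qid: level}}.
    Rejects any level off the 0-5 scale so scores stay comparable."""
    scores = {}
    for domain, answers in assessment.items():
        bad = [q for q, lvl in answers.items() if lvl not in LEVELS]
        if bad:
            raise ValueError(f"{domain}: {bad} not on the 0-5 scale")
        scores[domain] = round(mean(answers.values()), 2)
    return scores

def overall_score(assessment):
    """Mean of the domain scores, each domain weighted equally."""
    return round(mean(domain_scores(assessment).values()), 2)

def compare(baseline, current, target):
    """Per-domain (baseline, current, delta, gap-to-target). Refuses to compare
    when the domains or question sets differ: a score only means something over
    time if the same things are measured the same way each time."""
    if set(baseline) != set(current):
        raise ValueError("domains changed between assessments; not comparable")
    for domain in current:
        if set(baseline[domain]) != set(current[domain]):
            raise ValueError(f"{domain}: question set changed; not comparable")
    before, after = domain_scores(baseline), domain_scores(current)
    return {d: (before[d], after[d], round(after[d] - before[d], 2),
                round(target[d] - after[d], 2)) for d in after}

def regressions(report):
    """Domains whose score fell since the baseline, for executive attention."""
    return sorted(d for d, (_, _, delta, _) in report.items() if delta < 0)

# Constructed sample: two of the five domains, three questions each.
BASELINE = {"Governance and policy": {"G1": 1, "G2": 2, "G3": 2},
            "Technical compliance": {"T1": 3, "T2": 3, "T3": 2}}
CURRENT = {"Governance and policy": {"G1": 2, "G2": 3, "G3": 3},
           "Technical compliance": {"T1": 3, "T2": 2, "T3": 2}}
TARGET = {"Governance and policy": 3, "Technical compliance": 4}

if __name__ == "__main__":
    for domain, row in compare(BASELINE, CURRENT, TARGET).items():
        print(domain, row)
```

With the sample data the governance domain improves from 1.67 to 2.67 while technical compliance slips from 2.67 to 2.33, so the latter is reported as a regression even though the overall score still rises.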

Why track maturity?
There are a number of good reasons to track CSM. These all speak to the need for consistent, well-funded and clearly understood action in maintaining an organisation's cyber-security defences over time:
- Without a measurement of maturity, cyber-security is normally measured primarily on contingent outcomes
  - The fallacy that "nothing has happened so we must be good at this… or at least there is nothing else we need to do"
- Comparison over time is very useful and important to modern organisations
- Cyber-security demands continual improvement, and there should be a way to track this
- Even where good things are happening, this may be down to one or two diligent individuals
  - What happens when they leave?
  - Is their judgement infallible?
- Cyber-security is sometimes a function that is focused on (and funded) only when the light shines on it. However, it actually needs consistent and constant progress over time
- Controls and processes may be effective, but how effective are they? There are good ways and bad ways to manage a firewall:
  - We have a firewall
  - We have a firewall and it is patched
  - We have a firewall and it is managed and patched
  - We have a firewall and it is managed, patched and under effective change control
  - We have a firewall and it is managed under principles of least access, patched, under effective change control, monitored 24/7, and its rulesets are independently reviewed at least every six months
- Controls are often not checked over time
- Maturity assessment, allied to framework-based control selection, means that all factors are considered
- Maturity assessment will engage and involve the whole business
- It provides proof of the successes of the information and IT security functions

In designing a CSM matrix, it is helpful to focus on the desired outcomes. Organisations should seek to determine their maturity score for all cyber-security functions (and controls) to an agreed scoring matrix. It is important that the scores and areas evaluated are approved at an executive level and that consistent and comparable scores are taken over time to demonstrate progress – or lack thereof. Comprehensive coverage of maturity scoring and clear communication of the current state of cyber-readiness to all stakeholders will help any organisation meet its cyber-security goals. 

Contributed by Kevin Dowd, Chairman of independent UK cyber security consultancy CNS Group 

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.