The threat of the unknown is real. You may think you have a well-managed network until you discover, from a breach, that you’ve been ‘pwn’d’ for months. The ‘dwell’ time is upwards of a year for a reason: lack of visibility into security controls and lack of management over logs, changes, and security within an organization. How do you KNOW you’re secure?
Cybersecurity frameworks offer a holistic review of security practices to ensure a baseline of operations and practices. A baseline evaluation of these practices provides a qualitative and quantitative review of the maturity of an organization. If you perform a framework evaluation like that of the CMMC, you’ll also evaluate the maturity of process, by domain, which is not commonly included in such evaluations. When it’s all said and done, where do you stack up in terms of industry-standard best practices, and how do you decide your relative maturity and what to focus upon next?
The Capability Maturity Model Integration (aka CMMI) Institute is a fantastic global benchmark for best practices of key capabilities and for roadmaps for baselining operations. This is a great starting place for any organization, and a good internationally accepted method that most will understand and relate to in the boardroom.
4D5A Security has created our own maturity model chart, below, based upon our own insights and consultation with clients on maturity modeling and cybersecurity frameworks over the years. Our focus is to help clients see the value in going from reactive to proactive, and in becoming process-driven instead of person-dependent, with consistent, risk-reduced operations over time that are the most cost-effective long-term.
Most organizations, when they first baseline operations, score around high 1’s or low 2’s in their overall maturity, on a scale of 1-5, with 3 being the target for industry-standard, cost-effective best practices.
True risk management involves alignment between leadership and practice managers, and understanding your attack surface, high-value assets, and risks overall. 4D5A Security recommends that a third party broker these discussions, using a framework as a vehicle for the discussion, to create unity and alignment as an organization matures in operational excellence and clear prioritization of risk reduction.