By Tennelle Anderson, CISSP, CISA, CPA, Secure Digital Solutions
I started out my career as an auditor. Then I moved into compliance. Now I’m a security consultant. One thing I’ve observed during my journey is that while each of these groups values controls such as logical access and vulnerability management, each group is evaluating these controls using a different lens. These different lenses cause each group to speak a different language, leading to the confusion and frustration of management (and each other). All teams should focus on unifying the message of information security.
Isn’t there a single language that all three groups can use to consistently communicate the state of control effectiveness, compliance position and risk? Is there a single language that can also accommodate an ever-changing technological and compliance landscape? Is there a unifying language that can also communicate “how good is good enough” AND address concerns regarding overinvestment in security and compliance?
Yes, there is.
A Single Language
You probably think I’m dreaming, but I assure you I am not. The security industry is increasingly moving toward process maturity as the standard by which security programs are measured and improved. The five CMMI maturity levels (Ad hoc, Managed/Repeatable, Defined, Quantitatively Managed, Optimized) can be used to describe control implementation and effectiveness, compliance with a specific requirement, as well as the level of risk present for any given process or asset.
Harmonization of Controls and Processes to Reduce Compliance Fatigue
As you have no doubt observed, there is a great deal of overlap between the various security regulations and frameworks that exist today. Rather than trying to keep up with hundreds of different individual (and ever-changing) control objectives, organizations can harmonize those individual controls into a set of processes that can be measured based on their maturity level. For example, rather than measuring adherence to 20 different logical access-related controls, break those controls into a subset of processes (e.g. provisioning, de-provisioning, access reviews, etc.) and measure the maturity of those processes.
Unlike audits and risk assessments, which provide only a point-in-time view of the existence and/or effectiveness of controls, assigning maturity levels to existing processes gives a point-in-time snapshot of these processes AND helps determine a company’s ability to adapt to ever-changing compliance requirements and control expectations. In addition, it reduces the number of assessments that must be conducted (and the number of widgets assessed), helping to reduce your organization’s audit fatigue.
How Good is Good Enough?
Using the CMMI maturity levels is also a great way to help your organization define “how good is good enough”. For example, if your logical access provisioning processes are considered Level 1, or ad hoc, most auditors, compliance specialists and security analysts would agree that the associated controls are likely not operating effectively (if they exist), do not meet associated compliance requirements, and present a higher level of risk to your organization. Processes rated a Level 2 (repeatable, but reactive) or Level 3 (defined) may be considered to be operating effectively, meeting associated compliance requirements, and presenting less risk to your organization. Processes rated a Level 4 (quantitatively managed) or a Level 5 (optimized), while indicating effectively operating controls that meet compliance requirements and present little risk, may be getting into overinvestment territory for your particular organization. Having management define maturity goals for the organization can help everyone know how good is good enough from the outset, eliminating confusion and reducing the risk of under- or overinvestment.
Bringing it all Together
Once audit, compliance and security begin to speak in the same language, management will immediately benefit by receiving a consistent and understandable message. This will allow your organization to move to the prioritization and implementation stages more quickly without fear of overinvestment. It may even help your organization to recognize audit, compliance and security as valuable business partners contributing to business goals, rather than impeding them.
SDS’s Accliviti tool, powered by their MAPP methodology, empowers organizations with a clear picture of security posture based on maturity levels, including trending analysis, planning and budgeting, and built-in support for multiple security frameworks and regulations. With Accliviti’s SaaS delivery model, scoring, tracking improvements and communicating performance of a security program happens in weeks, instead of months, using built-in analytics. Using a unifying message for information security, Accliviti helps CISOs create and communicate a roadmap to guide the organization’s security activities.
By leveraging the best-practice MAPP model of Maturity Assessment, Profile, and Plan, using an automated tool like Accliviti, CISOs can focus more of their time and interactions towards security strategy and advisor roles for the business.
 Veltsos, Christophe; “A MAPP to Clearer Information Security,” January 2016,