Cyber risk, information security, privacy and compliance services to business thought leaders.
19 Feb 2020

Reaching for the Pinnacle of Information Security Maturity

February 19th, 2020
Adam Stone, VP, Consulting Services

Not all security leaders are alike. Though this statement is obvious to most, many folks in this industry have a difficult time articulating exactly what makes one security leader stand out from others. Does s/he exhibit technical acumen? Business savvy? Strong financial instincts? Skillful sales and marketing reflexes? Effective organizational skills? Could it be the case that security leaders maintain certain aspects of all these traits (and more)? According to a trio of researchers affiliated with the Building Security in Maturity Model (BSIMM), information security leaders tend to fall into four “tribes” with differing approaches to security management. In a whitepaper entitled, “Four CISO Tribes and Where to Find Them,” authors Gary McGraw, Sammy Migues and Brian Chess assert that security leaders exhibit character traits that skilled observers can both identify and measure. In descending order from strategic to tactical, each “tribe” of security leaders carries its own strengths and weaknesses. Ultimately, the authors suggest that the security leaders who can appreciate and learn from the differences between the tribes are those best situated to creatively lead organizations into the next iteration of information security management. Secure Digital Solutions (SDS) agrees with this conclusion. We observe that, in general, these tribes describe individuals with increasing levels of information security process maturity, where Tribe 4 is the least mature and Tribe 1 the most (see image below).

Using tribes as the organizational foundation of their study, the authors interviewed over two dozen Chief Information Security Officers (CISOs) working for large corporations. During the interviews, the researchers used a set of three security “domains” with eighteen “discriminators,” or approaches to addressing information security topics. For each discriminator, the researchers translated each CISO’s survey responses into statements that best approximate his/her management philosophy. Using this approach, CISOs can identify their tribe and use this information to determine what steps are necessary to elevate oneself to the next level (for instance, transitioning from Tribe Four to Tribe Three, and so on).

The researchers’ method to establish “tribal membership” among CISOs is similar to the method SDS developed for the TrustMAPP® Performance Management System. Instead of narrowly assessing the qualities and character traits of the security leader separately from the function, TrustMAPP enables organizations to use process maturity as the baseline metric describing the effectiveness of the entire information security function (which includes people, processes and technology). The goal of both methods is the same: use quantitative and qualitative data to identify current state, while leveraging this knowledge by taking steps to reach the next level. In place of “discriminators” however, the TrustMAPP System evaluates process maturity across six maturity “attributes,” as illustrated below.

Prior to conducting a TrustMAPP assessment information security leaders set a maturity goal for their organization, typically on a scale of 1-5 (see maturity levels defined below). After completing a TrustMAPP assessment, an organization can quickly identify which business processes fall short of the maturity goal. Using this data, information security managers can communicate a meaningful message to executives and develop plans to improve. After nearly five years of capturing data from the TrustMAPP system, we observe that security leaders and their functional area transition slowly and methodically from one level of process maturity to another in manner not unlike the different tribes defined by the authors of “Four CISO Tribes and Where to Find Them.” In other words, security leaders (like business processes) fall along a continuum of maturity – where one learns from and builds off the previous level.

How can you leverage the power of understanding your tribal membership and information security program maturity relative to your maturity goals? The TrustMAPP Platform makes the process simple and efficient. Information security leaders can use the ideas advanced by the McGraw and team in combination with one or more industry-accepted frameworks to build an assessment that captures both dimensions. We designed TrustMAPP to make the assessment process nearly painless. In four steps, you will benefit from TrustMAPP’s reporting metrics to plan for process improvements.

If you are interested in elevating your professional maturity and improving your organization’s information security program, contact Secure Digital Solutions today at 952-544-0234 from 9am-5pm Central Time, or email us at info@trustmapp.com.

17 May 2019

Managing Third-Party IoT Cybersecurity Risks

Adam Stone, CPO, VP Consulting Services
May 16th, 2019

Managing Third-Party IoT Cybersecurity Risks

Lessons-Learned from Shared Assessments/Ponemon Institute’s Survey Results

The Ponemon Institute recently published the results of its Third Annual Study on Third Party IoT Risks(sponsored by Shared Assessments) and the results will surprise few security leaders already grappling with the explosion of third-party Internet-connected devices on their networks. As the cost of deploying IoT (Internet-of-Things) drops and fresh ideas for monetizing these Internet-connected devices emerge in the marketplace, businesses of all sizes are reaching out to third-party specialists for solutions. Business executives are drawn to the promise of IoTas the answer to business problems ranging from manufacturing efficienciesand improved logistics, to attracting new audiences and providing more personalization for consumers.

Naturally, there are downsides to this apparent panacea. Most profoundly, cybersecurity experts are having a difficult time keeping up with the chaotic pace of change and the new risks IoT introduces to organizations. Exacerbating the challenge is a persistent culture – among IoT vendors – that prioritizes speed-to-market over reliability and sustainability. This is merely the latest iteration of a technology development attitude that treats security as too costly and a hinderance to innovation and convenience.

Customers of IoT (both businesses and individuals) also contribute to the insecurity of these internet-connected devices. Users expect these nascent technologies to have reliable cybersecurity built-in but are unwilling to pay the premium necessary to encourage semiconductor (and related) manufacturers to do so. Thus, with few market or regulatory incentives to adopt cybersecurity-by-design into IoT solutions, manufacturers appear to accept certain security risksassociated with IoT. This in turn puts the onus on customers to mitigate against the security risks of IoT devices in their networks.

The 2019 Ponemon study emphasizes the fact that organizations suffer from significant blind spots when addressing IoT-related risks. According to the survey data, firms struggle to understand:

  • the extent of IoT-related cyberattacks, data breaches and service disruptions;
  • whether their existing safeguards address IoT-specific threats and vulnerabilities;
  • who is accountable for IoT risks and security failures;
  • how to conduct an effective IoT-focused risk assessment;
  • how to improve third-party service provider risk management policies and processes;
  • how to train the workforce on IoT-related security risks; and
  • what sorts of in-house expertise is required to mitigate IoT-related risks.

The results of this latest research validate what many security leaders already know: IoT is the latest challenge in the never-ending race to manage the pace of change in the business environment. There are no easy solutions to the cybersecurity risks that emerge from increased reliance on third-party vendors to develop and maintain IoT technologies on behalf of corporate clients. As with any major disruptive event, security leaders need to forcefully communicate the strategic importance of managing third-party risks to obtain executive support and budget for new security initiatives focused on controlling the runaway expansion of IoT in the business environment.

 

About the Author

Adam Stone is Vice President of Consulting Services and Chief Privacy Officer for Minneapolis-based Secure Digital Solutions, Inc.(SDS). Our firm helps firms of all sizes efficiently navigate the complexities of today’s security and privacy challenges. Our seasoned professionals provide the leadership, support and guidance necessary to develop sustainable cybersecurity programs aligned to your business mission and objectives. For information about how your organization can develop a winning strategy for managing third-party security risks, contact us at (952) 544-0234 or info@trustsds.com.

02 Aug 2018

Is Your Business in Scope for the California Consumer Privacy Act?

                                                                                                                                                                                                                          Image Courtesy of Pixabay.com

August 1st, 2018
Adam Stone, Principal and Chief Privacy Officer

Just as business leaders started acclimating to the data privacy requirements in the EU’s General Data Protection Regulation (GDPR), along comes a new and equally robust privacy law from the Golden State. Passed with impressive velocity and approved by Governor Jerry Brown on June 28, the California Consumer Privacy Act of 2018 (CaCPA, or “kak-pah“) raises the data privacy bar for businesses that profit from or otherwise collect, use and share personal data about California residents. In a borderless digital economy, where a business is domiciled no longer matters. The extrajurisdictional reach of CaCPA means that businesses of all sizes may fall under the statute if they provide goods or services to Californians. And who doesn’t nowadays?

Long the policy vanguard for data privacy, California generally sets the tone for the rest of the country. Once effective, many privacy experts believe that CaCPA will move organizations (especially tech-focused firms) towards a data protection regime similar to GDPR. Operating from the constitutional position that Californians enjoy an inalienable right to privacy, CaCPA enshrines many of the same rights that GDPR does for those in the EU. These include a right to be informed; to block the sale of personal information; to access, rectify and request erasure of personal information; and a right to exercise these privileges without prejudice.

If history is a guide, the state will take an aggressive stance on enforcement after the law’s January 1, 2020 effective date.

Though CaCPA covers the activities of a significant number of organizations across the US, some businesses can count themselves out of the statute’s scope. To do this, business leaders should conduct a scoping test based on the carve-outs defined in CaCPA. Here is a helpful decision-flow chart for this purpose.

In plain language, the decision flow above points to businesses that collect, process, use, share, and retain personal information about California consumers. To fall within scope, the business must meet certain thresholds for annual revenue and the breadth of processing of personal information. If the answer to one of the three questions below are “yes,” organizational leaders may assume that the business is in scope of CaCPA.

  • Do we have annual gross revenues in excess of $25 million dollars?
  • Do we alone or in combination, annually buy or receive, for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices?
  • Do we derive ≥50% of our annual revenues from selling consumers’ personal information?

With an affirmative answer to the decision flow above, business leaders should begin reviewing their business processes to ensure compliance with CaCPA on or before the effective date. As the date draws near, expect to find numerous articles and resources for deciphering CaCPA and implementing its requirements. For business leaders seeking an early edge on the competition, hire an outside expert who can help efficiently operationalize a CaCPA-compliant data privacy program.

Adam Stone is Principal Consultant and Chief Privacy Officer for Minneapolis,MN based Secure Digital Solutions (SDS). With a focus in data protection, SDS provides expert guidance in building and maintaining programs that align with the needs of the business. Our team of seasoned professionals offers a rigorous approach to improving privacy and security management processes. We seek opportunities to improve performance and demonstrate meaningful results. Contact our professionals today at (952) 544-0234 or info@trustsds.com.

15 Jun 2018

Processes Are for Managers

A Holistic Approach to Information Security

(originally posted November 2015 – revised June 2018)
By Chad Boeckmann, (CEO, 
Secure Digital Solutions)

In my previous blog, “Controls are for Auditors” I wrote about how we as security leaders need to move away from managing security controls in the weeds like an auditor. This article describes a “processes are for managers” approach. It aims to align security management with the business in order to communicate and manage information security effectively.

CISOs are tasked to achieve challenging outcomes and need to also communicate the state of their progress and the state of information security program – related risks – to other executives and board of directors. Our team partners with CISO’s from Fortune 500 companies and many mid-market businesses. They are all challenged with the same dilemma: Presenting effectively to an audience that does not necessarily understand the complexities of information security.

To address this challenge consider looking at the information security program as a business process. Frameworks and legal or industry data protection requirements often overlap and these requirements can be combined to establish a core process as a requirement of the security program. For example ISO27002, HIPAA Security Rule and GLBA all require Access Control. If we look at access control for a moment:

Processes-Are-For-Managers

Let’s say we want to measure the referenced process above. Access Control is a requirement of many data protection laws and is also highlighted in both ISO27001 and NIST Cyber Security Framework. Instead of managing control verbiage from a regulation or framework we can measure the effectiveness of Access Control Management generally from a process perspective but do so specifically using maturity attributes. Looking at Access Control Management we want to understand the level of performance (maturity) of this process across the six major attributes using a standard maturity scale of 1 through 5.

  1. What is our level of maturity of Awareness for Access Control Management across our environment?
  2. What is our level of maturity for Policy & Procedures for Access Control Management across our environment?
  3. What is our level of maturity of Expertise for Access Control Management across our environment?
  4. What is our level of maturity of Accountability for Access Control Management across our environment?
  5. What is our level of maturity of Automation for Access Control Management across our environment?
  6. What is our level of maturity of Measurability for Access Control Management across our environment?

If the business is performing well in Awareness, Policy and Procedure and Accountability (relative to our process in question) then understand clearly where our resources and investment should be applied. In this example, improvement can be applied to Automation (tools) and Metrics for Access Control Management. This approach provides a much more holistic method to repeatedly understand attributes of a control process that applies to internal policies and external regulations.Then taking core business objectives, such as improving customer retention, and associating a core process like “access management” to that objective, one can correlate how information security is supporting key business outcomes.

This approach described is proven to establish alignment with business leadership, while still meeting control objectives and focusing resources on the areas of greatest impact. Let your internal and external auditors measure the effectiveness of the control in place, you will know the answer before the audit starts by measuring and improving upon attributes of each process. Therefore we can leave controls to auditors and adopt a “process for managers” approach to manage security programs and related risks. To see this methodology in action, take a look at a 2-minute video demonstrating TrustMAPP, a platform we developed to holistically manage information security.

22 May 2018

GDPR Deadline Looming

Does the GDPR "due date" remind us of Y2K? What will really happen on May 25th? No one really knows for sure the answer to this question but likely there will be a lot of work to continue to do in the months (and perhaps years) to follow May 25th, 2018.

Just for fun here is a timer you can refer to for the GDPR deadline.

GDPR Top Ten Disciplines for EU Data

#1 Data Portability
#2 Accountability Principle
#3 Extraterritorial applicability of the GDPR
#4 Maintaining records of processing activities
#5 New Data Subject Rights
#6 Privacy by Design and by default
#7 Data Protection Authority enforcement methods
#8 Pseudonymization and its use in profiling
#9 Security and breach notification
#10 One stop shop

Stop Panicking and Start Your GDPR Readiness Journey Today

The time to act is now. Firms of all sizes must determine how GDPR will impact their business and act accordingly. For business executives who do not have the time or expertise needed to meet GDPR’s stringent requirements, our seasoned consultants will help you identify GDPR readiness gaps and define common-sense strategies for meeting compliance obligations. We leverage the in-the-trenches experience of past compliance initiatives to provide maximum value for today’s clients. Start your GDPR-focused compliance journey today with an affordable Readiness Assessment. Contact us at 952-544-0234 or visit our privacy services page for more information.

06 Apr 2018

Four Hats a Security Leader Must Wear

April 6th, 2018
Chad Boeckmann, Secure Digital Solutions

A security program, as it evolves and matures, will typically experience four types of leader personalities. These personalities may even occur within the same individual if that individual adapts to the maturation of the business and molds the security program simultaneously.

I believe these leaders can be categorized into four types:

  • Auditor
  • Technologist
  • Hero
  • Business Leader

Auditor
The first type of leader is the auditor. The role of the auditor is purposefully designed to be tactical. The security leader in the auditor role is primarily focused on control measurement and compliance. The resulting security program is typically built and managed based on complying with regulatory requirements. Budget and resource decisions are made with the purpose of meeting these regulatory requirements. This approach isn’t surprising considering the history of Information Security throughout its long tenure. Countermeasures were frequently driven by the need for controls to protect information. As such, many security programs begin with compliance as the initial driver for building and maturing information security, making them tactically effective but strategically immature due the fact that some never move beyond this stage.

Technologist
The next type of security leader personalities – the one that we most commonly see – is the technologist. The security leader in the technologist role has a keen focus on technical testing, monitoring and response, and primary focus on tools to automate controls. Typically the security leader as a technologist takes pride in building out operational security capabilities and leveraging leading edge products and services. Every modern security program must have a strong security technologist leader.  However caution should be placed in emphasizing the majority of time in this single discipline. Implementation of leading automation technology must also be accompanied by well-defined processes and plans. Oftentimes, these processes are defined after tools are selected. Instead, the reverse should be achieved.  Processes and plans that meet the business objectives and inform technology decisions to automate key processes must be defined before technology is selected and applied.

Hero
The next type of security leader personality is the hero. The hero is generally the type of leader who will focus on response and detection based on the company having recently experienced a negative cyber security event. Oftentimes the hero approaches the role with the mindset “they hired me to build it” which can have both positive and negative effects on the organization. The positive implications this personality displays is pride and ownership for achieving outcomes. The flipside of this trait could be spending countless hours of staff time to build tools that already exist within the marketplace.

Business Leader
The fourth security leader personality is business leader. The business leader personality has only recently benefitted from discussion in the community. A security leader fulfills this type of role when they focus on managing the security program like a business within the business. Being a modern-day security leader is challenging as they need to understand technology and controls while simultaneously having the right team (staff and partnerships) in place to respond adequately in the event of a negative cyber event. The business-minded security leader understands to be successful, they must rely on others within the business and have strategic partnerships with firms outside of their business. Additionally, business-minded security leaders measure performance and do not rely on the less-effective approach of FUD (fear, uncertainty and doubt) to communicate the performance of their security initiatives with executives. Instead, they focus on aligning and enabling the business objectives while raising caution when situations require it.

No matter what type of security leader you have (or you are), we can help you measure the things that matter most to the business and improve the alignment of security strategy. I encourage you to reach out for more information and further discussion.
16 Jan 2018

The Great GDPR Compliance Panic of 2018

January 16th, 2018
Adam Stone, Principal Consultant

Are you falling into the rut known as the great GDPR compliance panic of 2018? Stop worrying. Many data security and privacy leaders have successfully addressed the challenges of new regulatory compliance obligations before.

Several years ago, I entered the data security and privacy world just as new business challenges emerged from two separate congressional reform bills intended to solve certain problems in the US healthcare and financial services sectors. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), followed by the Gramm-Leach-Bliley Act of 1999 (GLBA), triggered federal regulation focused on – among many other areas – data privacy and security. At the time, organizations of all sizes struggled to prepare for the new federal requirements.

The first hurdle for some organizations was to simply acknowledge the fact that HIPAA and GLBA applied to their operations. For those who moved past the acknowledgement phase, preparatory scope creeped, and unplanned business disruptions followed. In an environment where executives were unclear about the applicability and impact of HIPAA and GLBA regulations, data security and privacy professionals found little support to implement new controls structures. The result: compliance programs poorly-aligned to corporate mission, values and objectives.

Though data security and privacy professionals emerged wiser from the HIPAA/GLBA compliance experience of the early aughts, evidence suggests that many firms now struggle with the emerging challenges of the EU General Data Protection Regulation (GDPR). As principal consultant with Secure Digital Solutions (SDS), I hear from lots of panicked leaders who need help understanding the impact of GDPR ahead of its May 2018 effective date. We find that firms can avoid some of the setbacks of the past by adopting an effective, scalable process for GDPR compliance preparations today. Whether preparing for GDPR with in-house resources or hiring an experienced consultant, firms should adopt a GDPR Readiness process like the one in the image below.

This is an image of a simple process to help organizations prepare for the General Data Protection Regulation (GDPR) compliance requirements.
Preparing for GDPR: Process Steps

Stop Panicking and Start Your GDPR Readiness Journey Today

The time to act is now. Firms of all sizes must determine how GDPR will impact their business and act accordingly. For business executives who do not have the time or expertise needed to meet GDPR’s stringent requirements, our seasoned consultants will help you identify GDPR readiness gaps and define common-sense strategies for meeting compliance obligations. We leverage the in-the-trenches experience of past compliance initiatives to provide maximum value for today’s clients. Start your GDPR-focused compliance journey today with an affordable Readiness Assessment. Contact us at 952-544-0234 or visit our Web site for more information.

11 Dec 2017

Cyber Security Services Catalog Enables Strategy

Original: October 19th, 2016
Updated: December 11th, 2017

Mike Edlund, Solutions Manager

Cyber Security Service Catalog Enables Strategy

Creating a Security Services Catalog for a security team begins to drive value across the business by establishing accountability and scope of services. A security service catalog enables strategy by clearly articulating to the business customer services provided by information security teams while providing a level of service and responsible parties for each area identified. This case study was inspired by a more formal representation of provided by NIST 800-35 "Guide to IT Security Services". In short NIST 800-35 provides guidance using a lifecycle consisting of six phases: 

ƒPhase 1: Initiation—the need to initiate the services life cycle is recognized. Section 4.1 discusses potential triggers for this phase. ƒ
Phase 2: Assessment—before decision makers can implement a service and select a service provider, an accurate portrait of the current environment must be developed. Section 4.2 discusses Phase 2 and the importance of creating and gathering appropriate metrics. ƒ
Phase 3: Solution—decision makers choose the appropriate solution from the viable options identified during the assessment phase. Section 4.3 discusses the business cases and implementation plans. ƒ
Phase 4: Implementation—the service and service provider are implemented during the implementation phase. Section 4.4 guides decision makers through service agreement development and service implementation. 4-1 NIST Special Publication 800-35
ƒPhase 5: Operations—the service is operational, the service provider is fully installed, and constant assessment of the service level and performance is made. Section 4.5 discusses the importance of metrics in monitoring service level and performance. ƒ
Phase 6: Closeout—the environment changes, the need for the service diminishes, or performance deficiencies are noted necessitating a replacement or termination of the IT security service. Section 4.6 discusses the closeout and retirement of a service and/or service provider using the exit strategies developed in Phase 3.
(source: NIST 800-35 - http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-35.pdf)

Customer Request

A customer requested Secure Digital Solutions (SDS) to develop security plans and procedures to consistently manage their information security program. SDS collaborated with the customer's security team to document and improve the current and desired security capabilities and plans. Our customer had two key challenges:

  1. Procedures and plans to deliver the security program activities were not formally documented, leading to poorly-defined program actions and responsibilities.
  2. Roles and responsibilities defined in newly minted procedures and plans were not aligned with the team set up to do these activities and the associated controls supported by the new activities.

The customer engaged SDS to collaboratively develop cyber security plans and procedures for the cyber security program and supporting team members. Along the way, SDS discovered a gap in roles and responsibilities that led to a further surprise benefit to aid the customer's security program.

SDS Solution

Over a period of months, SDS partnered with customer security leadership to define desired security program strategy, objectives and goals. The service areas in-scope include a number of processes such as threat and vulnerability management, training and awareness, risk management as well as policy and standards management.

servicescatalogSDS began creating a number of documents that defined areas within the security program including a RACI chart designed specifically for the customer's cyber security team. Plans to define how these areas would be strategically delivered were designed and offered for further feedback, input and iteration from the security team and executive leadership to reach a final cyber security service catalog framework. The SDS team developed the content leveraging both industry best practice, SDS experience and
and feedback from the customer's security team.

Plans and procedures included sections to define roles and responsibilities as to who is responsible to deliver the security program processes and related service levels (RACI). SDS also noted areas missing formal responsibilities for the security team that lead to more reactive response and "firefighting" in turn draining current resources. The existing approach used by the customer, prior to the final adoption of the SDS service catalog, was far less strategic and not optimized. With the presentation of our findings conversation with leadership and it was clear to all parties involved for the need to coalesce security team processes/controls into a centralized service catalog.

Consulting with customer's security team lead to the creation of a services catalog that defined the required activities and assigned team personnel responsibilities to these activities.  As a result not only did the security team have a clear understanding of priorities and responsibilities, the business customers also understood the scope of the internal security services team.  Business teams now understand how to engage and who to speak with regarding various projects and customer engagements to meeting both internal and external security requirements.

Impact on the Customer's Business

Along the way, leadership of the security team changed. The security catalog took on a whole new meaning with a surprising additional benefit. With the catalog’s estimates for FTEs required for duties to properly cover the entire security program, the new security leadership leveraged the security service catalog as the means to forecast and request additional resources to executive stakeholders.

With the change in security program leadership, the plans and procedures also offered insights and a standard approach from which the new leadership could understand how the program is managed to meet business expectations while aligning existing security team personnel.

To learn more about automating a cyber security services catalog reach out to our team at: info@trustsds.com or visit the TrustMAPP website. 

Resources For You


[wpv-view name="white-papers-widget"]

18 Oct 2017

Creating a Health and Fitness Plan for Cyber Security

October 18th, 2017
Ed Snodgrass, CISO, Secure Digital Solutions
This article was originally posted on Forbes .

Virtually everyone wants to be healthier. Good health and fitness provide a multitude of benefits. Better quality of life, increased energy, sharper mental focus and lower risk of malady are but a few. But it takes work to enjoy the benefits. A four-hour marathoner won’t suddenly become a three-hour marathoner simply by acquiring the newest running shoe. It takes planning, discipline and execution, and there are countless obstacles lurking to derail you in your attainment of your goal — both known and unknown.

Ironically, this scenario also applies to an organization’s information security program. A mature and effective program empowers staff, allows for more effective enablement of the business, increases threat awareness and response, and lowers the risk of negative front-page exposure. However, like the marathoner example, simply purchasing the latest security technology won’t guarantee good security health and fitness. It takes the same planning, discipline and execution, as well as the same willingness and ability to overcome obstacles.

Here are eight steps to create an effective information security protocol in the form of a health and fitness plan:

Take inventory. Regardless of where you want to be, a good fitness plan starts with where you are today and an honest assessment of current capabilities. Perhaps it’s a body fat measurement or a VO2 test. A mile time or a max bench press. An evaluation of eating and sleeping habits. Whatever the assessment type, diligence and candor are critical. The same goes for the state of a security program. What are the program’s current capabilities, its level of expertise, the usable technologies available today? Honesty is the key. If a security program’s third-party management capability may not be where it should be, then it’s a baseline of current capability.

Set goals. This could be anything from dropping a few pounds to completing a full Ironman. Goals should be multifaceted. Along with determining the desired outcome brings the analysis of what it will take to get there based on the results of the initial inventory. Shaving an hour off a marathon time, for instance, will require a training plan with a schedule and a certain level of effort. So too will reducing vulnerabilities in a company’s critical infrastructure, lowering the time to respond to a security incident and complying with the newest data privacy regulations. Determining what an organization needs to accomplish from a security perspective should be the focus.

Execute. The fitness plan may call for a 1,000-meter swim on Monday, but there’s an errand to run, a call to make or it’s simply been a long day. There are countless roadblocks that could derail a detailed plan, and some truly can’t be avoided. However, most can. It’s oftentimes an attractive proposition to get security “quick wins” by acquiring a new tool or by making a short-term change in direction. In some cases, these actions are mandatory. But not in most. Plan the work and, more importantly, work the plan. It’s consistency that produces results.

Monitor progress. This is straightforward. As the work on a plan progresses, health and fitness increase as demonstrated by the metrics. Mile times get better, pounds come off and performance improves. Similarly, success on the security front will bring progress, too. The clusters on the risk heat map transition from red to yellow to green, malware infections decrease, code quality gets better, significant compliance deficiencies are remediated, etc.

Adjust. At this point, there should be enough data to track alignment to goals. For a triathlete, it may be time to adjust the cycling schedule because that appears to be the weakest area — more hill training or longer distances. Some areas in the security plan may need adjustment as well. Perhaps risk management is improving and with it, security’s visibility of an enterprise. Because of this, more focus may be required on data loss prevention, for example, to reach security performance milestones.

Accomplish the first goal. Run the first 10k, shoot the first sub-90 round of golf, drop the first five pounds. For a security program, it may be achieving compliance, reduction of significant risk in an area or reducing online fraud by a certain percentage.  Whatever the first goal is — accomplish it.

Celebrate. Enjoy the fruits of labor and appreciate all who contributed.

Repeat.

22 Aug 2017

Cybersecurity Maturity is Growing Up

originally featured on CSO Online

August 23rd, 2017
Ed Snodgrass, CISO

 

Maturity is an interesting word. We’ve heard it throughout our lives and it’s had different meanings in different contexts.  As a child, we heard it from our parents regarding “growing up” or “being more mature”.  We may not have entirely understood it then, but our parents knew that developing maturity would be important for friends, colleagues and peers to take us seriously.

As we grew older, we began to understand the concept of maturity and that it could be compared closely to wisdom.  We began using what we learned through experience and started applying that knowledge to our decision-making process.

Today we hear the word maturity frequently in the workplace.  We see it used in processes, methodologies, rating scales, etc., and from a technology and process standpoint, maturity can be applied to cybersecurity as well, although its applicability and benefit isn’t always readily apparent.

Case in point.  Recently, over lunch, I was attempting to explain the purpose and benefit of cybersecurity maturity to a business colleague.  Based on his skeptical expression, it was clear to me that I wasn’t succeeding.  He fully understood compliance and the implications of non-compliance, but wasn’t grasping the value of maturity and how it was relevant in the security space.

I thought about what was personally important for me to secure, and the answer was easy – my family.  I then thought about an area where compliance comes into play and how it is typically used to determine effectiveness – home fire safety.  Using that as an example, I asked him to rate his family’s level of home fire safety on a scale of 1-5.  “4-5,” was his response. “I have the best smoke alarms money can buy.  I have one on each floor and in each bedroom, as I’m required to by code.  In addition, I have a fire extinguisher in the house and one in the garage.”

From a compliance standpoint, we both agreed that his score of 4-5 was likely accurate, and one could say that he had gone above and beyond the minimum standard.  I then challenged him to look at it from a maturity perspective, using a series of ad-hoc questions as a baseline:

  • Do you test your smoke alarms?
  • Do you have a regular schedule for replacing the batteries or do you replace them only when the alarm tells you to?
  • Do you have a family communication and logistics plan that you can put into action if an alarm sounds in the middle of the night?
  • Do you practice the plan?
  • Does everyone in your family know where the fire extinguishers are?
  • Does everyone in your family know how to use the fire extinguishers?
  • Is there a pre-determined family assembly area outside?

As he considered each question, I then asked, now that he’d added a maturity measurement to compliance, what would he rate his family’s level of fire safety?  “Probably a 1-2,” was his concerned reply.

While this may be a simple example, it begs a question.  Traditional compliance and operational data is important, but does it provide adequate context to truly evaluate capability?  Using the fire safety example above, it doesn’t appear to.  My colleague had all the required detection mechanisms in place, including some additional preventative measures, but any significant capability for his family to respond effectively to a fire simply wasn’t there.

The same question can be asked of a cybersecurity organization, and a growing number of security leaders are adopting maturity as a metric to analyze and determine their team’s strategic capabilities because the hundreds of individual controls, while critical, only represent a point in time.

Cybersecurity maturity, used as a performance metric, offers additional insight into how the security organization is operating.  It can be used to analyze compliance and operational data at the process or function level.  Trends can be discovered, monitored and adjusted for.  An enterprise security training program may have all the right features in place, for instance, but the open rate of phishing emails by employees isn’t decreasing over time.  Do the components of the training program need to be adjusted or does the content?  Or, does the challenge lie within another function or process outside of the training program?   The use of maturity to analyze the capabilities of those processes can likely answer those questions.

In today’s evolving threat landscape, effective metrics are critical to security success.  Controls and operational data are required to run the organization today.  Strategic KPIs, such as maturity, are also required to measure, profile and plan the security organization’s capabilities for both today and tomorrow.  Performing a cybersecurity maturity assessment on the security organization will likely yield valuable insights.  There are excellent sources available that show where to begin and how to demonstrate the value of measuring cybersecurity capabilities and effectiveness.  (An example can be found here).

Ultimately, the best smoke alarms money can buy are powerful tools in the event of a fire, but only if everyone has the capability and maturity to respond effectively.

Interested in learning more about security program performance and leveraging the value of cybersecurity maturity? Download the white paper titled “Roadmap to Success