Take a Pragmatic Approach to Improving Security
Secureworks' new Security Maturity Model demonstrates that improvements in security maturity become far more meaningful when they are risk appropriate.
By: Hadi Hosn
Today, more and more organizations are accepting that security is a business risk issue and that, for true resilience, they need to develop a mature security posture. That means integrated solutions and controls, based on appropriate policies, processes and procedures.
In one sense, yes. But how do you know what is appropriate for your environment? How do you know how well you are doing? What, or whom, do you measure yourself against? And how can you demonstrably show the progress that your Board will require in order to continue supporting you?
Essentially, you need to be able to benchmark your performance, but in a way that is tailored exactly to your organization and takes into account the constraints within which it operates.
To help you answer these questions, Secureworks™ has created the Security Maturity Model: a holistic, risk-based, business-driven approach to evaluating cybersecurity maturity, grounded in an organization's business operations and risk profile.
It builds on, but goes further than, established industry frameworks such as the NIST Cybersecurity Framework and ISO/IEC 27001. It takes the best of them and adds the benefit of our extensive experience across our client base and in threat intelligence. The result is a higher-level, more flexible and pragmatic framework that enables precisely focused benchmarking across all sectors, regions and sizes of organization.
Why did we do that? After all, these existing frameworks are rigorously constructed and widely used.
Some of these existing frameworks inadvertently create a tick-the-box mentality: you check off the boxes and achieve compliance, but you do not holistically address risk. While they are undoubtedly valuable and, in many cases, required, compliance-driven frameworks can leave an organization treating risk as something to be certified against rather than actively managed.
Security Maturity: Where it Begins
In contrast, we take as our starting point the organization's inherent risk profile. This captures the amount of risk produced by the organization's makeup, activities and connections, together with its risk tolerance. It also considers the threat landscape, the industry the organization operates in, and the types of information assets it handles.
We then compare this profile against the organization's performance in five domains: security organization and governance, security operations, cloud security, incident response, and threat management.
We develop this profile and the comparison using a set of key questions, constructed and validated through extensive research across our customer base. Working with more than 4,400 clients across a very wide range of industries and organizational types has informed the questions we use to gauge specific security behaviors in each of these domains. The analysis yields two readings: the organization's current security maturity tier, and the tier it should aim for given its risk profile. The tiers run from Guarded to Informed, then Integrated and, finally, Resilient.
Security Maturity is not One-Size-Fits-All
This question of what is best suited to an organization's profile is important, and it is a key way in which the model differs from existing industry approaches. Rather than forcing every organization to work towards the highest security maturity tier, it recognizes that this simply isn't necessary or relevant for some organizations. In other words, the target it sets is proportionate to the level of risk the organization faces and to the type of business it operates.
We all benefit when organizations improve their security maturity and threat actors have fewer opportunities to disrupt and victimize. Think of this model as a compass, guiding your decision making and enabling meaningful, pragmatic conversations about cybersecurity. If you'd like a deeper dive into the domains the model covers and the maturity tiers it measures, please go to our website and download your free copy of our white paper introducing the Secureworks™ Security Maturity Model.