“Maturity” might seem an odd word to apply to security. As attacks become more frequent and complex, organizations need the agility to respond to new forms of cybercrime.
Old ways of thinking are seldom useful in the ever-changing world of IT.
But security maturity isn’t about a particular tool or technique. It’s about a security-oriented mindset and culture that addresses risk appropriately and efficiently. Each organization’s approach will vary based upon the greatest threats to the business and the tolerance for risk.
In 2010, Gartner introduced the ITScore model for security and risk management. It breaks security maturity into five levels:
- Level 1: Initial. Cybersecurity is considered a “necessary evil,” and lacks executive support. Processes are ad hoc and IT-centric, and security tools are elementary and decentralized. There is no formal IT strategy or assigned responsibilities.
- Level 2: Developing. The organization is beginning to recognize the need for a formal program and executive commitment. The IT team is gathering requirements, assigning roles and responsibilities, and developing an implementation plan.
- Level 3: Defined. Cybersecurity is more integrated into the business and formal processes are in place. Security tools include analytics capabilities. There is commitment from stakeholders to meet established performance metrics.
- Level 4: Managed. The security program clearly addresses identified business needs and risks. The program is assessed regularly to identify and close any gaps, with reporting at the executive level.
- Level 5: Optimizing. Cybersecurity is now considered a strategic business imperative, and there is a security-aware culture across the enterprise. The security program is continually optimized and IT risk management helps drive business decisions.
Framework for Improvements in Security Maturity
Gartner’s ITScore methodology also includes a framework for tracking improvements in security maturity. It is designed to increase visibility and identify gaps across six security domains:
- Risk Management. Without a thorough understanding of business risk, organizations cannot develop an effective IT security strategy or justify the considerable cost of implementing it.
- Privacy. Growing numbers of privacy regulations, coupled with consumer distrust of organizations that don’t protect sensitive data, have made privacy a key component of cybersecurity. Failure to protect data from exposure or misuse can have a range of consequences, from regulatory fines to legal action to customer churn.
- Compliance. For many organizations, regulatory compliance remains a “check the box” function. However, this increases the cost and effort involved and fails to address compliance from an enterprise perspective.
- Security Processes. Well-defined processes form the foundation of mature cybersecurity. Ad hoc, manual, uncoordinated processes waste staff resources and leave gaps that increase risk.
- Identity and Access Management. Given the distributed nature of today’s IT environment, identity and access management plays an increasingly important role in protecting systems and data.
- Business Continuity. Security and business continuity go hand in hand. Organizations need the ability to protect critical information assets from loss and prevent security incidents from causing business disruption.
Develop an Action Plan for Improving Your Security Maturity
A framework is only the beginning. The path to maturity begins with creating an organizational culture that prioritizes security. Security should permeate every aspect of organizational activities and processes — not just IT — and ensure that everyone from the top down follows best practices. Board- and executive-level involvement is critical to the success of any security strategy.
Organizations should assess where they are today to identify areas that need to be strengthened. They should invest in security tools that address the most pertinent business risks, and automate many functions to save time and effort, improve accuracy, reduce response time and provide better reporting.
It’s not easy, but GDS is here to help. Our experts can assess your environment and develop an action plan for improving your security maturity and reducing risk.