
Security & Privacy Capability Maturity Model (SP-CMM) Use Case #1 – Objective Criteria To Build A Cybersecurity & Privacy Program

Tags: Cybersecurity Maturity, Maturity Model, SCF, Security & Privacy Capability Maturity Model, SP-CMM
SCF Council
April 19, 2023

The Secure Controls Framework (SCF) release 2023.2 contains completely new content for its Security & Privacy Capability Maturity Model (SP-CMM). This effort was conducted to help streamline and standardize maturity criteria. One of the use cases for the SP-CMM is to provide a CISO with objective criteria to build a cybersecurity and privacy program. These are objective criteria that can be used to establish expectations for a cybersecurity & privacy program.

SP-CMM Use Case #1 – Objective Criteria To Build A Cybersecurity & Privacy Program

Identifying a target maturity state is intended to support your organization’s mission and strategy, so without first understanding the broader mission of the organization and having prioritized objectives, a CISO/CIO/CPO will be guessing when it comes to establishing expectations for capability maturity. Like anything in life, if you fail to plan, you plan to fail - CMM rollouts are no exception.

The time to execute a business plan to mature a cybersecurity and privacy program generally spans several years, where certain capabilities are prioritized over other capabilities. This means the CISO/CIO/CPO will establish CMM targets that evolve each year, based on prioritization. As the graphic below shows, the use of a spider chart can be beneficial in identifying current vs. future gaps with the SP-CMM. Prioritization of capability maturities may be based on risk assessments, audits, compliance obligations or management direction.

[Figure: SP-CMM Use Case #1 spider chart (sp-cmm-use-case-1-spider-chart.png) showing current vs. future maturity gaps.]

Identifying The Problem

Using a CMM helps organizations avoid “moving targets” for expectations. Maturity goals define “what right looks like” in terms of the required people, processes and technology that are expected to exist in order to execute controls at the individual contributor level. Without maturity goals, it is very difficult and subjective to define success for a security & privacy program.

All too often, unprincipled cybersecurity & privacy leaders manipulate the business through Fear, Uncertainty and Doubt (FUD) to scare other technology and business leaders into supporting cybersecurity initiatives. These bad actors maintain the illusion of a strong cybersecurity & privacy program, when in reality the department is an array of disjointed capabilities that lacks a unifying plan. These individuals stay in the job long enough to claim small victories, implement some cool technology, and then jump ship for larger roles in other organizations to extend their path of disorder. In these cases, a common theme is the lack of viable business planning beyond a shopping list of technologies and headcount targets to further their career goals.

Considerations

Cybersecurity & privacy departments are a cost center, not a revenue-generating business function. That means cybersecurity & privacy compete with all other departments for budget, and it necessitates a compelling business case to justify needed technology and staffing. Business leaders are getting smarter on the topic of cybersecurity & privacy, so cybersecurity & privacy leaders need to rise above the FUD mentality and deliver value that is commensurate with the needs of the business.

When identifying a target level of maturity, it is crucial to account for your organization’s culture. The reason for this is that implementing perceived “draconian” levels of security can cause a revolt in organizations not accustomed to heavy restrictions. One good rule of thumb when deciding between L3 and L4 targets is this simple question: “Do you want to be in an environment that is in control, or do you want to be in a controlled environment?” L3 maturity is generally considered “an environment that is in control” where it is well-managed, whereas a L4 environment is more of a “controlled environment” that is more controlled and less free. Given those considerations, environments not used to heavy restrictions may want to target L3 as their highest maturity target. Additionally, the cost to mature from L3 to L4 or from L4 to L5 could be hundreds of thousands to millions of dollars, so there is a very real cost associated with picking a target maturity level. This is again where having management support is crucial to success, since this is ultimately a management decision.

From a CISO/CIO/CPO perspective, identifying a target level of maturity is also very beneficial in obtaining budget and protecting their professional reputation. In cases where business leadership doesn’t support reaching the proposed target level of maturity, the CISO/CIO/CPO at least has documentation to prove he/she demonstrated a defined resourcing need (e.g., CMM level to support a business need) and the request was denied. Essentially, this can help cover a CISO/CIO/CPO in case an incident occurs and blame is pointed. That is just the reality of life for anyone in a high-visibility leadership position, and being able to deflect unwarranted criticism is professional reputation insurance.

Identifying A Solution

Defining a target maturity state is Step 4 in the Integrated Controls Management (ICM) model, which is a free resource from the SCF. That guide can be useful, since it helps establish two key prerequisites to identifying CMM targets:

  • Prioritization of efforts (including resourcing); and
  • Identification of applicable statutory, regulatory and contractual obligations.

The most efficient manner we can recommend would be to first look at the thirty-two domains that make up the SCF and assign a high-level CMM level target for each domain. These domains are well-summarized in the SCF’s free Security & Privacy by Design Principles (SIP) document and can be used by a CISO/CIO/CPO to quickly align a maturity target to each domain, in accordance with previously-established prioritization and business needs.