One of the things I love most about working in security is that things are constantly changing. Yup, you read that correctly. I love changes! Learning new things, challenging past assumptions, and expanding my understanding and abilities are profoundly satisfying. I once heard myself referred to as a life-long learner and thought, isn’t everyone? And with the vast landscape of disciplines (network vulnerability management, access controls, or mobile device encryption, to name a few), there is no shortage of learning opportunities in security!
How to Keep Up With Rapid Change
What is the right level of protection? Are we vulnerable to that latest exploit? How can we better protect our assets? To answer some of these questions, many organizations use security maturity models. Most commonly used by organizations that do business with the US Department of Defense, maturity models document various levels of security capability to show progression within your security program.
When I was an Information Security Manager, I was a fan of security maturity models. I love organized, straightforward steps to reaching a goal and believed they were a good indication that I was “doing my job.” After all, if all of our controls meet the highest level of maturity, we must be doing something right! Right?
Unfortunately, no. Security maturity models are about the implementation of controls and provide graduated steps to showcase change over time. And while this is excellent information to have as a security leader, it can give your C-suite, Board and other non-security stakeholders a false sense of security.
Shortcomings of a Security Maturity Model
Security maturity models focus on climbing a ladder or reaching the peak of security, which simply isn’t how security should work. Further, because these maturity models aren’t tied to the business’s ability to operate or meet its objectives, the context is lost. And when leadership doesn’t understand the context, it can be difficult to “sell” the value of improved security without sounding like a fearmonger.
A Better Option Than a Security Maturity Model
Instead, organizations should shift towards security health. Unlike security maturity models that document what you’re doing (or not doing), security health focuses on how well you’re doing it. Your security program becomes less about achieving the highest maturity level and more about guiding your organization to healthier cybersecurity decisions.
I was recently reading the book Reinventing Cybersecurity published by Jupiter One, and was particularly intrigued by one of the authors, Carlotta Sage. Their open-source security health model (available in a GitHub repo under Creative Commons) aligns perfectly with how we approach cybersecurity within the Reciprocity® ROAR Platform. Their model includes the shift from ad-hoc or compliance-driven security to a risk-focused approach, communicating security in a collaborative way that empowers your organization to make smarter decisions, and the necessity of scalable risk management to support rapid change and growth.
To demonstrate this concept, I will borrow an analogy from Sage. Let’s say you’re planning your dinner.
If you’re using a maturity scale, it might look like this:
Tier 1: Hamburger
Tier 2: Hamburger with Fries
Tier 3: Hamburger, Fries and a Drink
Looking at this list, it’s understandable that most of us would want Tier 3 since it is a more ‘mature meal.’ If you don’t get the whole meal, you might be hungry later, so logically you select Tier 3. When you present your leadership with options like this and cannot contextualize them, it’s difficult for them to understand the options or make appropriate decisions.
However, if you’re using a health scale, it would look like this:
Tier 1: Candy Bar
Tier 2: Granola Bar
Tier 3: Turkey Sandwich
With all three options, you can achieve your goal of filling your stomach so you won’t be hungry later. Regardless of what you select, you can still meet your objectives. However, this method demonstrates that consistently making less healthy security choices (or consistently eating candy bars for dinner) will lead to progressively worse results over time. Adopting a security health model allows you to offer levels of protection and enables your board to align its security investments with its business objectives.
Putting This Into Practice
Are you looking to start assessing your security health? With the Reciprocity ROAR platform, we integrate your compliance activities with your risk register to automatically adjust your risk scores as controls are assessed. Unhealthy controls automatically increase your residual risk! And because we contextualize that risk to your business objectives, you’re able to point leadership towards healthier security decisions, allowing them to tie their investment to a tangible increase in the organization’s overall security health.
And with that, security shifts from being a “climb the mountain” activity to a “steer the ship through the rocks to keep the boat afloat” activity.
Why not give it a try? Register for a FREE live demo to see ROAR in action.