Folks who know me know that I’m a bit of a standards junkie. When it comes to building out an effective information security program, I think the Common Sense Security Framework followed by an ISO 27001/27002 implementation is a killer one-two punch.
(For the record, I hate compliance, but I love security. Isn’t that ironic?)
I’m going to float a list of security activities by you, and you start daubing your infosec bingo card.
- Complete an annual risk assessment to figure out where our control gaps are. Remediate.
- Complete an annual PCI / HIPAA / <insert your compliance albatross here> audit. Remediate.
- Hire someone to perform a pen test. Remediate.
- Review the list of findings from internal audit. Remediate.
- Look back at everything we did this year, take a deep breath, and get ready to start the cycle all over again.
The scary part is that despite all the infosec teams across the world devoting millions of hours (and dollars) to following some variation of this process, we’ve still had over 8,000 publicly disclosed data breaches with a whopping 10 billion compromised records (and counting).
So what can (should) we be doing differently?
My recommendation: Take a minute to assess the maturity of your infosec program as it stands today.
“Easier said than done, Jerod. We’re busy enough already. Now you want us to add one more thing to our plate?”
Yeah, I do, and the payoff will be well worth it. Trust me.
If you’ve gone through an ISO 27001/27002 implementation, a PCI audit, a HIPAA security risk assessment, a FISMA audit, or an assessment against some other set of security controls, chances are you answered each control question with either, “Yes, we’re doing that,” or “Not today, sir, no.”
If the auditor/assessor conducting the assessment is worth his/her salt, though, then you’re likely to be asked for a sample of evidence to prove that each Yes is really a Yes.
While I do see value in this process, these types of assessments and audits are limited. While they take into account leading security practices, they don’t take into account your organizational culture. They don’t take into account your business model. They don’t take into account your leadership’s risk appetite.
When it comes to the real reason we have infosec programs in the first place, namely to reduce the risk of bad or disruptive events impacting the organization (and, more importantly, the people who depend on the organization), then these self-imposed blind spots become even more apparent.
That’s where the Capability Maturity Model (CMM) can really help you out.
First, take a sec to familiarize yourself with the CMM. I’ve seen a few variations on this theme in the infosec space, but it goes a little something like this:
- Level 1 – Initial. No documentation, and if Beth from IT is out sick, good luck.
- Level 2 – Repeatable. Alright. Here we go. We’ve got some documentation, and we’re starting to see some consistency.
- Level 3 – Defined. Standards? We don’t need no stinking standards! (Wait. Just kidding. Yes we do, and we’re sticking to them.)
- Level 4 – Measurable. Metrics! We’ve got metrics!
- Level 5 – Optimizing. The business and the tech have achieved perfect harmony. Let’s focus on fine tuning our controls as both the business and the tech change over time.
This is where the art meets the science.
Not every organization wants to be Level 5 across the board. Level 5 is expensive, and the overhead isn’t always worth it.
And no one wants to be Level 1. Level 1 leads to unnecessary disruptions, unnecessary downtime, and unnecessary costs. It also leaves you wide open to attack.
So where do you want to be? It depends.
It depends on all those squishy things like culture and risk appetite that auditors can’t measure.
It depends on executive sponsorship (read: budget).
It depends on your customers’ expectations.
Like I said… it depends.
The positive here, though, is that you can perform a capability maturity assessment against your own organization and reprioritize your work by taking all of those factors into account, and you can do this on a control-by-control basis.
If you’ve not yet performed a CMM assessment of your infosec program, try these five (5) steps:
- Open a blank spreadsheet.
- Enter all the infosec controls that you feel are relevant to your organization.
  - If you work for a smaller shop, start with the CSSF.
  - If you work for a larger enterprise, give ISO 27002 a go.
- For every infosec control in your list, write down two numbers:
  - First, the CMM level that control is at today; and
  - Second, the CMM level you want that control to be at in the future.
- Float the completed spreadsheet by your leadership team, by whoever controls the infosec budget, and ask them to help you revise the numbers.
- Filter out the lines where your controls are already meeting your maturity targets, and focus on the maturity gaps when you start planning your security work for the coming year.
Want to go for extra credit? Then add these two (2) steps:
- Feed the finished product into your next risk assessment, and incorporate those maturity gaps (where you are vs. where you want to be) into the risk scores.
- Use that new and improved risk assessment to drive your security planning instead.
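The five steps and the two extra-credit steps above boil down to a small amount of bookkeeping, and it is easy to get the bookkeeping wrong by hand once the spreadsheet grows past a few dozen rows. The script below is an added example, not code from the original post: it reads a spreadsheet export (a constructed CSV with the column names assumed here; the control numbering follows ISO 27002:2013, but the maturity levels and risk ratings are made up), computes the maturity gap per control, drops the controls that already meet their target, and then folds the remaining gaps into a classic likelihood × impact risk score so the gap list can drive planning. The 25% per-level weighting is an assumption chosen for illustration; pick whatever weighting your leadership team will sign off on.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# The five CMM levels as described in the post.
CMM_LEVELS = {1: "Initial", 2: "Repeatable", 3: "Defined", 4: "Measurable", 5: "Optimizing"}

# Assumption: each missing maturity level adds 25% to a control's risk score.
GAP_WEIGHT = 0.25

# Constructed spreadsheet export. Column names are an assumption; the control
# numbering is ISO 27002:2013, the levels and ratings are invented for the demo.
SAMPLE_CSV = """control_id,name,current,target,likelihood,impact
A.9.2.3,Management of privileged access rights,2,4,4,5
A.12.3.1,Information backup,3,3,2,5
A.12.6.1,Management of technical vulnerabilities,1,3,5,4
A.16.1.1,Incident management responsibilities and procedures,2,3,3,4
A.7.2.2,Security awareness education and training,3,4,3,2
"""


@dataclass
class Control:
    control_id: str
    name: str
    current: int     # CMM level today (1-5)
    target: int      # CMM level leadership agreed we want (1-5)
    likelihood: int  # 1-5, from the risk assessment
    impact: int      # 1-5, from the risk assessment

    def __post_init__(self) -> None:
        # Reject rows that are not on the 1-5 scale so a typo in the
        # spreadsheet fails loudly instead of silently skewing the plan.
        for field in ("current", "target"):
            if getattr(self, field) not in CMM_LEVELS:
                raise ValueError(f"{self.control_id}: {field}={getattr(self, field)} is not a CMM level 1-5")
        for field in ("likelihood", "impact"):
            if not 1 <= getattr(self, field) <= 5:
                raise ValueError(f"{self.control_id}: {field}={getattr(self, field)} must be 1-5")

    @property
    def gap(self) -> int:
        # A control already above its target has a gap of zero: overshooting is
        # a budget conversation, not a maturity risk.
        return max(0, self.target - self.current)


def load_controls(csv_text: str) -> list[Control]:
    """Parse the spreadsheet export into Control rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        Control(
            row["control_id"], row["name"],
            int(row["current"]), int(row["target"]),
            int(row["likelihood"]), int(row["impact"]),
        )
        for row in reader
    ]


def base_risk(control: Control) -> int:
    """Plain 5x5 matrix score (1-25) before maturity is taken into account."""
    return control.likelihood * control.impact


def maturity_adjusted_risk(control: Control) -> float:
    """Extra-credit step: fold the maturity gap into the risk score."""
    return round(base_risk(control) * (1 + GAP_WEIGHT * control.gap), 2)


def maturity_gaps(controls: list[Control]) -> list[Control]:
    """Step 5: keep only the controls that are below their maturity target."""
    return [c for c in controls if c.gap > 0]


def plan(controls: list[Control]) -> list[Control]:
    """Gap controls ordered by maturity-adjusted risk, highest first."""
    return sorted(maturity_gaps(controls), key=lambda c: (-maturity_adjusted_risk(c), c.control_id))


if __name__ == "__main__":
    for c in plan(load_controls(SAMPLE_CSV)):
        print(f"{c.control_id:<9} {CMM_LEVELS[c.current]:<10} -> {CMM_LEVELS[c.target]:<10} "
              f"gap={c.gap} base={base_risk(c):>2} adjusted={maturity_adjusted_risk(c)}")
```

Run it as-is and the backup control (already at its target) drops out of the list, while the two controls with a two-level gap and a high base score float to the top. The `__post_init__` check is there for the revision step: when leadership hands the numbers back, a stray "6" or "0" gets caught at load time rather than after the plan has been published.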
If you want to bring some industry knowledge to the table, reach out to your infosec provider. Ask them to help. They should be THRILLED about having this conversation with you.
Managing an infosec program is a daunting task, and the amount of work on your plate is often overwhelming. By performing a maturity assessment, you can bring order to the chaos, and hopefully find a little sanity and a lot of success.
Walk. Then run. You’ll get there.
I’m Jerod Brennen (@slandail), an infosec pro who’s worked in the field long enough to have earned every gray hair in my beard.
By day, I’m a Security Architect with One Identity, an identity and access management solutions provider.
By night, I’m a husband, father, writer, filmmaker, martial artist, musician, and gamer.
I’ve spent my career fulfilling roles in consulting, higher education, retail, and public utilities. I consider it both a calling and a privilege to share what I’ve learned over the years with local and regional information security professional organizations, as well as attendees at larger information security conferences. In addition, I teach information security courses, both domestically and internationally.
At the end of the day, I just want to help folks get one step closer to doing what they want to do securely.