The 2019 Gartner Security and Risk Management Survey confirms that 73% of organizations worldwide espouse the NIST Cybersecurity Framework (CSF). The NIST CSF focuses on five core functions: Identify, Protect, Detect, Respond, and Recover. These categories cover all aspects of cybersecurity, making this framework a complete, risk-based approach to securing almost any organization.
The NIST CSF has been updated since this article was published. NIST CSF 2.0 includes updates to the core functions, including the 'Govern' function, improved information references for implementation, and a renewed emphasis on supply chain risk management.
Although NIST CSF adoption levels are high, risk management initiatives lack business participation and financial investment. Security and risk teams suffer from exhaustion due to a control-focused CSF implementation, which leads to a checkbox exercise informing senior management and the board about the organization’s cybersecurity posture. One way to set realistic expectations is to take a “risk-based approach.”
However, before switching to a risk-based approach, organizations must decide where they fall on the maturity scale and what GRC solution they will use. Different degrees of maturity enable the implementation of a NIST CSF framework.
What is Compliance Maturity?
Cybersecurity maturity refers to an organization’s ability and degree of readiness to mitigate vulnerabilities and threats. The more ‘mature’ a company’s cybersecurity practices are, the better equipped it is to prevent threats before they become breaches.
Organizations setting up a cyber risk management plan for the first time must start with a risk analysis and determine which identified risks are the highest priority. Companies often fail to create new risk management programs by adopting something that already exists but doesn’t match their goals. They essentially try to fit a square peg into a round hole.
It’s imperative to identify industry-specific goals to frame what risk prioritization should be. NIST CSF tiers can act as a guide between cybersecurity risk management and operational risk management. NIST CSF implementation should be continuous and repeatable but also flexible. Inflexible approaches may seem ideal initially, but since the landscape of risk changes so often, organizations will suffer from a process that only creates more gaps when it refuses to shift with new threats.
To start determining maturity level and how to increase your security posture, you must first decide the goals. Is it no risk, ever? If so, that is unattainable unless no one at your company uses anything digital. It’s better to ask what an acceptable level of risk is. Many “immature” organizations don't have a solid grasp of risk and simply say, "I accept the risk," without understanding their agreement. Another goal could be remediation. How do you identify the risk, qualitatively/quantitatively measure the risk, and then create the plan to reduce the mitigate risk to an acceptable level?
Let’s look at the different maturity levels and how they apply to security posture.
Compliance Maturity Level 1: Initial
This is the starting point of a new process with the bare minimum guidelines organizations must achieve to stay compliant. There is little support from other departments or top-level executives to perform risk assessments, and there are typically no risk policies. Security teams at this level of maturity might be spread thin and not have the bandwidth to monitor all aspects of regulatory compliance and risk successfully. Compliance programs may not be formed yet. This approach is more than a little chaotic at times.
Although managing compliance is a necessity, companies leave themselves vulnerable to threats that don’t fit in bare minimum compliance requirements by addressing risk from a compliance-only perspective. At level one, some things that can be addressed to help you reach a more mature stage can be found in automation. Specifically, report generation and dashboarding give important insight into risk without digging through spreadsheets. Workflows can be automated to free up time for other projects, and the return on security investment (RoSI) can be calculated for cybersecurity Board reporting.
However, this approach is still compliance-centric at its core, and it offers little data mapping or comprehensive risk insight.
Compliance Maturity Level 2: Developing
At this level, organizations have become less compliance-centric and more business outcome-centric. Security teams are starting to assign risk management responsibilities, a risk policy is being formed, and a cybersecurity risk register is being created. The process is beginning to be documented so that the same steps can be repeated or reassessed.
These procedures act as a guidepost for a more disciplined approach to cybersecurity. By improving risk mitigation and control monitoring, organizations reduce the likelihood of attacks and disruptions of day-to-day business processes.
At this stage, executives and security leaders still benefit from information on RoSI and how it applies to their program and workflow automation. Companies can engage in more detailed risk modeling to calculate cyber risk. With automation options available through platforms like CyberStrong, the bulk of the risk assessment burden can be taken from security teams.
There’s still more that can be done here to increase maturity, though. At this level, cyber risk assessments aren’t scheduled regularly, and leadership isn’t always on board with cyber practices.
Discover more about cybersecurity risk assessment templates here.
Compliance Maturity Level 3: Defined
This is where organizations are becoming serious about a risk-first approach to cybersecurity. Leadership supports formal strategic planning for cyber risk management, and automated risk assessments are scheduled proactively instead of once a year or every two years. Critical control gaps are being addressed and managed to allow a proactive response to deal with emerging threats. Governance has been formed.
This is where we see a shift toward thinking about risk in a business context. Instead of adhering to the bare minimum of compliance processes, maybe with some threat assessment sprinkled in, teams start to think about reputational and organizational risk and how it can be mediated.
At this level, though, there might still be an excess of time spent in spreadsheets checking boxes. There can be a waste of precious funding on security controls that don’t change the organization’s risk profile.
Compliance Maturity Level 4: Managed
Here, the data is beginning the mapping process to assist in making more informed decisions when risks and vulnerabilities crop up. This step has empowered the C-suite to make more informed decisions to bring their cyber practices up to modern standards. A top-down cyber-aware culture has influenced the way employees see integrated risk management.
Organizations are starting to see the need to quantify cyber risk to more accurately assess RoSI and positively influence business decisions. Instead of constantly shifting short-term goals, goals are being addressed with long-term objectives. Teams are becoming more agile and evolving quickly to address the industry's constant change.
But even with this risk first shift, automation can significantly decrease the time spent on reports. With automated crosswalking of frameworks, assessments can be done in hours instead of days.
Compliance Maturity Level 5: Optimizing
When companies optimize their processes, they assess risk and compliance continuously. The data collected consistently improves cybersecurity risk management and drives risk-first decision-making. Governance is driven by high-level executives and management and implemented through security teams. The board is actively invested in cyber posture, and a deliberate process focuses on optimization and improvement.
Executive-level buy-in here is critical in reducing a risk footprint. That can be achieved by creating a narrative that presents cybersecurity initiatives in business terms. Once a risk-aware, top-down culture is implemented, companies can make more insightful decisions that will allow them to manage threats proactively.
Use our Board Reporting Template to construct a robust, insightful cyber risk narrative.
Two key things are missing at this level: continuous control automation and real-time risk management.
Compliance Maturity Level 6: Dynamic
At this top tier, we see a true continuous assessment of risk and compliance. The risk-aware culture company-wide is flourishing, and risk is fully integrated into all strategic decision-making. There is full transparency at the board level, and the board understands and collaborates on risk management policies. Risk Operations Centers have been created to further supplement security operations centers.
Businesses and cybersecurity are completely aligned at this level and work seamlessly to manage cyber risk. Threat environments are continuously monitored through automation, and tweaks are made regularly to a flexible cyber risk strategy.
This layered approach allows for the highest level of protection for vital assets.
Wrapping Up
Gartner’s research between 2014-2018 shows that approximately 41% of clients had either not selected a framework or had developed their own ad hoc framework. Failure to choose any framework and/or build one from scratch can lead to poorly designed security programs. Organizations can increase their security maturity one level at a time by mapping long-term goals, determining ideal risk posture, and receiving executive buy-in. It’s not a process that happens overnight, but choosing the right GRC tools is vital in achieving a higher maturity level.
By proactively taking steps to mitigate and understand potential risks, companies set themselves up for success by doing their best to avoid incidents. To learn more about how automation can increase your maturity level and supplement your existing GRC platform, meet with CyberSaint.
