CMMI Institute

Cyber Maturity Means Being ‘Situationally Aware, Constantly Vigilant’

By E. Doug Grindstaff II, CMMI Institute Sr. VP of Cybersecurity Solutions

"Constant vigilance!" are the frequently uttered watchwords of the Harry Potter character Mad-Eye Moody, a highly trained defender against practitioners of the "dark arts." Like the Ministry of Magic that Moody defends, the best cyber-defended real-world organizations are similarly always on guard—always ready to recognize and defuse a cyberattack. That may seem simplistic or obvious, but has your organization truly embraced vigilance as part of its cybersecurity culture?

Of at least equal importance is building and maintaining a cultural emphasis on being "situationally aware." Historically, the term has been used extensively by the military, with varied meanings. What it boils down to for cybersecurity is being able to assess the threat environment, both over time and potentially in real time, with respect to your most critical data and systems, so that you can always make correct decisions even when the threat environment is rapidly changing. In essence, it means grasping the situation at hand and being able to see multiple likely outcomes. The goal is knowing which direction to steer to protect your organization.

Situational awareness and constant vigilance work hand-in-hand. Together, they might serve as catchphrases that help support the emergence of cyber-resilient cultures at companies that have learned to leave no stone unturned in setting up their cyber defenses. Persistent vigilance involves perpetual monitoring of your data, your network, your systems, your infrastructure. But it also entails actively gathering data from a variety of sources, internal and external, to get a bead on the threat scenario. That data, in turn, informs situational awareness.

There's a very clear difference between a situationally aware culture and one that is merely trying to ensure compliance. A compliance-driven organization seeks to align itself with a framework; a situationally aware organization is characterized by the mindset that its employees must be prepared for the threats directed at the organization's vulnerable points.

Building a Situationally Aware Culture

What are the key organizational behaviors that support building a situationally aware, cyber-resilient culture? Drilling down, you're looking for the culture to develop an awareness of, and sensitivity to, prioritized risks. You want the cybersecurity team to take ownership of identified best practices, incorporating both vigilance and awareness. It's important that these practices become habitual and persistent, so that everyone thinks: "This is something I have to do every day."

You want cybersecurity leadership that enables the team and keeps senior management in the loop about the evolving threats facing the organization. CISOs should be driving cultural change and institutionalizing the best thinking. Leadership should also enable the company at large by implementing training that will help thwart threats and mitigate undesirable outcomes. Lastly, situationally aware, cyber-resilient organizations assess and measure their defensive capabilities.

I like to sum this up with four words: awareness, enablement, measurement, and persistence.

What It Looks Like in the Real World

Once upon a time, a large U.S. business was hacked. The company's customer data was stolen, and the hack made headlines. Fast forward several years, and that company's transformed cyber defense culture offers an instructive look at what cybersecurity maturity looks like in the real world. The company created a culture that is incredibly situationally aware, very sensitive to what's going on, and highly trained in how to address any type of risk, and that continually tests and reevaluates the organization's capabilities. It actively trains its employees and even offers them financial rewards as incentives to increase and retain their knowledge.

When I talked to them two years ago, they explained how they started by bringing in people from the NSA, the FBI, and the CIA to help them build a culture that was continuously evaluating cybersecurity. They had teams watching server activity around the world. They identified specific threat sources, in their case, approximately six nation-states, and they were continually replicating the kinds of attacks emerging from those bad actors to test their readiness to withstand them. The company had a team that did nothing but monitor the activity of these six or so bad actors.

When you talk about maturity at the highest level, it's about optimizing, which means that you can generate predictive analytics. One of that company's capabilities is to anticipate and identify when a threat source might generate an attack. Such a system might rely on classifying activity levels, common behaviors, or anything else that could indicate an attack is underway. By characterizing the attacks, they were able to create a flow of intelligence that could classify on the fly what an attack might do. One team at the firm was devoted to simulating these attacks.

Another major leg supporting the company's security transformation was a significant push to train all relevant employees to recognize cyberattacks. Arming their employees with knowledge added to the organization's resiliency by creating a second line of defense. So, for example, say somebody set up a new system without following proper protocol, and it became a point of vulnerability. That system would be surrounded by other employees who could recognize its vulnerability and alert the organization to address related exploits. Every quarter the company trained and evaluated more employees. It affected their pay scale and was part of the measurement system. The upshot: awareness was ingrained into the everyday practice of how employees did their jobs.

The CMMI Cybermaturity Platform enables organizations to assess their capabilities continuously, an excellent step to guide you down the path toward cyber resiliency. Based on industry best practices and regularly updated, it provides a platform for continuously building, reassessing, and evolving mature capabilities.

Old Mad-Eye would probably feel right at home in a situationally aware, cyber-resilient culture. Everyone else: practice getting comfortable with being uncomfortable. Over the long haul, you'll be better off for it.