Democratization of Security Information Reduces Cybersecurity Risk
By E. Doug Grindstaff II, CMMI Institute Sr. VP of Cybersecurity Solutions
One of the biggest challenges to managing cybersecurity risk in a multinational company — or any distributed organization, for that matter — is ensuring a risk-aligned and consistent cybersecurity approach across the entire enterprise. How do you make sure everyone is aligned around the same understanding of the organization’s security needs, and consistently builds the capabilities needed to address the organization’s biggest risks? A chain is only as strong as its weakest link — and if there is a weak link, you can be sure that attackers will try to find it.
The challenge is hard enough for a mid-sized company with a few locations. For an enterprise with facilities across the globe, it can be extraordinarily difficult, given the differences in expertise, cultural background, language, and technology — in addition to the physical distance between locations. When you have people in Singapore, New York, and Argentina, how do you make sure they all have the same understanding of the company’s most significant cybersecurity risks and the capabilities needed to address them?
High-level Frameworks and Black Box Methodologies Don’t Solve the Problem
Organizations have wrestled with this cybersecurity risk problem for years, of course. One commonly used strategy is to adopt a common framework or standard across the whole organization, such as ISO 27000. But these frameworks typically describe security requirements at a very high level — they don’t provide the level of detail that enables an organization to consistently implement best security practices at every location. Translating those frameworks into everyday operational capabilities and procedures requires specialized expertise and a lot of time and effort.
Organizations often ask consultants to perform an enterprise-wide assessment and define what’s needed. But that approach is expensive, and brings its own issues. Consultants frequently employ “black box” proprietary methodologies to conduct analysis and make recommendations, and they keep their methodologies to themselves. That approach may help companies respond to current threats, but it doesn’t help them build the organizational knowledge they will need in the future to continue adapting their strategy as new cybersecurity risks emerge and business priorities change.
Exacerbating the problem is the continuing shortage of security professionals, which makes it harder for organizations to build and maintain a high level of internal expertise. According to the ISACA State of Cybersecurity 2018
survey, 59 percent of enterprises have open security positions, and most say it takes at least three months to fill them. Many experts expect the shortage to increase from hundreds of thousands today to millions over the next few years
When we started researching the requirements for the CMMI Cybermaturity Platform
a couple of years ago, input from many large organizations worldwide made us quickly realize that we could help solve this problem, in part by providing the best-practice information that’s missing from high-level frameworks. Accordingly, we designed the platform to enable companies to use their own limited internal resources to assess and build a consistent level of cybersecurity best practices across every location worldwide.
It works like this: Based on each organization’s assessment of its cybersecurity risks
, the platform defines the company’s unique risk profile, the specific cybersecurity capabilities needed to mitigate the enterprise’s biggest risks, and target maturity levels for each capability. Unlike high-level frameworks, the platform dissects these broad security capabilities into very specific best practices that can be understood by staff with differing backgrounds and levels of expertise.
‘Automating’ the Cybersecurity Risk Consultant
Thus, the platform effectively automates the expert
: It does the consultant’s job of translating the high-level goals of a framework into everyday cybersecurity practices that directly address the company’s risks. For example, the platform describes each of the practices involved in vulnerability scanning, ranging from low to the highest level of maturity. Does the company use automated scanning tools to look at all the systems on the network? Does it conduct those scans at least once a week? Are those scans executed from a dedicated account with appropriate administrative rights?
Now the organization no longer has to rely on external expertise to assess its cybersecurity capabilities, define what’s needed, and communicate the information across the company. Instead, internal staff at each location can use the platform to assess whether their facility’s current security practices meet target maturity levels, and can monitor progress toward those targets over time.
I think of this as the democratization of security information
. And in fact, we’ve found that the platform fosters democracy in more ways than one. It not only empowers employees across the enterprise to participate in assessing the organization’s cybersecurity program; it also elevates their expertise by educating them about best practices for managing cybersecurity risk.
The platform also builds institutional knowledge and disperses that knowledge throughout the organization. As employees at each location assess capabilities at a local level, the platform consolidates the information into an enterprise view of the organization’s cybersecurity status. That information can then be used across the organization to track progress and set priorities. Because the platform is updated at least every six months with new information and best practices, it also helps the enterprise adapt its strategy and practices over time to meet new risks and business requirements.
Because the platform captures information about individual facilities, it provides a way to compare locations and analyze any differences in their security capabilities. This helps to spot any weak links in the chain and figure out what’s needed to fix them. We’ve discovered that companies find this very useful: A side-by-side evaluation of different business units tends to highlight inconsistencies that previously went undiscovered. The assessment process also triggers important internal conversations about each facility’s current capabilities and the implementation of best practices.
Empowering the Organization
The cybersecurity landscape is global; attackers may exploit security weaknesses in any country and create disruption across an entire multinational organization. It’s more important than ever to make sure everyone in the distributed organization has the same understanding of the organization’s risks and capabilities, and to consistently apply security practices at all facilities worldwide. The CMMI Cybermaturity Platform
is designed to help, by translating abstract frameworks into best practices that address the organization’s biggest cybersecurity risks — without the need for expensive external expertise.