CMMI Institute

Taming the Wild West of Cybersecurity Risk

By E. Doug Grindstaff II, CMMI Institute Sr. VP of Cybersecurity Solutions

Cybersecurity today can feel like the Wild West of old. It’s chaotic, fast-changing, and unpredictable. New threats emerge without warning, wreaking havoc on organizations and individuals alike. Society hasn’t yet figured out how to impose order on the chaos. And unfortunately, the good guys don’t always win.

Clearly, something needs to change: managing cybersecurity risk has become a critical issue for any business. But before I dive into how to solve the problem, I’d like to spend a few words discussing an analogous period in software history that offers important pointers on how to tackle cybersecurity risks today.

I’m referring to the Wild West days of software development: the so-called software crisis, which started in the 1960s and continued well into the 1980s. During this period, software became mission-critical as organizations increasingly relied on technology to run their operations. Yet software development was notoriously chaotic and unpredictable. Software projects were nearly always late and over budget. And when the software was finally delivered, the quality might be terrible; it frequently failed to meet requirements and was riddled with bugs.

Solving the Software Problem

Nowhere was the software crisis a bigger concern than in national defense. By the 1980s, the U.S. Department of Defense had realized that software was an issue of national security. Jet fighters were essentially evolving into computers with wings — and it was unacceptable to experience the equivalent of the “blue screen of death” when operating at 35,000 feet.

Those concerns led the DoD to fund the development of a framework that evolved into the CMMI product suite. The initial goal was to find ways to solve the key problems that characterized the software crisis—addressing software reliability, resilience, predictability, and performance. The collaborative effort, involving industry, academia, and the government, created a framework for building and assessing organizations’ software development capabilities. The framework pulled together and organized established and emerging best practices for software development. It effectively helped companies bring order to previously chaotic and unstructured processes; it also provided a way to measure and compare organizations’ development capabilities.

The effectiveness of this approach led to broad adoption within the defense community. Many DoD contracts began requiring suppliers to demonstrate a specific maturity level as validation of their software development capabilities. CMMI subsequently expanded in scope to embrace a broad range of key business functions and processes, and the technology was widely adopted by other industries. Today, thousands of companies in more than 100 countries use the CMMI product suite; they include some of the highest-performing software operations on the planet.

A Fresh Approach to Managing Cybersecurity Risk

Back to today’s world of cybersecurity risk. Cybersecurity has become a business-critical issue, just as software rose to critical importance back then. And despite the establishment of security standards and the development of successive waves of new security tools, most organizations haven’t yet found a way to successfully manage cybersecurity risk. That’s reflected by surveys that show 87% of boards and C-suite executives lack confidence in their organizations’ cybersecurity capabilities.

We realized that a fresh approach was required, and that we could help. So, two years ago we started work on a platform designed to address the problem. We started from a clean slate, reimagining what is needed for cybersecurity risk management while drawing on our 30 years of experience helping companies improve business performance. Many other organizations provided ideas that helped guide the development. The result, the CMMI Cybermaturity Platform, helps organizations build cyber resilience. It recognizes that cybersecurity is an enterprise risk issue that requires a strategic approach to risk mitigation, enabling organizations to not only prevent and detect attacks, but also successfully survive them. Some of the key themes:
  • Managing enterprise risk. In a highly dynamic threat environment, each organization needs to focus its limited resources on the most serious enterprise risks. Those risks are different for each company: a manufacturing company has different cybersecurity vulnerabilities and priorities than a software firm or a public utility. So, the platform begins by defining the organization’s unique risk profile. That risk profile then determines the specific capabilities that are required to address the organization’s cybersecurity risks, enabling resources to be deployed for the greatest effect.
  • Empowering the entire organization. The platform engages people across the organization in measuring and tracking capabilities and cybersecurity gaps. This approach embeds security expertise throughout the business, enabling the organization to continuously manage and monitor the improvement of its security capabilities.
  • Moving fast. We recognized that existing security standards cannot move fast enough to keep up with fast-evolving cybersecurity risks. Security standards may only be updated every few years; security threats can morph daily. The cloud-based CMMI Cybermaturity Platform is designed to be frequently updated to incorporate new practices and information. This helps organizations respond in real time to the changing cybersecurity risk environment.
  • Communicating to the board. Boards are rapidly recognizing that cybersecurity is an issue of enterprise risk, not just an IT challenge. Yet one of the biggest obstacles for CISOs is the difficulty of communicating cybersecurity risks to the board in terms that they can easily understand. The platform aims to plug that gap. It represents the organization’s cybersecurity capabilities and gaps in straightforward bar charts that are easy for board members to understand, and enables benchmarking against other companies. It helps CISOs answer board questions about where the company is most exposed, where it needs to invest, and how it compares to others.

Civilizing the Frontier

The Wild West was an exciting time in history. But when it comes to cybersecurity risk, most of us would prefer not to live on the lawless frontier. I believe that the CMMI Cybermaturity Platform will help companies bring structure and control to the chaotic cybersecurity environment, enabling them to deploy cybersecurity best practices to effectively mitigate enterprise risks and quickly adapt to fast-changing threats.