CMMI Institute



The Copernican Shift in Managing Cybersecurity Risk: From Compliance to Capabilities

By E. Doug Grindstaff II, CMMI Institute Sr. VP of Cybersecurity Solutions

As jurisdictions around the globe increasingly target cybersecurity with new regulations, an understandable focus on compliance with security standards and frameworks is driving cybersecurity strategy at many companies. In part, this preoccupation with compliance reflects a quest for ways to structure and measure effective security programs. But it also reflects the growing recognition at board level that cybersecurity is an issue of enterprise risk. Boards are looking for objective evidence that the company is adequately managing cybersecurity risk; some believe standards compliance checks that box.

The problem is that “checking the box” doesn’t measure how well the organization is mitigating its real business risks from cybersecurity. As Paul Watts, CISO for Domino’s Pizza, U.K. and Ireland, said recently: “All the compliance and certification in the world is no substitute for a solid foundation for cyber defenses, and I know of organizations that have been breached by [penetration] testers—even though the CISO had a string of certifications and had implemented a host of high-grade security controls.”

It’s not that compliance is unimportant—but it should be the natural by-product of a strong cybersecurity strategy, not the goal. I believe that a Copernican shift is needed. Just as the astronomer Copernicus determined that the earth orbits the sun—not the other way around—mature enterprise cybersecurity doesn’t orbit regulatory compliance.

Enterprise cybersecurity strategy should focus on identifying the organization’s unique set of risks, then prioritizing investment in security capabilities to mitigate those risks. Mature capabilities and best practices that are designed to reduce enterprise cybersecurity risk also tend to result in compliance with security standards and frameworks. Security capabilities become the engine driving the cybersecurity strategy—and compliance becomes that engine’s exhaust. 

A Disruptive Shift in Cybersecurity Risk Mindset

This is a disruptive shift in security mindset, and it has potentially far-reaching consequences. Instead of using an external framework as your starting point and trying to align your company to it, you begin by looking at your company’s business risks and the capabilities needed to address them. All organizations have limited resources, and it’s vital to focus those resources on the most important cybersecurity risks. By focusing on capabilities instead of chasing compliance, you’re investing in the things that matter most to your particular enterprise. Instead of checking boxes, you’re addressing the real business risks.

Although this represents a radical departure from the way many businesses think about cybersecurity today, our experience is that companies find it both logical and intuitive. When we started discussing this concept with enterprises two years ago, we discovered that they “got it” immediately. In fact, many of them said they needed a platform that supported this approach, because existing standards and frameworks didn’t do the job. Furthermore, they told us what features they needed the platform to provide. Those conversations helped direct the development of the CMMI Cybermaturity Platform, which is designed to let companies focus cybersecurity investment specifically on capabilities that mitigate their highest-priority cybersecurity risks. 

The platform enables companies to take a strategic approach to cybersecurity, based on viewing security through the lens of enterprise risk. It captures the company’s biggest risks as well as its risk tolerance, which is often determined at C-suite level. Each company assesses the likelihood and potential impact of specific incidents such as third-party compromise or breaches of personal information. Those risks can vary greatly between industries and even between individual businesses; banks’ biggest concerns differ from those of transportation companies or nuclear power plants.

Based on the organization’s risk profile, the platform automatically homes in on the security capabilities that are needed to mitigate the company’s most important cybersecurity risks. It identifies the target maturity level of those capabilities and translates them into a comprehensive set of security practices required to achieve that level. Companies assess their current cybersecurity maturity level, compare it with their targets and prioritize investment where it’s needed to fill the gaps. This shifts the emphasis from a static, tactical approach focused on plugging gaps in standards compliance to a dynamic, strategic approach focused on investing in capabilities that are valuable over the long term.

The words strategic and dynamic are key. Cybersecurity capabilities are the foundation of cybersecurity resilience: the ability not only to detect and ward off most threats but also to survive successful attacks and mitigate their impact. Resilience is an essential strategic goal, because the cybersecurity landscape changes rapidly and unpredictably as threats evolve and new attack surfaces are created.

The platform is also cloud-based and frequently updated to stay abreast of the rapid changes to the security environment. In contrast, standards change at a glacial pace; they may be updated only every few years. Completing the Copernican shift, the platform also translates the organization’s capabilities into compliance reports. It automatically maps cybersecurity capabilities against major standards and frameworks such as ISO 27001 and the NIST Cybersecurity Framework (CSF).

This approach provides a more direct and effective method for giving the board an objective view of cybersecurity risk strategy and threats, thus helping to drive informed board-level investment decisions. It presents security in terms that the board already understands—the language of enterprise risk mitigation—instead of an abstract discussion of compliance with standards.

A Strategy for Digital Transformation

The digital transformation sweeping across all industries means that technology strategy is inseparable from business strategy, and cybersecurity risks are no longer an issue for IT only. A strategic approach to mitigating cybersecurity risk is therefore integral to helping a company achieve its business objectives. Focusing on capabilities, rather than compliance, shifts the perspective to enterprise risk instead of checking boxes. It helps the company strategically direct investment to mitigate the most important risks.

In other words, if you’re doing the right things to protect your business, compliance will naturally follow.