You must learn to crawl before you can walk. You have to walk before you can run. Business growth, its continuity and cybersecurity are entangled, according to scientific research (Source: Chang SE). In reality they largely remain in separate silos. From the initial steps, we need to think agility, sustainability and scalability, as the program has to support the evolution of the organization. We require every stakeholder's buy-in, not just at management level. We need to align on what, why and how the organization will be protected and on what our risk tolerance is. Cybersecurity is one of the major managerial challenges, as it deals with the management of a complex system where wrong decisions may lead to poorer performance of the entire organization (Source: Jacobs MA).
Clear summer skies enable star gazing. While admiring Jupiter the other night, it made me think of a cybersecurity program. I associated its moons with the key domains of cybersecurity: information security governance, risk management, compliance and incident management. As with Jupiter and its moons, everything is interconnected.
When an organization is competent and capable of providing a high level of security, it is also efficient with respect to its planning, organization, implementation and investment activities. Here is a business case: incident management (security services), whether in-house or outsourced, reflects your cybersecurity program maturity. Your security services (SOC) are your business risk dashboard. Business continuity depends on how agile and accurate that business risk dashboard is. Cybersecurity maturity helps the business risk dashboard become more accurate and lets the organization: provide services for its customers without interruption, protect sensitive customer and proprietary information, comply with the laws and regulations that govern its operations, report the current security posture, benchmark against the industry, justify and optimize security investments, balance the cybersecurity portfolio, security strategy and roadmap, and help CISOs communicate security to the board. Which cybersecurity maturity approach your organization should choose to implement is a tactical step.
There are different methods that help assess cybersecurity maturity level, and some are better than others at bridging the technical side of it to near real-time business decision making. Let's take a look at a few.
Despite the initial wave of Security Operations Centers (SOC) being established in the early 90s and the second wave about 7 or 10 years ago, it is rather surprising that a relatively small percentage of organizations are ready to embrace SOC Productivity Optimization, which Gartner associates with the 'Forward Leaning' SOC Maturity Level. The reality is that many organizations struggle to understand what security maturity level they are currently at and to build a roadmap that helps accelerate cybersecurity maturity for the purpose of supporting business growth and improved business continuity.
Fig. 1. Example of Tooling a Modern SOC Against Maturity Level and Capabilities. Source: Gartner
In the report 'Battle for the Modern Security Operations Center, 2020', IDC lists five Security Operations Maturity Levels (Fig. 2). The model reflects integrated security operations and links technical operations to business goals, which is key to achieving agile security.
Fig. 2. Security Operations Maturity Levels.
In our 2020 survey of 50 global SOCs we have identified that how a SOC defines its goals indicates its maturity level.
Based on our observation, probably the most recognized amongst CISOs is SOC-CMM (Security Operations Center Capability Maturity Model). It is a process and behavioral model that helps organizations streamline process improvement and encourage productive, efficient behaviors that decrease risks. Even though the CMM was originally used as a process improvement tool for software development, it has been successfully adopted for driving SOC maturity (Fig. 3).
Fig. 3. Security Operations Center Capability Maturity Model. Source: SOC-CMM
CMM focuses heavily on performance: how performance impacts the business and how to understand an organization's performance needs. It describes how to establish performance goals and then track them to make sure they are achieved at all levels of business maturity, and how to lower the overall cost of appraisals and shorten the time they take, so leaders can get other executives on board. It provides a means for measuring growth of the SOC, thereby demonstrating the return on investment in the SOC.
There are a number of SOC maturity levels proposed by various InfoSec vendors which frequently focus on the purely operational (technical) level. The cyber maturity path proposed by KPMG goes beyond the typical cybersecurity domains, includes the human factor and places its focus on business continuity.
Fig. 4. Cyber Maturity Lenses. Source: KPMG.
For example, NIST explicitly states that the implementation tiers do not indicate a maturity level, but are designed to act as a benchmark for taking stock of current cybersecurity risk management practices and for helping organizations develop plans to improve their cybersecurity posture, which affects business continuity.
But the question still remains: are we doing enough to embed the alignment of risk priorities with business strategy into the cybersecurity maturity roadmap?
At Quantum Cybersecurity Skills our approach to cybersecurity maturity is reflected at all organizational levels (Fig. 5). It is technology agnostic and enables organizations to take advantage of existing mechanisms and resources that allow orderly and agile exploitation of data to generate an actionable risk interpretation in three ways: for the technical level, accelerating the continuous processing of data in the day-to-day; for the tactical level, presenting monthly the situational state of security as well as the state of customer service; and above all, for the strategic level, making decisions based on risks, ensuring the continuity of the business.
Fig. 5. Cybersecurity maturity path by Quantum Cybersecurity Skills.
Our approach is not trying to re-invent the wheel. We have incorporated a number of cybersecurity maturity modules within our approach. The main differentiator of the Quantum Cybersecurity Skills cybersecurity maturity path is its focus on bridging the technical, operational, legal, compliance and other aspects of cybersecurity so that they are aligned with business goals in a more dynamic way, with the ability to measure the success of that alignment and track any changes.
We strongly believe in cybersecurity excellence being present at all business verticals and exercised as a daily 'norm':
At the Operational Layer, we can help you add speed to risk identification and mitigation by running automated breach & attack simulations and pen-testing and by fine-tuning security controls. Book our Proactive & Reactive Security Services.
At the Tactical Layer, we can help with hardening your platforms, systems and applications, preparing for compliance audits, and advising you on tactics that help reduce the expected frequency of data breaches and lower data breach costs. Book our Continuous Improvement Services or MDR Services.
At the Strategic Layer, we can help you align risk priorities with the business strategy, take full advantage of your security services to act as an internal, trusted risk advisor to the Board, and teach the methods of data quality needed to compute risks early. Book our SOC/MSSP Optimization Service.
In a nutshell, our cybersecurity programs need to sustain business agility and growth from the start; we need to achieve cybersecurity maturity faster, ensure cybersecurity excellence is exercised on a daily basis, and make a better effort to pragmatically align cybersecurity with business goals.
#IncidentManagement #OperationalResilience #ProactiveSecurity #ReactiveSecurity #SecurityServices #SOC #SOCoptimization #SOCproductivity #SOCscalability #SOCsustainability #SecOps #SOCsuperposition #InfoSec #RiskManagement #MDR #MSSPs #AgileSecurity #BusinessContinuity
Organizations that are able to take full advantage of their Security Services (SOC) are leaders when it comes to reducing business risks and operational costs and improving resilience and business continuity. Scale and sustain the resources that you already have - it's part of an agile and integrated risk management strategy.
Quantum Cybersecurity Skills has been co-founded by seasoned SOC Managers to help the SOC Managers and CISOs out there. We are your trusted Partner to deliver continuous SOC productivity optimization aligned to the ISO 27001 PDCA cycle, proactive and reactive security services, MDR and professional risk mitigation services. Our services are applicable to organizations of any size in any industry, whether they run an in-house SOC / CSIRT / CERT or outsource to an MSSP. We run operations in the UK, Canada, Mexico, USA and Spain to meet customers' Data Privacy requirements.
Reach out to us: