Cybersecurity is on everyone’s mind, especially with sites from government to cryptocurrency exchanges being targeted. The Security Maturity Model (SMM) is a tool for assessing an organisation’s effectiveness at achieving a particular goal. Using a tiered model, it helps to identify the current state of cyber security through the observation of practice and risk mitigation techniques. This assessment can assist in creating a strategic direction towards achieving an acceptable risk level and help to determine the degree to which compliance with governing laws and regulations is achieved. In the context of cyber security, maturity models can help to distinguish between organisations in which security is baked in and those in which it is merely bolted on.

Organisation-wide improvements can take time; in cyber security, a maturity model gives an organisation’s leadership a way to measure the progress made in embedding security into its day-to-day and strategic operations.

An entity with a mature security risk culture is one where the leadership team and personnel demonstrate:

  1. understanding of the entity’s security risks and risk mitigation strategies
  2. performance of the entity in:
    • implementing the minimum core and supporting requirements in relation to its risk environment
    • driving a strong security culture through awareness of agreed security behaviours
    • identifying and implementing changes that achieve robust security outcomes
    • using resources efficiently and effectively to protect people, information and assets
  3. assurance that the entity’s:
    • people, information and assets are adequately protected consistent with government policy
    • security risks are managed appropriately (including security incidents), with clear lines of accountability, sound planning and proportionate reporting.

Improving the trust in your data offers several potential benefits:

  • Process Automation – provides confidence to (further) automate your real time decision making, which will drive down costs and improve performance.
  • Reduced Risks – minimising the chance of a cyber attack (fraud, data tampering) reduces legal and economic risks.
  • Increased Business Trust – a blockchain-based system will increase trust, thereby reducing accidental or intentional fraud.
  • Accident/Litigation Clarity – with operational and environmental data stored immutably, and its provenance assured, the information stored within ledgers will provide the ground truth data needed to help determine the root cause of problems within the system. [3]

The SMM is a core piece that focuses on the end-to-end security of the data. The SMM discusses the need to protect your data in use, in motion and at rest.

Protecting mission-critical environments requires security that scales from edge to cloud, across systems and suppliers. However, as John Y said in a blog post entitled ‘New Guidance on Risk Management for Cyber Security’ (2017), “there is no single method for doing risk management for cyber security which can be applied universally, to good effect”. [1]

With that in mind, one needs to examine the business objective, the enabling processes and systems, and finally the associated threats and vulnerabilities. Analysing these areas will produce the most tailored and cost-effective security strategy.

While cyber security does not begin and end with technical considerations, for the purposes of this article we will define two specific areas of consideration: component-driven and system-driven risks.

Component-driven risks are focused on systems: components which you have no control over, but which your system depends on. These include:

  • hardware (computers, servers, etc.)
  • software
  • data sets
  • services
  • personal information
  • business critical information
  • staff

System-driven approaches focus on the goals and purposes of the system and the system as a whole. They explore interaction failures or flaws and the way these components interact. Where does the risk come into this? An example was a situation I encountered where automated security doors letting people in and out failed.

The model below introduces the idea that you can analyse risk in fundamentally different ways. We look at WHAT should be achieved by the system compared to the bottom two layers that analyse what could go wrong. They are both valuable when applied to the right problem.

To find out more about how to secure your organisation please contact us.

Sources:
1. https://www.ncsc.gov.uk/guidance
2. https://www.protectivesecurity.gov.au/
3. https://www.rti.com