How Mature is your Information Security & Privacy Program?

Over the weekend a friend asked me how Phenomenati assesses the maturity of Information Security & Privacy programs for our prospects and clients.

I offered them the following, which borrows from CMMI but is adapted to emphasize a few points:

Level 0 – Motivation

Level 1 – Implementation

Level 2 – Operation

Level 3 – Governance

Level 4 – Optimization

Some phenomena we have observed on this maturation journey…

In the “Motivation” phase, some business imperative has raised the urgency to create or improve an actual Information Security & Privacy program. This may have been an attack or incident, may be new legal obligations (e.g., emerging regulations), perhaps the Cyber Entropy™ of their infrastructure has reached a critical point, or may be due to demands from their own clients or insurance providers. Often these businesses should start with a simple Assessment of their existing environment, preferably using some recognizable industry standard (ISO, NIST, SOC 2 TSCs, etc.).  The purpose is to identify relevant gaps in their existing controls… and prioritize them by the actual Risk they present to the business.

In the “Implementation” phase, the business has begun to address the gaps in its existing controls and practices by investing in new people, processes, and technologies. New staff are being brought on board, new policies are being written and socialized, new procedures like Security Awareness training are being implemented, new technologies are being evaluated and deployed. The caveat here is that this is not simply a checklist of tasks to be completed. Too many leadership teams get to this point and feel “Ok. We’re done. We’re secure.” Sadly, they are not.

In the “Operation” phase, the business actually has to OPERATE their new controls. Procedures need to be followed, consistently. Information needs to actually be labeled. Some level of Threat Intelligence should be gathered and reviewed. Monitoring & Detection needs to be staffed. Vulnerability and Patch Management needs to be rote discipline. Onboarding and Offboarding of Staff and Vendors need to be fully coordinated and automated. Data Retention Policies & schedules must be enforced with automation. Legal Holds must be enforceable. Policy violations need to be documented and dealt with, appropriately. Backups and Plans (IRP, DRP, BCP) need to be regularly practiced and TESTED. This stage is where most organizations falter. "Why" is a topic left for another discussion… but the most common reason we encounter is under-investment in sufficient resources. Establishing an effective Security Operations capability is non-trivial. Most, eventually, will decide to outsource much of their Security Operations to an MSP or MSSP, and their Privacy Operations to an external Data Protection Officer (DPO). While cost-effective, these external service providers will always lack an understanding of the Context of the business.

In the “Governance” phase, the organization has matured to acknowledge the Obligations (legal, regulatory, contractual, ethical, etc.) to protect information are perpetual. Stronger passwords, multi-factor authentication, and annual security awareness training are never going to be sufficient to meet those obligations. Here the organization will begin to formalize and staff ongoing governance activities including Business Impact Analysis (BIA), Privacy Data & Processing Inventories (including Privacy Data Flow Diagrams), Privacy Impact Assessments (PIA), Data Subject Access Request (SAR) procedures, Risk Identification & Assessment (e.g. Risk Scenarios tracked in Risk Registers), Risk Management & Treatment decisions (reject, accept, mitigate, transfer), including formal Third Party Risk Management (vetting, monitoring, auditing, etc.), Privileged Access Management (PAM), Insider Threat monitoring, Anti-Fraud discipline, Internal Audits, Management Reviews, etc. It is here that Risk Level Agreements™ begin to be established between leadership and the board, formally documenting their Due Diligence and Due Care to help counter claims of negligence or "willful ignorance". Often a formal "GRC" function is established and resourced with qualified staff.  It is in this phase of maturity where the organization finally demonstrates a culture of taking security and privacy seriously.  In today’s environment of continuous digital conflict, Stakeholders (shareholders, customers, employees, partners, insurers, even regulators, etc.) are demanding your business be at least at this level of maturity. Which is why independent, objective Compliance Audits have become a requirement to participate in most markets, for organizations of any size.  Trust Through Transparency is not a platitude, but an imperative. 

Finally, in the “Optimization” phase, the program is sufficiently established to permit the organization to begin collecting practical metrics (KPI, KRI, etc.) to assess the Effectiveness of their existing controls. Policies are adapted to address routine violations and new Threat conditions (e.g., emergence of Generative AI services). Procedures are adapted for both greater Effectiveness and Efficiencies. Organizations of this maturity will also use Cost-Benefit Analyses to inform decisions on which additional Risk Mitigation investments in technology make the most sense given the Quantitative estimate of relevant Risk Scenarios. The company-wide awareness of the need to balance Opportunity with Risk (be Responsive, but Responsibly) is pervasive, informing and accelerating decision making at all levels.

Where is your business on this maturity journey?

Copyright © 2023 Phenomenati – All Rights Reserved.