Cybersecurity maturity model lays out four readiness levels

When it comes to cybersecurity, how do you know if your organization is doing a good job?

That question is harder to answer than you'd think. I've spent years asking CISOs what they consider success in cybersecurity, and the most common answer is: "My organization isn't on the front page of The Wall Street Journal for a cybersecurity breach."

No disrespect to the Journal, but that's a terrible success metric. So what's a better one?

Nemertes Research has developed a four-level cybersecurity maturity model that has been validated using extensive research gathered from more than 1,000 organizations in the U.S. and abroad. The result is a model that ranks companies' readiness to respond to potential breaches as unprepared, reactive, proactive or anticipatory.

The key to the model is that it's based on operational metrics; specifically, the time required to do the following:

• detect that something potentially dangerous has occurred;
• understand whether this occurrence represents a breach; and, if so
• contain the breach.

For those familiar with the U.S. NIST cybersecurity framework, this set of metrics represents a slightly simplified version of the NIST approach. Note: Nemertes has worked with NIST to develop various operational documents.

At Nemertes, we applied those metrics to our cybersecurity maturity model to validate it. Then the question was, do higher levels of maturity actually correspond to better operational security? The answer is yes.

The maturity model assesses an organization's cybersecurity initiative across several dimensions, including answers to questions in the following areas:

• Organization. Is there a CISO? To whom does that person report? How large is the security team? What areas of expertise do they focus on?
• Policy and processes. Are architectures, roadmaps and policies defined for the critical elements of the organization? Is there an incident response policy? What does it contain? How often is it tested? Does the organization conduct cybersecurity awareness training? How often? What does the training cover?
• Technology. What technologies are currently in place or on the organization's roadmap? Are they appropriate for the organization's size, vertical industry and business goals?

Based on the answers to these questions, the model places an organization on one of four levels in terms of cybersecurity maturity.

Companies at a lower level of cybersecurity maturity would do well to make improvements to their organizations, processes and technologies to move to the next level.

Level 0: Unprepared. This organization lacks the people, processes and technology to deal with cybersecurity threats. Examples include organizations that don't have a CISO or anyone whose responsibility is to oversee cybersecurity; organizations that have failed to implement basic technologies, such as antimalware or basic firewalling; and companies that fail to conduct regular cybersecurity awareness training.

Level 1: Reactive. This organization has the people, processes and technology in place to handle attacks after they've occurred, but it can't protect the organization effectively against future threats. This includes companies that have done the basics, such as having an individual responsible for cybersecurity, implementing antispam, antimalware and firewalling; having incident response policies; conducting awareness training; and so on.

Level 2: Proactive. This organization has the people, processes and technology in place to protect against foreseeable threats from known sources. These organizations have gone beyond the basics and are deploying cutting-edge tools and techniques, such as moving to a zero-trust approach to security.

Level 3: Anticipatory. This organization has the people, processes and technology to protect against threats that could emerge based on changes in the business and technology environment. Companies that are currently investigating, for example, the potential impact of quantum cryptography on blockchain are thinking in anticipatory mode.

So what's the real-world impact of reaching higher levels of cybersecurity maturity?

Companies at the anticipatory layer can detect, understand and contain threats in fewer than eight minutes. Companies at the proactive level can do the same in 109 minutes, or just under two hours. And companies that are at level 0 or 1 take far longer -- often days to weeks.

The implication is clear: Companies at a lower level of cybersecurity maturity would do well to make improvements to their organizations, processes and technologies to move to the next level.

Specifically, if your company doesn't have an individual responsible for cybersecurity, appoint one. Make sure this person has business-level visibility, which means he or she isn't just one of the CIO's many direct reports. Make sure you have effective incident response plans and security awareness training, and refresh them often -- quarterly is best. In terms of cybersecurity plans, have security architectures and roadmaps for all your key initiatives, such as cloud, IoT and mobility.