Why Your Organization's Security Maturity Matters – And What to Do About It
Forrester’s practical and actionable Informational Security Maturity Model - and Digital Guardian - can help organizations gauge their information security program.
Every organization faces risk. It’s how prepared each organization is to mitigate that risk that makes a difference.
Over the years, there’s been a lot of discussion around security maturity models and how - if aligned with your information security program and your overall business strategy - they can benefit organizations. Assuming processes are followed and periodic reviews are carried out, companies who assess their security program under a model will be better prepared to adjust to an internal business shift or an external event, like a global pandemic and a WFH mandate.
There’s no shortage of these models; some have been used to calculate the formality and optimization of software engineering processes dating back to 1986.
These assessments generally focus on several concepts, things like people, process, policy, technology, procedures, implementation, test, and integration.
While these models can keep an organization honest and allow them to operate sustainably, having a mature information security program in place is ultimately about demonstrating competencies and ensuring your organization has the steps and solutions in place to keep running soundly, no matter what happens.
Using a maturity model to quantify an organization's information security program can also optimize the efforts you’ve made so far and serve as an investment in your brand’s future. The complexity and subjectivity of some models has often relegated them to interesting, but mainly academic, discussions.
Forrester Research, Inc. recently updated its Information Security Maturity Model which is based on a rigorous review of the latest ISO, ITIL, NIST and SANS security standards. A big advantage of the Forrester model is that it is straightforward - condensing security maturation to 20 essential activities that are organized around four competencies: oversight, technology, process, and people – providing a more pragmatic and actionable blueprint than many other models.
Let’s recap each of the competencies:
According to Gauge Your Information Security Maturity, Forrester Research, Inc., November 20, 2020, being able to demonstrate oversight in an information security program largely correlates to the agility to respond to the needs of the business while responding to current conditions? This competency is rooted in setting and achieving objectives that support business goals and mitigating risk, largely through policies and controls. Satisfying this competency also requires having an effective response to risk management, audits, and governance of third parties.
This competency relies heavily on an organization's ability to protect data across the enterprise. Organizations need to be able to maintain the confidentiality, integrity, and availability of corporate data wherever it resides – including in the cloud on servers, systems, applications, and endpoint devices. Organizations need to be able to "protect proprietary or confidential content from being mishandled," regardless of where its located or hosted, as well. Merely having the required technology in place isn't enough; these tools need both process and people to oversee them and ensure they're being run reliably and securely.
Speaking of process, this competency outlines the steps needed to carry out day to day activities designed to mitigate risk. Having a team dedicated to threat detection and remediation, one that's constantly assessing and analyzing threats and looking into potential security events that could introduce risk is critical here. Having processes in place to identify, classify, and handle assets, as well as the ability to assess that third parties, like vendors, suppliers, service partners, and cloud providers, are secure, also meet this competency. Again, companies that just meet the requirements here aren't fully realizing their potential. According to Forrester, organizations should "increase quality through optimization" of these programs and have plans in place to ensure business isn’t disrupted in the face of disaster.
Demonstrating the last competency, people, shows you’ve got the glue to hold the other competencies together. The most important teams are nothing without the people behind them and an Information security team is no different. Being able to set defined roles and communicate not just internally with the team but across the organization is key here. Getting employees to understand and follow security and risk management objectives is also necessary here.
You wouldn’t blindly trust a child to repair a leaky pipe in your basement. Nor would you trust your neighbor to do your taxes. Like any skill, developing a robust security program doesn’t happen overnight. Being able to exhibit proficiency takes time; it requires a strategy that's thorough, reliable, one that can be streamlined over time. Being able to demonstrate maturity matters, both for your organization and your customers.
Digital Guardian can play a role in both documenting where you are today in the security maturity model, but also in advancing your organization to more advanced levels. Digital Guardian delivers value towards each of the four key competencies.
Forrester’s three activities in the Oversight competency can be boiled down to consistently setting objectives based on current conditions, resources and business needs and then developing practical policies and controls to achieve those objectives. While most security teams are very good at assessing current conditions and their resources, many fall short in understanding and communicating their connection to business needs. This is where Digital Guardian’s unique approach has been proven to pay big dividends.
The minute you deploy our software on endpoints you start to discover where sensitive data is located, how it flows, and where it is put at risk throughout the enterprise – even before you have created any policies. The insights you gain from this visibility make it so much easier to engage the business leaders and work with them to find the right balance between security needs and business needs. In the words of John Graham, the previously CISO of Jabil Inc., “the insights from this approach make it much easier to engage the business sponsors; you can give them concrete examples that they can understand and relate to instead of abstract policies.”
In short, with this approach your Oversight competency objectives, policies and controls are evidence-based and perhaps most importantly they are developed and optimized in conjunction with the business leaders.
Forrester’s six activities under the Technology competency are all related to ensuring the confidentiality, integrity, and availability (CIA) of IT infrastructure, applications and corporate data. One of the key lessons for CISOs from the major breaches in the last few years is a realization that they should emphasize protecting data as opposed to focusing on protecting the infrastructure. With that in mind, Forrester’s #5 activity – capabilities to maintain CIA of corporate data regardless of location or hosting model bumps up to the top of the list under Technology.
DG was founded by a group of bio-tech professionals whose firm nearly lost their intellectual property. This IP was the lifeblood of the company so they understood that CIA is all about the data you have to protect. Our solution is so powerful because it was born without bias towards the audit community, but with a bias to understand, control and protect data. Our products, services and team of experts are relentlessly focused on maintaining the confidentiality, integrity and availability of corporate data.
Supporting, informing, and enforcing your business and its underlying processes is what Digital Guardian can do for you. DG can help you create and deploy data classification and data loss prevention processes to develop and optimize DLP as a program. Our most successful customers are those that incorporate DG DLP as an overall business process, not just a technology.
There are several ways that Digital Guardian can advance your People competency; the easiest way is through our Managed Security Program (MSP). We take on the responsibility as your data protection team. Our security experts are your people; we take your data protection challenge seriously. If you are managing your DG environment, the customized prompts that are shown when a policy is violated communicates and reinforces best practices for security enterprise-wide and automatically.
In summary, the Forrester Information Security Maturity Model provides a straightforward and practical blueprint to assist you in advancing your organization security maturity. And Digital Guardian can play a key role along your journey.