Often our work with Senior Management in Corporate Services, Human Resources and IT extends to developing a security plan that is mapped to a Security Maturity Model. The best way to make progress against a maturity model is to consider adopting the Security Improvement Cycle within your organisation (see graphic below).
Why should you be interested in a maturity model and an improvement cycle?
The Security Maturity Model will be of interest if you are determined to make cybersecurity a part of your organisational culture rather than just pay it lip service and do the bare minimum. Some readers will have invested in our IT Policy System as a means to provide consistent guidelines for computer users, managers and technical staff. The same IT Policy System provides clear, concise direction on the protection of vital corporate information and the associated systems. The investment in the Policy System signals an intent and desire to get the foundations right for good governance and improved IT Security; however, in isolation the policies have limited impact. Using a construction analogy – the improvement cycle builds on the policy foundations, allowing the walls to be built, a roof placed atop and joinery to be installed. Weak foundations will most likely result in an expensive disaster.
Stepping through the Security Improvement Cycle
Promoting security awareness is key to ensuring that the message is getting through to the user population. You only have to look at the number of ransomware incidents that occurred in 2015 to realise that users provide the easiest conduit for creating havoc within your organisation. How can you consider holding a user accountable for a security incident if you have not provided them with guidance and an education programme on how to use your IT systems and data?
Clarity develops around the process and procedural requirements that come out of an IT Policy deployment. This area becomes easier as the organisation gains a heightened awareness and understanding of the need for cybersecurity and good governance.
Technical controls are very necessary to ensure business is not impacted by cybersecurity threats; however, they are too commonly applied reactively to solve a short-term issue. This ultimately represents a poor investment and does little to reduce the organisation’s overall cybersecurity risk profile. The Security Improvement Cycle will help improve decision making around technical controls – less reactive and more strategic.
Is the cycle improving security? – Auditing and Monitoring for Compliance checks that the elements of the improvement cycle are effective, provides a “baseline” for the current security posture and highlights where focus should be applied to make further continuous improvements.
Steve Macmillan is available to assist you in getting a Security Improvement Cycle underway and moving your organisation along the path to Security Maturity. He can be contacted for a discussion:
Mob: 07769 338003