Why Maturity Matters

Too often we hear organisations admit that they are not ready to conduct a maturity assessment, as they concede that they are ‘immature’. But this simple conclusion, based on some basic admissions, hides a number of dynamic issues under the surface.
It may have taken time for firms to achieve a level of confidence with information security audits, and if that has set the bar at a comfortable level to achieve, then there can often be resistance to raising it higher, as a maturity assessment inevitably would. However, one key aspect that characterizes immature firms is an overriding focus on compliance activities, and a security organization that emphasizes adherence to policy.
But this reveals some simplistic or mistaken attitudes towards maturity assessments: that they are an ‘audit-type’ process that tells you what your level is. A cursory examination of the issues that are included in an assessment can already prompt organizations to point out the gaps and known weaknesses, so some firms will ask ‘what is the point’ of pushing this further? Firms that are still working on building better preventative security look at issues related to establishing incident response as something they are planning for in the future. So if resilience requires the ability to detect and respond to threats, then why bother assessing resilience when it is clearly lacking? Then again, how can firms operate with any confidence if they know that they have little ability to detect and respond to targeted cyber attack?
One simple riposte to this is that immature firms are more likely to be spending tactically on prevention rather than displaying a more strategic approach and developing detection and response capabilities, because they believe that this is their immediate priority. In other words it has not been proven otherwise, and they do not have compelling reasons to reassess what they are investing in, in what order they have prioritized those investments, and how they will improve resilience [as opposed to scoring better on their next audit].
To firms that are trying to be resilient, measuring maturity matters if they have an appetite or aspiration to achieve a higher level and they want to track progress. This in itself is a sign of maturity if it is supported by appropriate governance. But it is counter-productive if the organization resigns itself to being where it is, and sets a target retroactively at the level it has already achieved, which borders on reckless self-governance. Until it becomes the victim of a breach it will lack the compelling driver to set a higher standard for itself, and these types of organization are quickly discernible through a rudimentary evaluation of senior management attitudes and planned investment rationale.
This points to the fact that too many firms are not trying hard enough to improve, and are not doing the right things in the right order to generate genuine improvements. Often this is based on an outdated concept of security and resilience that is still rooted in end-point security concerns, perpetually redefining security policy, and some concepts of securing the network and access to it which is increasingly futile as an end in itself. Too often it reinforces the illusion of security, and fuels over-confidence and board-level complacency in security.
The maturity assessment introduces the more rounded character of resilience and what is required to build and maintain it. For some firms this is the first step in learning what lies beyond their conceptual boundaries of focusing almost exclusively on back-up infrastructure, back-up procedures and functionality.
For others it demonstrates the limits of their current approach and doctrine towards information security by highlighting where their emphasis is outdated or misguided within the context of the current landscape, particularly where the main attention is turned to external threats, for example.
More mature firms will tend to use more sophisticated security solutions, and these will sit within a more integrated strategy. Couple this with a reluctance to outsource functions over which they should retain control and accountability, and you can already see that maturity requires capability and resources, which in turn require a ‘connect’ with the business goals and functions, and board-level appreciation of the need for investment towards resilience. One of the major challenges in the commercial world is creating that ‘connect’ in various different ways.
Maturity on a sector-wide level is most evident in the banking industry, which has been the target of the most rapidly evolving threat landscape; and it is the aggressive and fluid nature of that landscape that has forced banks to evolve strategy, doctrine, and approach rapidly towards a resilient posture. But being resilient does not necessarily mean that a firm is mature, and vice versa. Small-to-medium banks are not mature, and all banks are vulnerable to advanced attackers, though a firm is significantly more likely to be resilient if it has greater maturity, evident in its security operation and organisation.
Maturity is a relative concept. Firms can be more mature than they were, and many organisations are keen to exhibit greater levels of maturity than the average for the industry, or within their peer group. There are more large companies that need to demonstrate relative maturity, and progress towards it, in order to satisfy shareholder and stakeholder expectations, particularly when it comes to major business partners. This is one clear example where more tangible assurances can be provided to supply chain partners that are dependent on others’ security.
To those that are not really familiar with maturity assessments:
  1. Existing audit practices are not the same as a maturity assessment ‘dressed up’ for different purposes, particularly if the assessment incorporates technical assessments of incident response capabilities.
  2. Established audit processes are not sufficiently nuanced to derive maturity ‘judgments’, particularly where the measurement of effective performance is valued over recognition of static capability.
  3. Maturity assessments generate a more comprehensive and holistic set of recommendations on how to develop a higher level of readiness and resilience, while audit outputs are not designed to inform organisations of how to improve.
  4. To find out more about our maturity assessment services, download our flyer from http://www.optimalrisk.com/Information-Risk-Security-Consulting/Cyber-Readiness-Services
Posted: 23 July 2015 by Optimal Risk Admin | with 0 comments
Filed under: assessments, cyber, maturity, readiness, resilience