Image from Shutterstock.com

Most CISOs think they have a handle on how secure their organization is, pointing with pride to the latest (fill in the blank) system that’s just been installed.

But another way to measure what’s going on is to look at the organization’s security maturity — or, as author Brian Krebs put it in a post Monday, does it make cybersecurity a part of the culture or just pay lip service to it?

There are several models IT security pros can chose from: Krebs cites one crafted by the Enterprise Strategy Group, which breaks organizations down into basic, progressing and advanced. An advanced organization, for example, has a CISO who reports to the CEO, and focuses on incident detection, prevention and response.

An executive at a security vendor suggests a three-tier model which measures maturity in terms of preparedness and expectations. A reactive organization, for example, lacks executive support for IT security, and its IT operations are underfunded, understaffed and lack metrics for reporting. Business units are then ranked 1 to 5  across six categories (for example, security awareness and training.)

There are other models, some based on controls set out in the ISO 27001 family of information security management standards.

As Krebs notes, measuring security maturity can also provide a roadmap for organizations that wish to change their security culture. “Perhaps unsurprisingly, entities that are able to manage that transition typically have a leadership that is invested in and interested in making security a core priority,” he writes. “The real trick is engineering ways to influence the leadership, with or without the fleeting momentum offered by a breach.”

Read the full post here.

Previous articleThe word on passwords: Why eight isn’t enough
Next articleSix hard truths IT pros have to face
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

LEAVE A REPLY

Please enter your comment!
Please enter your name here