Security Maturity – What Really Counts?

Town Hall Insights
Boston CISO Community

Adam Glick, VP, CISO, Rocket (Moderator)
Bob Krzysik, CTO, US Public Sector, Varonis Systems (Panelist)
Steven Keller, AVP, CISO, MAPFRE Insurance (Panelist)

OCTOBER 2020

This year has tested organizations and their cybersecurity teams with a number of challenges, including unprecedented remote work, evolving security needs and an expanded attack surface. To keep systems secure, CISOs must adapt to the changing landscape with the end goal of keeping the enterprise safe.

The Boston CISO community joined an interactive discussion on “Security Maturity – What Really Counts?” After boiling down this topic over an hour of intense conversation, the CISO group has come to realize that beyond the tangible elements, flexibility and communication are at the core of a successful security program.

The CISO role has become increasingly connected, which steers the discussion toward the people side of security. Although accurate reporting tools such as dashboards are necessary to understand where a company stands, it is just as important to recognize the external and internal factors for a well-rounded understanding of security maturity. Cybersecurity policies and programs are only as strong as their weakest link, making education and employee compliance integral to optimal security.

Moderating this panel was Adam Glick, VP and CISO at Rocket. Glick was joined by Bob Krzysik, CTO of the US Public Sector at Varonis Systems and Steven Keller, AVP and CISO at MAPFRE, as well as several members of the Boston community who shared perspectives on effective tools to measure program security.

Security Maturity — Defining, Measuring and Communicating

Finding a customized way to define and measure security maturity starts with a solid plan. Creating a roadmap may sound like a simple task, but the Boston CISOs explained that it is no easy feat. No one security landscape is the same, so obtaining a baseline picture is necessary before moving on to delivery. First, a CISO must understand the security environment and how it functions. The Boston panel identified necessary questions to ask for an all-encompassing view, including how to identify valuables and stakeholders.

The CISO role is frequently evolving in response to business needs, changing threats and unexpected obstacles. Because of this fluid position, many CISOs would agree that flexibility is key to success.

Beyond defining landscape parameters, another important responsibility is assessing the strengths and weaknesses of security systems both outside and within an organization. Risk cannot be assessed in a vacuum, which emphasizes the importance of looking beyond the internal security team and establishing a pulse on security system effectiveness company-wide.

When discussing risk measurement, communication comes to the forefront. Is information from the security team somehow failing to reach other parts of the organization? To create a culture of security, support from the executive team is fundamental. One community member mentioned the importance of starting slow and building from the bottom to collect information from all angles. When educating the workforce, each individual’s understanding of the program reveals gaps, giving direction for future awareness and training. Although it is not necessary for everyone to grasp all functions behind a new security application, employees must understand the importance of security and how they can help plans succeed.

Leveraging Tools and Partners to Increase Security Maturity

In order to ensure the security program is in line with company objectives, CISOs use tools to illustrate overlap and gaps in coverage and the value to partners across the organization.

Compliance is certainly important, but it doesn’t guarantee security. Business needs must be the guiding force for any model, taking into account corporate objectives. At times, this can call for initiatives that are “beyond compliance” due to the specific needs of the organization. Often these needs are identified in executive meetings and through speaking with employees across the organization. Working closely with these business partners to provide them an understanding of why security is a priority, and implementing measures accordingly is critical to gaining buy-in.

Security is a balancing act: landing too far on one side could leave the company wide open to risk, but there are downsides to the pendulum swinging too far the other way. If the organization is too locked down, business operations can be impeded, and it is possible to suffocate a business altogether.

All organizations must make the best decision they can with the information they have – sometimes allowing for risks by making calculated decisions. Many CISOs indicate that the role is migrating from ultimate decision-making power towards risk consultancy. In some cases, if a decision is deemed too risky, it’s necessary to move it to the committee level and gain buy-in from partners across the executive team. This ensures continuity on all fronts, and the business is moving forward together.
