When you search for the term “cybersecurity” online, you get approximately 17 billion images of padlocks and shields – but what is this trying to communicate? So often, when we think about how to secure our companies, we jump to the technical solutions by buying products, or running a penetration test. While these are important pieces of the puzzle, it’s also important to think about our business values and what we’re trying to achieve. Before jumping straight to a solution, we need to understand the problem we are trying to solve. This is why maturing cyber governance and risk management capabilities is so important.
No organization has unlimited time and resources available to solve problems, especially when they aren’t directly tied to company profits. Unless a company is in the cybersecurity business, cybersecurity is not typically seen as a key business priority – which it shouldn’t be! BUT cybersecurity should be considered and managed per the risk it seeks to mitigate for the organization. This is done through implementing processes and capabilities to enable effective decision making, ensuring those limited resources are utilized efficiently and that they are having the desired outcomes. So, how do we do that? We define our priorities and create governance processes to support them.
Evaluating companies based on their business goals helps us to understand what should be driving our decision-making processes. Ultimately, we want to ensure that every action a company takes is supporting its key business goals and is being achieved consistently to provide confidence to the stakeholders involved. This can be done using many different methodologies at various levels of maturity. So, how do we know where to start?
Mature organizations with strong governance programs likely have policies and processes in place defining how a stakeholder group (e.g., board of directors, the C-Suite) makes decisions for the organization. Typically, these organizations will define the resulting expectations for employees when it comes time to execute these decisions to ensure they can be reliably implemented. However, even in very small organizations, there are usually informal systems of governance in place. While these processes may not be documented, employees are generally aware of where the decisions are coming from. Whether guidance is being provided from a supervisor or direction is formally documented in a policy, there are always decisions being made. The question then becomes whether the decisions are best for the organization.
As companies grow, they typically mature governance capabilities to gain confidence that the best decisions are being made based on the information and resources available. ISACA’s CMMI Cybermaturity Platform (CCP) is expanding its governance guidance to include capabilities across all five levels of maturity defined within CCP’s Model, transitioning from only being available at the highest levels of cybermaturity. This update is designed to help small and mid-sized companies gain a better understanding of how to improve their governance capabilities by leveraging informal processes they may already have in place. By expanding the definition of these capabilities into lower maturity levels, a broader set of organizations will be able to leverage these capabilities to identify where they are today, even if informal, and see a path toward greater cybermaturity without being overwhelmed by the formality.
More information regarding CCP is available at http://h04.v6pu.com/enterprise/cmmi-cybermaturity-platform.