Security Experts:

Secureworks Launches New Security Maturity Model

Secureworks has launched the Secureworks Security Maturity Model. It is released, announces Secureworks, in response to "research which shows that more than one-third of US organizations (37%) face security risks that exceed their overall security maturity. Within that group, 10% face a significant deficiency when it comes to protecting themselves from the threats in their environment."

Secureworks is offering a complementary evaluation (an online process supported by a security expert) to help organizations benchmark their own security maturity. The model incorporates elements of well-known frameworks like National Institute of Standards and Technology (NIST) and ISO 27001/02 with insight from Secureworks' global threat intelligence. It comprises four levels: guarded, informed, integrated and resilient.

Further information, and a route map for attaining security maturity, can be found in a white paper titled '5 Critical Steps to a More Mature Security Posture' (PDF). This paper suffers from one major drawback: security leaders who have achieved the title or function of CISO in a major organization will already know and understand everything contained in the paper. 

It does, however, lay out the necessary steps for achieving greater maturity that would be useful for security officers that are either new to their function, or are employed by small organizations.

But there remains what is possibly a fundamental flaw. The very first step for the CISO is to "Agree on business needs, objectives and tolerance". The paper provides no solution on how that agreement can be reached; but agreement is the very basis of aligning security efforts with business priorities -- and is possibly the biggest difficulty faced by CISOs.

The problem is that defining risk is a business problem. Setting risk tolerance levels is ultimately a CEO function. The CISO function is to mitigate risk up to the tolerance level. The CISO's difficulty is getting accurate and timely information from the business -- with adequate budget -- in order to mitigate the risk. How to achieve this is possibly the biggest weakness for any maturity model, and is not resolved in the Secureworks white paper. 

The paper gives an example: "The CIO determines that the business need is to 'introduce controls to reduce the risk of lost or stolen PII which subsequently reduces the chance of a data breach occurring and hence breaching government regulation.' This is more than just saying ëstop the organization being hackedí as it provides the need, the requirement and the consequences of not acting."

But the instruction comes downward. If the CIO doesn't give that instruction, the CISO isn't aware of the requirement -- unless he or she proactively ensures that he or she is independently aware of the need by fully understanding the business beforehand. This is one of security's biggest problems -- how to fully engage with business leadership so that the business side understands what security can and is doing, and that security understands what business needs (which can still be overridden at Board-level when setting risk tolerance levels).

A real-life example could potentially be seen in any large hypothetical tech giant that collects and keeps personal European data. There have been European laws requiring safe storage of personal data for decades. The regulatory sanctions on breach of those laws -- before GDPR -- were minor. A CISO could assume, this is the law, I must comply. The business leaders could override this and covertly say we can accept the risk and ultimately pay any fines out of petty cash. It is not for a CISO to make such decisions on risk tolerance; but the CISO must necessarily understand the business thinking.

There is no easy solution to this without the CISO getting the CEO on board, and the CEO giving the CISO authority to demand that business leaders engage fully with the security team. The extent of the problem was highlighted in a recent survey by Varonis. Nearly all security teams (96%) believe that their security planning is aligned with business risk, but far fewer (73%) of business leaders agree. Similarly, while 94% of the security teams believe that business acts on what they say, only 76% of the business leaders agreed.

There is no doubt that some organizations have solved this problem by having a business-enlightened CISO and a security-enlightened CEO. In such circumstances, the organization will probably already have achieved a high security maturity score. Going through the Secureworks security maturity model process will still be a useful process. The graphs and details will provide verification of existing practices and may highlight anything still missing.

Where the relationship between business and security does not yet exist, it will need to be solved before the model becomes useful.

It should be said however, that the process towards more mature security as outlined by Secureworks provides a valuable checklist of security processes. The irony is that the same paper warns, "Emerging, high profile issues like ransomware often trigger a reactive posture where the emphasis is on reviewing a checklist of specific 'known' threats and risks. In fact, being resilient to a breach is dependent on an integrated set of solutions and controls, instrumented for visibility across the whole environment, and made effective by people who follow the right policy, process and procedures to manage them." Conforming to checklists does not provide security.

Secureworks was founded in 1998 by Michael Pearson and Joan Wilbanks. It was acquired by Dell and became Dell Secureworks in 2011. It left Dell and became a public company (majority owned by Dell) in 2016.

Related: Cyber Risk = Business Risk. Time for the Business-Aligned CISO 

Related: Risky Business: Understand Your Assets and Align Security With the Business 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.