Connect with us

Hi, what are you looking for?


Incident Response

Secureworks Launches New Security Maturity Model

Secureworks has launched the Secureworks Security Maturity Model. It is released, announces Secureworks, in response to “research which shows that more than one-third of US organizations (37%) face security risks that exceed their overall security maturity. Within that group, 10% face a significant deficiency when it comes to protecting themselves from the threats in their environment.”

Secureworks has launched the Secureworks Security Maturity Model. It is released, announces Secureworks, in response to “research which shows that more than one-third of US organizations (37%) face security risks that exceed their overall security maturity. Within that group, 10% face a significant deficiency when it comes to protecting themselves from the threats in their environment.”

Secureworks is offering a complementary evaluation (an online process supported by a security expert) to help organizations benchmark their own security maturity. The model incorporates elements of well-known frameworks like National Institute of Standards and Technology (NIST) and ISO 27001/02 with insight from Secureworks’ global threat intelligence. It comprises four levels: guarded, informed, integrated and resilient.

Further information, and a route map for attaining security maturity, can be found in a white paper titled ‘5 Critical Steps to a More Mature Security Posture’ (PDF). This paper suffers from one major drawback: security leaders who have achieved the title or function of CISO in a major organization will already know and understand everything contained in the paper. 

It does, however, lay out the necessary steps for achieving greater maturity that would be useful for security officers that are either new to their function, or are employed by small organizations.

But there remains what is possibly a fundamental flaw. The very first step for the CISO is to “Agree on business needs, objectives and tolerance”. The paper provides no solution on how that agreement can be reached; but agreement is the very basis of aligning security efforts with business priorities — and is possibly the biggest difficulty faced by CISOs.

The problem is that defining risk is a business problem. Setting risk tolerance levels is ultimately a CEO function. The CISO function is to mitigate risk up to the tolerance level. The CISO’s difficulty is getting accurate and timely information from the business — with adequate budget — in order to mitigate the risk. How to achieve this is possibly the biggest weakness for any maturity model, and is not resolved in the Secureworks white paper. 

The paper gives an example: “The CIO determines that the business need is to ‘introduce controls to reduce the risk of lost or stolen PII which subsequently reduces the chance of a data breach occurring and hence breaching government regulation.’ This is more than just saying ëstop the organization being hackedí as it provides the need, the requirement and the consequences of not acting.”

But the instruction comes downward. If the CIO doesn’t give that instruction, the CISO isn’t aware of the requirement — unless he or she proactively ensures that he or she is independently aware of the need by fully understanding the business beforehand. This is one of security’s biggest problems — how to fully engage with business leadership so that the business side understands what security can and is doing, and that security understands what business needs (which can still be overridden at Board-level when setting risk tolerance levels).

Advertisement. Scroll to continue reading.

A real-life example could potentially be seen in any large hypothetical tech giant that collects and keeps personal European data. There have been European laws requiring safe storage of personal data for decades. The regulatory sanctions on breach of those laws — before GDPR — were minor. A CISO could assume, this is the law, I must comply. The business leaders could override this and covertly say we can accept the risk and ultimately pay any fines out of petty cash. It is not for a CISO to make such decisions on risk tolerance; but the CISO must necessarily understand the business thinking.

There is no easy solution to this without the CISO getting the CEO on board, and the CEO giving the CISO authority to demand that business leaders engage fully with the security team. The extent of the problem was highlighted in a recent survey by Varonis. Nearly all security teams (96%) believe that their security planning is aligned with business risk, but far fewer (73%) of business leaders agree. Similarly, while 94% of the security teams believe that business acts on what they say, only 76% of the business leaders agreed.

There is no doubt that some organizations have solved this problem by having a business-enlightened CISO and a security-enlightened CEO. In such circumstances, the organization will probably already have achieved a high security maturity score. Going through the Secureworks security maturity model process will still be a useful process. The graphs and details will provide verification of existing practices and may highlight anything still missing.

Where the relationship between business and security does not yet exist, it will need to be solved before the model becomes useful.

It should be said however, that the process towards more mature security as outlined by Secureworks provides a valuable checklist of security processes. The irony is that the same paper warns, “Emerging, high profile issues like ransomware often trigger a reactive posture where the emphasis is on reviewing a checklist of specific ‘known’ threats and risks. In fact, being resilient to a breach is dependent on an integrated set of solutions and controls, instrumented for visibility across the whole environment, and made effective by people who follow the right policy, process and procedures to manage them.” Conforming to checklists does not provide security.

Secureworks was founded in 1998 by Michael Pearson and Joan Wilbanks. It was acquired by Dell and became Dell Secureworks in 2011. It left Dell and became a public company (majority owned by Dell) in 2016.

Related: Cyber Risk = Business Risk. Time for the Business-Aligned CISO 

Related: Risky Business: Understand Your Assets and Align Security With the Business 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.