Painting a picture for your organization

The cyber environment is filled with threats. It’s virtually impossible to avoid “INFRASTRUCTURE FACES IMMINENT CYBER ATTACK,” or something very similar, every time you encounter online or television news. Nobody argues that there’s no threat. At the same time, few people, much less experts, agree on how to solve the threat.

Let’s go a step beyond acknowledging that our infrastructure is in danger. How do we quantify the threat and our preparation to respond? How do you, our nation’s cybersecurity professionals, assess the readiness and agility of an organization, and more importantly, how do you describe the threat and defense landscape to people outside the profession?

While not advocating any particular tool, the maturity-model assessment family in general is geared to a cybersecurity program assessment as opposed to a risk or a threat assessment. Most models present a common set of industry-vetted best practices in cybersecurity. These may go even further, matching your status to industry maturity levels. Scores are based on the organization’s risk tolerance for multiple domains. These can include cybersecurity approach, management objectives, and operational and technical practices. After a facilitated assessment or self-assessment tool is completed, a score is assigned. Scores are then compared within, and possibly between, industry sectors to categorize your organization in relation to your peers.

Why go through all this work? Maturity models can help you paint a clear and compelling picture of the gap between threat and preparation — not only for infrastructure defenders, but for your management when it’s time to request resources.

Return on investment

Why wouldn’t you use a tool like this? After all, you’ve already paid for it!
That’s right; one of the most functional and popular tools within the Natural Gas Subsector is the Department of Energy’s Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2). The ONG-C2M2 includes the generic C2M2 assessment and adds reference material and implementation guidance specifically tailored for the oil and natural gas subsector. The ONG-C2M2 comprises the aforementioned maturity model, an evaluation tool, and DOE-facilitated self-evaluations.

Generic Cybersecurity Maturity Model

As I prepare this blog I’m sitting in a live, two-day, facilitated ONG-C2M2 session to observe an experienced facilitator, industry partners, and the evaluation process. Active facilitation simplifies everything: the facilitator’s clarification and guidance increase the accuracy of the answers and provide interpretation of the final results. The C2M2 models are publicly available and, while designed for the energy sector, can still be used as a foundation by any organization to enhance its cybersecurity capabilities.

Electric Subsector Model

While not mandatory, compliance with and measured maturity within a government-authored assessment tool can go a long way toward assuring stakeholders of your commitment to cybersecurity. It might offset potential liability as well.

Real-world experiences

Your feedback is not only appreciated by me but will certainly be well regarded by your sector and sub-sector partners. You are encouraged to comment on this blog!

What impresses me may not impress you. Cyber defender peers, have you encountered any of these tools? Have you found them useful? Cumbersome? What alternatives have worked for you? What, if any, positive or negative effects have the results had within your organization? How does the C-suite regard the results of the tool? Did the evaluation result in a clear, usable picture of your threat and defense landscape? Did it help your department get more resources?

Nobody stands alone in defending our critical cyber infrastructure.
Everybody depends on somebody for resources. Maturity models/evaluation tools such as the ONG-C2M2 can turn cyber-speak into a story that compels your leadership to action.
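The scoring process described above (practices grouped by domain, a maturity level assigned per domain once the facilitated or self-assessment is answered, and the result used to show leadership the gap between where you are and where you decided you should be) can be made concrete in a small scorer. The following Python is an added example, not code from the original post and not the DOE’s ONG-C2M2 evaluation tool; the domain names, practice identifiers and text, four-step response scale, target profile and answers are all constructed for illustration. It applies the cumulative rule common to C2M2-style models: a domain reaches level N only when every practice at levels 1 through N is at least largely implemented.

```python
"""Generic cumulative maturity scorer with gap-to-target reporting.

Added example; not part of the original post and not the DOE's C2M2 tool.
Assumptions (all constructed for illustration):
  - each practice belongs to a domain and sits at a maturity level 1..3
  - a four-step response scale: FI (fully), LI (largely), PI (partially),
    NI (not implemented); FI and LI count as "achieved"
  - a domain reaches level N only when every practice at levels 1..N is
    achieved (the cumulative rule used by C2M2-style models)
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

FI, LI, PI, NI = "FI", "LI", "PI", "NI"
ACHIEVED = {FI, LI}
MAX_LEVEL = 3


@dataclass(frozen=True)
class Practice:
    pid: str      # practice identifier (constructed, not C2M2 numbering)
    domain: str
    level: int    # maturity level at which the practice is expected
    text: str


@dataclass
class DomainResult:
    domain: str
    achieved: int          # highest level fully satisfied
    target: int            # level the organization chose from its risk tolerance
    blocking: List[str]    # practices at or below target that are not achieved

    @property
    def gap(self) -> int:
        return max(self.target - self.achieved, 0)


# Constructed practice catalog: three domains, a few practices each.
CATALOG = [
    Practice("RM-1a", "Risk Management", 1, "Cyber risks are identified"),
    Practice("RM-1b", "Risk Management", 1, "Identified risks are mitigated or accepted"),
    Practice("RM-2a", "Risk Management", 2, "A documented risk strategy exists"),
    Practice("RM-3a", "Risk Management", 3, "The strategy is reviewed on a schedule"),
    Practice("IR-1a", "Incident Response", 1, "Events are reported and logged"),
    Practice("IR-2a", "Incident Response", 2, "An incident response plan is documented"),
    Practice("IR-2b", "Incident Response", 2, "The plan is exercised periodically"),
    Practice("IR-3a", "Incident Response", 3, "Lessons learned are fed back into the plan"),
    Practice("AM-1a", "Asset Management", 1, "An inventory of IT/OT assets exists"),
    Practice("AM-2a", "Asset Management", 2, "Inventory is updated on configuration change"),
]

# Constructed self-assessment answers, as a facilitator would record them.
RESPONSES = {
    "RM-1a": FI, "RM-1b": LI, "RM-2a": FI, "RM-3a": PI,
    "IR-1a": FI, "IR-2a": FI, "IR-2b": NI, "IR-3a": FI,
    "AM-1a": PI, "AM-2a": FI,
}

# Constructed target profile, one level per domain.
TARGETS = {"Risk Management": 2, "Incident Response": 3, "Asset Management": 2}


def achieved_level(practices: List[Practice], responses: Dict[str, str]) -> int:
    """Cumulative rule: stop at the first level holding an unachieved practice."""
    level = 0
    for n in range(1, MAX_LEVEL + 1):
        tier = [p for p in practices if p.level == n]
        # An unanswered practice is treated as NI (the conservative reading).
        if tier and all(responses.get(p.pid, NI) in ACHIEVED for p in tier):
            level = n
        else:
            break
    return level


def score_domains(catalog, responses, targets) -> Dict[str, DomainResult]:
    by_domain = defaultdict(list)
    for p in catalog:
        by_domain[p.domain].append(p)
    results = {}
    for domain, plist in by_domain.items():
        target = targets.get(domain, 1)
        blocking = sorted(p.pid for p in plist
                          if p.level <= target and responses.get(p.pid, NI) not in ACHIEVED)
        results[domain] = DomainResult(domain, achieved_level(plist, responses), target, blocking)
    return results


def leadership_summary(results: Dict[str, DomainResult]) -> List[str]:
    """Plain-language lines for a resource request: where we are, where we
    said we would be, and exactly which practices close the gap."""
    lines = []
    for r in sorted(results.values(), key=lambda r: -r.gap):
        if r.gap == 0:
            lines.append(f"{r.domain}: at target level {r.target}")
        else:
            lines.append(f"{r.domain}: level {r.achieved} of target {r.target}; "
                         f"blocked by {', '.join(r.blocking)}")
    return lines


if __name__ == "__main__":
    for line in leadership_summary(score_domains(CATALOG, RESPONSES, TARGETS)):
        print(line)
```

Note the constructed Incident Response domain: its level 3 practice is fully implemented, yet the domain scores level 1 because one level 2 practice (exercising the plan) is not. That is the kind of result an experienced facilitator helps a team interpret, and it is exactly the line item to put in front of management: one named practice with a named level, rather than a general request for more security resources.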