Cybersecurity Maturity Models Can Be Immature

Cybersecurity Maturity Models Can Be Immature 

Like many things in life, cybersecurity posture is a spectrum of states in maturity. Cybersecurity Maturity Model Certifications (CMMC) are all the rage now in IT departments. You can be at one end of the spectrum of cybersecurity maturity, the other end of the spectrum, or maybe somewhere in the middle. The National Institute of Standards and Technology (NIST) and CMMC have defined those security maturity models in five distinct stages. You even often hear some IT departments proudly declare that they are a level three or four or five in terms of their security maturity. We can analytically categorize the levels that compose these security states, and that is a good thing. However, some of these states assume reasonably well-known threat patterns. The challenge is that even with the best possible security posture, novel threats can bring the entire security structure crashing down. This is one of the driving conditions that make a comprehensive cyber security approach an operational and technological necessity. 

Whether it is NIST or CMMC, the five levels of cybersecurity maturity shape up like this: 

• In the first level, the organization is vulnerable. A lack of preparedness is the most palpable description, along with a general lack of structure, documentation, or processes.
• At the second level, an organization becomes more aware, but they are still reactive. They can repeat basic efforts, and they have basic documentation of processes available but only in a reactionary manner. This organization can respond in the timeframe of a few days, but they are vulnerable to data loss, operational gaps, and financial impact.
• Level three marks the beginning of effective security measures. Typically constructed from security, compliance, and regulatory efforts, along with a greater establishment of tight security processes. Security policies and technologies are deployed and are available in documentations for the most critical environments. General assurance of the environment is established, typically including the existence of backups and repeatable issue mitigation. In this scenario, rapid event awareness is the vehicle for enablement, reducing response to hours and sometimes minutes while there is a significant minimization of potential financial loss.
• The next level escalates to a continually compliant state based on external requirements and internal operational standards. The entire environment is managed, logged, and reviewed on a routine basis and continuous monitoring helps eliminate regulatory penalties and awareness of operations across each discipline.
• The highest level in this security maturity level is the optimized proactive posture where information security processes are a model of continual improvement. These processes are tightly integrated with information from throughout the environment, offering feedback, external information, and research, and they can introduce needs-based process updates to better serve the organization. Organizations at this level are able to respond in real time, and they can significantly reduce data and application breaches.

Prepared but Still Exposed 

While these five levels sound good, there are still massive risks from novel threats that can make much of the level two and level three preparedness become obsolete, and perhaps severely compromise even a level four organization. A Zero-Day attack is an unforeseen event that bypasses previously established standard security measures. This makes it difficult for security systems and software providers alike, as they don’t know what threat signature might trigger alarms or not— leaving their products vulnerable in the process. 

During a Zero-Day attack, all that preparedness can be undermined as even a limited opportunity slips through the cracks, unknown and unopposed. Preparing for Zero-Day attacks is critical, with a foundation of: 

• Being proactive
• Maintaining good data backups
• Monitoring traffic, security incidents, and accounts
• Keeping systems up to date
• Zero-Trust implementation

Zero-Day Blinders and Zero-Day Finders 

A key disadvantage of operating as a single organization with a single infrastructure is reduced visibility. In terms of Zero-Day vulnerabilities, a lone organization may only be subject to a single attack at a given time. This makes it easy to lose sight of looming dangers that are continuously present and just as dangerous. 

Among the benefits of leveraging a massive infrastructure, and a adopting the mission to go beyond the final level of security maturity into Zero-Day conditions, is the ability to see incoming threats across different channels, organizations, industries, and geographies. The imperative of Zero-Day threats across a scaled base requires never-ending active identification and hunting of threats throughout the infrastructure. 

When we speak of comprehensive security, it incorporates everything from process to technology to detection monitoring to recovery. It encompasses everything from designing, building and operating the entirety of the IT environments. Absent this complete approach, even proactive organizations cannot rely on their maturity model designation as a crutch against threats. When the significant risk of Zero-Day threats is unacceptable, no stone can be left unturned. 

Check out this piece, originally published in Security Magazine, here and follow me on LinkedIn.