#CyberFLASH: Time to measure your security maturity

Most CISOs think they have a handle on how secure their organization is, pointing with pride to the latest (fill in the blank) system that’s just been installed.

But another way to measure what’s going on is to look at the organization’s security maturity — or, as author Brian Krebs put it in a post Monday, does it make cybersecurity a part of the culture or just pay lip service to it?

There are several models IT security pros can choose from: Krebs cites one crafted by the Enterprise Strategy Group, which breaks organizations down into basic, progressing and advanced. An advanced organization, for example, has a CISO who reports to the CEO, and focuses on incident detection, prevention and response.

An executive at a security vendor suggests a three-tier model that measures maturity in terms of preparedness and expectations. A reactive organization, for example, lacks executive support for IT security, and its IT operations are underfunded, understaffed and lack metrics for reporting. Business units are then ranked 1 to 5 across six categories (for example, security awareness and training).


About canux
© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.