Advisory Note

Maturity Level Matrix for Cyber Security

KuppingerCole Maturity Level Matrixes for the major market segments within cyber security. These provide the foundation for rating the current state of your cyber security projects and programs.

Mike Small

sm@kuppingercole.com

1 KuppingerCole Maturity Level Matrix - How to use this document

Most organizations now critically depend upon IT services to operate, and their business is therefore vulnerable to cyber security incidents. This report provides a tool to evaluate the maturity of your cyber security.

Organizations are moving from using IT services that are exclusively delivered by equipment on-premises to a mixture of delivery models that also include hosting as well as cloud services. The move to this hybrid environment is driven by digital business transformation to provide greater flexibility as well as cost reduction. However, it brings with it increased challenges of management, compliance and security. This makes it essential to continuously review and update your cyber security posture, processes and tools.

1.1 Why Cyber Security projects need regular reviews

Business objectives, organizational best practices and technologies are constantly evolving. It is essential to continuously review your organization’s performance in the light of these changes.

Organizations are under pressure to exploit digital technology to become more flexible, more responsive to customer needs and more efficient. The traditional model where IT services are delivered internally is being challenged as being unresponsive, poorly adapted to connecting with customers as well as too costly, and cloud services are being promoted as the solution. However, this evolution needs to be considered in the context of the increased regulation over the protection and use of data, such as the recent EU GDPR (General Data Protection Regulation). Compliance with these regulations depends upon good cyber security and the use of cloud services means sharing the responsibilities for security with the cloud service provider. Failure to properly manage cyber security risks can result not only in operational failure but also in reputational damage as well as regulatory penalties.

These conflicting challenges have led to the emergence of the hybrid IT service delivery model. When organizations deliver IT services from their own data centres, they have tight control over the security and compliance of processing. The loss of direct control when using externally provided services leads to concerns over compliance and security. The hybrid IT service delivery model addresses these concerns. This model provides greater control by allowing the user organization to locate sensitive data and critical systems on premises or on dedicated resources in a private cloud but adds to the complexity of governance, management and security. The maturity of an organization to manage cyber security must now be judged in the context of this hybrid IT service model.

To understand the security implications of this hybrid model it is necessary to consider the IT service delivery stack. This is because the responsibilities for the different parts of the stack are shared between the CSP (Cloud Service Provider) and the cloud tenant in different ways. There are five distinct service delivery planes and each needs to be managed and secured. These planes range from the physical data centre through the logical infrastructure to the applications and data. For cloud services three of these planes correspond with the cloud service model (IaaS, PaaS and SaaS). When IT services are delivered on premises the responsibility for all five planes is clear. However, in the cloud model, responsibility for managing these planes is split between the customer and the CSP in a way that depends upon how the service is delivered. For each plane there are six important elements that are needed to ensure security.

This is illustrated in Figure 1.

Figure 3: Hybrid IT Security Architecture

1.2 How to use the KuppingerCole Maturity Level Matrixes

The KuppingerCole Maturity Level Matrixes are tools for analysing the current state of IT programs and projects.

They provide information about levels, descriptive characteristics of these levels, and information about the organization and technologies involved at the various levels. Overall, they follow the established concept also found in the CMM (Capability Maturity Model), a methodology originally designed to develop and refine an organization's software development process.

Initiatives to measure cyber security not only enable an organization to understand and realize the potential benefits of investing in improvements to these areas but also provide guided direction on prioritizing projects in the development roadmap.

KuppingerCole recommends assessing your cyber security program on a five-point maturity scale formulated on the Carnegie Mellon Maturity Index. Below is a brief overview of the Maturity Index as applied to cyber security. The below-mentioned criteria are not intended to be comprehensive or complete at every level but are provided to exemplify the degree of maturity achieved at each level.

1. Level 1 – is ad hoc and reactive. Organizations in Level 1 have approached cyber security in an ad hoc manner to date and, for example, have multiple manual approaches.

  • Level 1 Business and Organizational Attributes

    • There is no real visibility of cyber security in the organization and there is no management support for cyber security as a theme relevant to the organization. There are few, if any, policies or guidelines for cyber security that are included in the organizational risk and security documentation. Cyber security KRIs and KPIs are not used. There is no consistent approach to security for cloud / on premises.
    • There is no policy for the use of standards and best practices for cyber security. These are adopted and used in an ad hoc manner.
    • There is no single point of responsibility for cyber security within the organization. The responsibilities are distributed across various parts of the organization in an ad hoc manner. There is no documented responsibility for cyber incident response. Cyber security SI partners, suppliers and cloud services are managed on an ad hoc basis.
    • Cyber security related risks are managed on an ad hoc basis. There is no overall risk analysis process and documentation.
    • Cyber security controls and processes are chosen and implemented in an ad hoc manner. There is no standard process for cyber incidents. There is no project or program concerned with the improvement of cyber security across the organization.
    • The performance of internal cyber security controls is monitored in an ad hoc manner. There is no consistent process for assuring the security aspects of partners and externally provided IT services. There is no consistent approach to requiring performance improvements.
  • Level 1 Technology Attributes

    • There is no overall cyber security architecture – products are chosen and implemented on an ad hoc basis.
    • There is no common policy or approach to the security of data. There is no classification system for data. Identities and entitlements are provisioned and de-provisioned manually. There is no central directory and few automated tools. Authentication and authorization are managed in an ad hoc manner. There is no visibility or control over access to cloud services.
    • There is no consistent approach to managing the security of business applications. The development and acquisition of applications, middleware and tools takes an ad hoc approach to security aspects.
    • There is no consistent approach to the security of networking. The tools and processes for managing network security are chosen in an ad hoc manner and are not integrated. There is no consistent approach to the use of public networks and the internet for business purposes.
    • The cyber security aspects of physical and virtual servers are managed on a case by case basis with no consistent objectives, processes or tools. The cyber security of physical and virtual storage devices and media is managed on a case by case basis with no consistent objectives, processes or tools.
    • Physical access to premises is managed on an ad hoc basis. Access to data centres / computing equipment is managed on an ad hoc basis. There is little planning for business continuity in the event of physical disruptions (e.g. flood, fire, natural disaster and terrorism).

Organizations at level 1 are not well prepared to meet the challenges of cyber security. However, the organization has some measures in place, albeit rather ad hoc, and needs to take steps to determine and close gaps in technology, products, processes, and organizational structure. At this level an organization would find it difficult to provide evidence of compliance with laws and regulations.

4. Level 4 – is characterized by a higher level of automation and efficiency. In effect the processes defined for Level 3 are automated where practical or supported by workflows and other relevant tools.

  • Level 4 Business and Organizational Attributes

    • There is good visibility of cyber security in the organization and strong management support for cyber security as a theme relevant to the organization. There are good policies or guidelines for cyber security that are included in the organizational risk and security documentation. Cyber security KRIs and KPIs are widely used. The governance of cloud and on premises security is integrated.
    • There is a general policy to use cyber security standards and best practices as widely as practical. These are supported by technology with little manual intervention needed.
    • The responsibility for cyber security within the organization is integrated with business risk and compliance. The responsibility for responding to cyber incidents is managed as a business risk. The incident response team is multi-disciplinary and has board level sponsorship. The responsibility for managing Cyber security SI partners is part of business risk. There is a clear responsibility for the management of the security / compliance aspects of each cloud service.
    • There is a common process for managing risks including cyber security related risks and this is mostly integrated with business risk. The compliance / security aspects of cloud services are included in the risk management process. The cyber risk management process is based on a standard framework. There is a complete risk register. Governance risk and compliance are managed through a common tool.
    • Cyber security controls and processes are systematically chosen and implemented based on risk assessments. Cyber security controls and processes are based on best practices. There are granular controls over the access to and the use of cloud services. There is a well-rehearsed, documented process for responding to cyber incidents. There is a project or program concerned with the improvement of cyber security across the organization.
    • The performance of internal cyber security controls is automatically reviewed using standard KPIs/KRIs. There is an automated process for assuring the security aspects of partners and externally provided IT services. Externally provided services / cloud must provide regularly updated independent attestations of conformance to cyber security standards. Where performance needs improvement action is consistently taken.
  • Level 4 Technology Attributes

    • There is a cyber security architecture based on a recognized standard (e.g. NIST 800-37). In some special cases products may be chosen and implemented outside of this. The architecture covers externally provided IT services and cloud in a standard way.
    • There is a classification system for data and tools are used to ensure that this is applied in most cases. Sensitive and regulated data is automatically encrypted, and key management is automated. Identities and entitlements are provisioned and de-provisioned using automated tools that ensure consistency. There is an integrated central directory. Authentication and authorization are implemented consistently using tools. There is control over access to sanctioned cloud applications. There is visibility and control over access to unsanctioned cloud applications.
    • The policies for the security of business applications take full account of the security needs and compliance obligations. The policies are based on standards and best practices such as ISO/IEC 27001 and COBIT. Applications are developed using secure development practices and automated tools to enforce checking and testing. The acquisition of applications, middleware and tools conform to these policies. There is a consistent approach to evaluating the security of cloud services used.
    • There are policies for the security of networking and the tools and processes for managing network security are based on these. The tools and processes follow best practices for network security (e.g. ISO/IEC 27033). There is a consistent approach to securing communications with and within cloud services. The tools are integrated into an SOC and there is some automation of analysis and response processes. There is a policy for the use of public networks and the internet for business purposes.
    • There are policies for the security of physical and virtual computer servers, storage devices and media. The processes and tools used for managing compute and storage security are based on these policies. The processes and tools used follow best practices (e.g. ISO/IEC 27001 and SANS). The processes and tools are mostly integrated with a high degree of automation.
    • The processes for on premises and cloud security are consistent and use common tools where practical.
    • There are policies for physical access to premises and data centres. There are consistent processes to control physical access. These include automated identity checks on entry and departure. Physical and logical identity management is partially integrated. There is a strong physical perimeter around sensitive installations (e.g. data centres). Physical locations are chosen taking into consideration their physical security profile. There is a plan for business continuity in the event of physical disruptions (e.g., flood, fire, natural disaster and terrorism). This plan is regularly tested.

Organizations in competitive market segments depend on a high degree of automation to be able to act in a way that is both agile and cost effective. From a cyber security perspective this means having an effective and mature enterprise architecture that can accommodate the use of local, cloud based and hybrid services.

5. Level 5 – is the optimal level. It builds upon the processes and technologies described in Level 4.

  • Level 5 Business and Organizational Attributes

    • There is excellent visibility of cyber security in the organization and strong management support for cyber security as a theme relevant to the organization. There are excellent policies or guidelines for cyber security that are included in the organizational risk and security documentation. Cyber security KRIs and KPIs are widely used as part of a continuous improvement process. The governance of cloud and on premises security is automated.
    • Cyber security standards and best practices are consistently used through the organization. These are widely supported by relevant technology with minimum / no manual intervention needed to demonstrate compliance.
    • Cyber security is seen as a business risk and responsibility lies with GRC. Elements are delegated as necessary, for example to IT. The responsibility for responding to cyber incidents is a C-level function. The incident response team is multi-disciplinary and has board level sponsorship. The responsibility for managing Cyber security SI partners is part of business risk. There is a single point of responsibility for the management of the security / compliance aspects of each cloud service used.
    • There is a common process for managing risks including cyber security related risks. Managing cyber risk is fully integrated with the management of other business risk. The compliance / security aspects of cloud services are automatically included in the risk management process. The cyber risk management process is fully based on a standard framework. There is a complete risk register. Governance risk and compliance are managed through a common tool.
    • Cyber security controls and processes are systematically chosen and implemented based on risk assessments. Cyber security controls and processes are systematically based on best practices. The controls over the access to and use of cloud services are fully integrated with those for on premises. There is a well-rehearsed standard process for cyber incidents. There is a continuous improvement process for cyber security across the organization. The performance of internal cyber security controls is automatically reviewed using standard KPIs/KRIs.
    • Processes and performance are continuously monitored against industry benchmarks. There is an automated process for assuring the security aspects of partners and externally provided IT services. Externally provided services / cloud must provide continuous evidence of conformance to cyber security standards. Suppliers and partners are required to have a continuous improvement program for cyber security. Where performance needs improvement action is consistently taken.
  • Level 5 Technology Attributes

    • A complete and comprehensive cyber security architecture is based on a recognized standard (e.g. NIST 800-37). Only in very exceptional cases are products chosen and implemented outside of this. The architecture comprehensively integrates the security of IT services however they are provided, in a standard and consistent manner.
    • There is a classification system for data and tools are used to ensure that this is consistently applied. Sensitive and regulated data is automatically encrypted, and key management is automated. Identities and entitlements are provisioned and de-provisioned using automated tools that ensure consistency. There is an integrated central directory. Authentication and authorization are implemented consistently using tools. There is control over access to sanctioned cloud applications. There is full visibility and control over access to unsanctioned cloud applications.
    • The policies for the security of business applications take full account of the security needs and compliance obligations. The policies are based on standards and best practices such as ISO/IEC 27001 and COBIT. Applications are developed using secure development practices and automated tools to enforce checking and testing. The processes for acquisition of applications, middleware and tools implement these policies. The process for acquiring cloud services ensures that they meet security and compliance needs.
    • There are policies for the security of networking that take full account of the security needs and compliance obligations. The tools and processes for managing network security implement these policies. The tools and processes follow best practices for network security (e.g. ISO/IEC 27033). There is a consistent approach to securing communications with and within cloud services. The tools are integrated into an SOC and there is a high degree of automation. There is a policy for the use of public networks and the internet for business purposes and this is enforced.
    • There are policies for the security of physical and virtual computer servers, storage devices and media. The processes and tools used for managing compute and storage security implement these policies. The processes and tools used follow best practices (e.g. ISO/IEC 27001 and SANS). The processes and tools are integrated with a high degree of automation. The processes for on premises and cloud security are consistent and use common tools.
    • There are policies for physical access to premises and data centres. There are consistent processes to control physical access. These include automated identity checks on entry and departure. Physical and logical identity management is fully integrated. There is a strong physical perimeter around sensitive installations (e.g. data centres). Physical locations are chosen taking into consideration their physical security profile. There is a plan for business continuity in the event of physical disruptions (e.g., flood, fire, natural disaster and terrorism). The plan includes cold / hot standby to ensure near continuous service delivery. This plan is regularly tested.

Organizations are only at level 5 when their identity and access management processes and technologies are self-sustaining and fully accommodate organizational requirements. Few organizations will reach this level without full executive support and a board of directors that understands the importance of this in terms of the business benefits and cyber security protection that it provides.

1.3 Key Support Attributes

In addition to the CMM model there are six additional Key Support Attributes.

These attributes are different for the organizational and the technology aspects and are listed in the following two tables. Thus, there are twelve attributes in total which can be used to judge the maturity of cyber security.

Business and Organizational Attributes:

  • Governance & Policies – How the objectives, policies and organization for cyber security are set and managed.
  • Standards and Best Practice – How well the organization has adopted and implemented security best practices and standards.
  • Management Organization – How adequate the organization structure is to successfully implement cyber security policies and objectives.
  • Risk Management – How well the risks relating to cyber security and data protection are assessed and controls are designed.
  • Controls – How adequate the management processes are to implement the cyber security control objectives.
  • Processes Audit and Assurance – How well the cyber security processes and controls are assured, and action is taken to improve performance.

Technology Attributes:

  • Architecture – A security architecture covering all aspects of the hybrid IT delivery model both in cloud and on premises.
  • Data and Access – How the security of business data and control of access to the data and applications are managed.
  • Application Security – How the cyber security of the business application is managed. This includes the middleware and any related tools.
  • Network Security – How the cyber security of the communications network and use of public networks is managed and controlled.
  • Compute and Storage Security – How the security of physical and virtual servers and storage devices is managed and controlled.
  • Physical Security – How the security of data centres and physical access is managed and controlled.

Figure 4: Symbols representing attribute levels

The maturity of the above six supporting attributes is visually displayed, as described in the figure above. Where the shape fill is green this indicates that, based on KuppingerCole’s experience, this level is “good in class”. Where the shape fill is black this indicates that this level is “best in class”.

1.4 Using the Matrix and Supporting Attributes

As an example, the CISO of an organization is conducting a review of its overall cyber security program and security posture. The purpose of this review is to identify:

  • Where there are the greatest risks. The CISO is aware of the recent surge in cyber-attacks on organizations and wishes to ensure that the organization’s exposure to these is at an acceptable level.
  • Where there are opportunities for savings. All IT and security budgets are under scrutiny and there is a need to continuously justify current spending as well as any future investments for their cost effectiveness and to identify potential savings.
  • Where investments would provide returns. The CISO would like to identify any areas where investment in IT security would provide a measurable return. Ideally these would be in support of the organizational plans for digital transformation. However, the returns need to be measurable in terms of savings, improved efficiency or reduced risks.

The recommended approach:

The recommended approach when baselining existing systems and processes is to start by considering the twelve key supporting attributes listed in the tables in section 1.3.

These attributes cover not only the technology aspects but also the organizational aspects. Only by considering these together is it possible to get a balanced view on the current state of play and where action is needed. Taking these all together makes it possible for the CISO to accurately and effectively measure and understand the true maturity of the program as a whole.

Using maturity is also helpful as a way to communicate the results to the organization’s board of directors. Organizational and technology maturity is a concept that is grasped by board members while technical details of cyber security may not be readily understood. It allows the CISO to communicate using the language of the board.

One way to present the overall maturity of the organizational cyber security is as a spider chart. In this the maturity of each of the attributes is presented on a radial, creating a form of star. If the industry norms are presented on the same chart it allows easy comparison of where the organization’s maturity is in comparison with these norms.
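As an added example (not part of the KuppingerCole report), the Python below encodes the twelve key supporting attributes from section 1.3 as a scoring sheet on the five-point scale, summarises the organizational and technology dimensions, lists the attributes that fall below an industry norm (the "greatest risks" question above) and produces the per-radial series for the spider chart. The sample scores and norms are constructed, and treating a dimension as only as mature as its weakest attribute is an assumption, not something the report states.

```python
from typing import Dict, List, Tuple

# The twelve Key Support Attributes, in the order of the two tables in section 1.3.
ORGANIZATIONAL_ATTRIBUTES = (
    "Governance & Policies",
    "Standards and Best Practice",
    "Management Organization",
    "Risk Management",
    "Controls",
    "Processes Audit and Assurance",
)
TECHNOLOGY_ATTRIBUTES = (
    "Architecture",
    "Data and Access",
    "Application Security",
    "Network Security",
    "Compute and Storage Security",
    "Physical Security",
)
ALL_ATTRIBUTES = ORGANIZATIONAL_ATTRIBUTES + TECHNOLOGY_ATTRIBUTES
MIN_LEVEL, MAX_LEVEL = 1, 5  # the five-point maturity scale of section 1.2


def validate_scores(scores: Dict[str, int]) -> None:
    """Reject a sheet that misses an attribute, names an unknown one, or uses an off-scale level."""
    missing = [a for a in ALL_ATTRIBUTES if a not in scores]
    unknown = [a for a in scores if a not in ALL_ATTRIBUTES]
    if missing or unknown:
        raise ValueError(f"missing={missing} unknown={unknown}")
    for name, level in scores.items():
        if not isinstance(level, int) or not MIN_LEVEL <= level <= MAX_LEVEL:
            raise ValueError(f"{name}: level {level!r} is not an integer in {MIN_LEVEL}..{MAX_LEVEL}")


def dimension_summary(scores: Dict[str, int]) -> Dict[str, Tuple[int, float]]:
    """Per dimension: (weakest attribute level, mean level).

    Assumption (not stated in the report): a dimension is only as mature as its
    weakest attribute, so that level is the headline and the mean is reported beside it."""
    validate_scores(scores)
    out = {}
    for dim, names in (("organizational", ORGANIZATIONAL_ATTRIBUTES),
                       ("technology", TECHNOLOGY_ATTRIBUTES)):
        levels = [scores[n] for n in names]
        out[dim] = (min(levels), round(sum(levels) / len(levels), 2))
    return out


def gaps_to_norm(scores: Dict[str, int], norms: Dict[str, int]) -> List[Tuple[str, int]]:
    """Attributes below the industry norm, largest shortfall first (ties keep table order)."""
    validate_scores(scores)
    validate_scores(norms)
    gaps = [(n, norms[n] - scores[n]) for n in ALL_ATTRIBUTES if norms[n] > scores[n]]
    return sorted(gaps, key=lambda g: (-g[1], ALL_ATTRIBUTES.index(g[0])))


def spider_chart_series(scores: Dict[str, int], norms: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """One row per radial: (attribute, organization level, industry norm), in table order."""
    validate_scores(scores)
    validate_scores(norms)
    return [(n, scores[n], norms[n]) for n in ALL_ATTRIBUTES]


# Constructed sample sheet: a self-assessment and an assumed industry norm (illustrative only).
SAMPLE_SCORES = {
    "Governance & Policies": 3, "Standards and Best Practice": 3, "Management Organization": 2,
    "Risk Management": 3, "Controls": 2, "Processes Audit and Assurance": 1,
    "Architecture": 2, "Data and Access": 4, "Application Security": 3, "Network Security": 4,
    "Compute and Storage Security": 3, "Physical Security": 4,
}
SAMPLE_NORMS = {name: 3 for name in ALL_ATTRIBUTES}
SAMPLE_NORMS["Data and Access"] = 4
SAMPLE_NORMS["Network Security"] = 4

if __name__ == "__main__":
    print(dimension_summary(SAMPLE_SCORES))
    for name, gap in gaps_to_norm(SAMPLE_SCORES, SAMPLE_NORMS):
        print(f"{name}: {gap} level(s) below the industry norm")
```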
