As an industry, we encourage a lot of spending.
There are a lot of products with a lot of capabilities, a lot of activity by a lot of people and a lot of second guessing about whether all that is actually helping. I find that when I talk to people, the common feeling is along the lines of, “I know I’m doing a lot. I know I’m spending a lot. What I don’t know is if it’s making me any more secure. Is it doing anything useful or am I just running in place?”
Thankfully, there’s an easy way to answer that question. It’s called a cybersecurity maturity assessment.
The purpose of a maturity assessment is to capture an objective view of what you’re doing and help you to gain a better understanding of your cybersecurity maturity. It helps your organization understand whether you’re doing the right stuff and if you’re doing the right stuff well.
Below I answered some questions to help those new to the idea of digital maturity assessments understand a little better why we do them and what to expect when you conduct yours.
Do I have to do a maturity assessment before I build my cybersecurity program?
The dirty secret is that nobody does a maturity assessment before they build a cybersecurity program. That’s actually part of the fundamental problem with our industry and the way security is approached. If we all were starting from scratch, we’d build a business already thinking about security and our customer’s data privacy and how we’re effectively protecting our business. But businesses never start like that; businesses start and security gets bolted on as the business grows. At some point, someone realizes “hey we need to do something with security,” and it becomes somebody’s part-time job and grows from there.
For a real life example of what this looks like, in 1994 I got my company, a small chemical manufacturer, connected to the internet. I was on the phone with the ISP as we finished the connection, and they said, “By the way, you might want to set up a firewall.” I had never heard of a firewall before, and that’s how I got drafted into security. If I had done it thoughtfully, I would have set up some security before connecting it to the internet but instead, I built the thing organically and then later realized I might want some security for it.
What can a maturity assessment tell me?
It’s one thing to have Splunk, but when you only have it being fed by 1% of your systems, you’re not really getting any of the benefits out of such an amazing technology. A digital maturity assessment will look at key areas of what you’re operating, assess if you’re using the technology’s capabilities to its fullest and if you have it widely deployed enough to be impactful.
One of the key benefits of a maturity assessment is that it will point out to you the areas where you have the right tool but are not using it the right way or if you have a tool that’s maybe not super great, but is easy to set up across your whole infrastructure and gets everything covered at last kind of. Of all the activities you’re doing, it will show you which ones are making the most impactful contribution.
What metrics or elements are used to determine maturity?
The deepwatch maturity model focuses on three key elements:
- Data Available: What are the data sources that you have available? What tools actually help you understand what’s happening in your environment? These inputs can be assets on your network, or they can be the kind of activities happening in your environment.
- Data Analytics: What are you doing with the data that you have? This could be sheer analytics and numbers, or it could be the ability to say “this activity is abnormal.”
- Data Coverage: How comprehensively are you collecting data and applying analytics insights across your whole environment? If you have insights for your servers, but not from, say, AWS servers, you’re not getting the full picture. Your overall maturity is still unknown.
There is no set level of “good maturity”. It’s all within context. To reflect this, our cybersecurity capability maturity model is not purely linear; it’s a logistic curve. When you’re first getting started, certain things can have an outsized impact because you have so few capabilities. Just having a firewall, even if you have the basic settings enabled, is better than being open to the internet.
As you get more sophisticated and as your maturity improves, adding more tools can have a diminishing effect. There actually comes a point where you might want to say “While I could add network detection response data, it won’t meaningfully change my security maturity.”
What changes impact maturity (positively or negatively)?
On the positive front, actually leveraging the tool to its maximum capability has a tremendous impact on maturity. There are five thousand vendors out there, and they all have good products. There’s just no way that you can buy and get everything out of them. In our experience, you get more value out of something even if it has middle of the road capabilities than scratching the surface of an expensive best of breed product.
Negative impact is actually the inverse of that and is typical of our industry. We spend a lot of money to bring in a best of breed solution that we either only ever leave in learning mode because we don’t have the ability to actually turn it to its active protection mode, or we’re not able to get it deployed in a sustainable enough way to provide a helpful boost. From a maturity standpoint that’s bad because that’s taken my time and dollars away from other things I could be getting value from.
How often should you check your maturity?
Seriously though – now, and it’s not that hard. deepwatch SCORE just takes a couple of minutes, and you’ll get an initial take of how your current environment fairs against our cybersecurity capability maturity model. Once you get your score, you’ll know where you’re at and how you compared to peers. deepwatch SCORE also offers recommendations on what you can do to improve. As you change things in your environment, as you have more budget or bring in new tools or get more comfortable with your capabilities, come back and see how those efforts impact your score.
To generate a score, we take those three components outlined above and apply some notion of diminishing returns or outside benefits early on, and we generate a score from 1-10 that represents what we believe your maturity is.
deepwatch customers get the luxury of an update anytime they log into their customer portal. We give our customers daily updates within the deepwatch MOBILE app, so they have a minute by minute understanding of how their maturity is doing. Because of the use of our cloud SecOps platform, we know exactly what new things have come online, what analytics have been activated, and when new devices have been deployed.
Combine your resources with our experience for a perfect match
Wherever you stand with your maturity, we’re here to help. As a vendor agnostic MSSP, we’ll work with whatever technologies you have, and if we think one may work better after undergoing a maturity assessment, let you know our recommendation. Collectively, we’ll work with you to find which tools and resources you need to improve your maturity.
Our years of experience mean we know the things that work well for customers in financial services compared to the things that work well for our energy generation customers, and we’re happy to share our expertise and experience with you. We work with the biggest names in the industry and can help you understand your best path to cybersecurity maturity. Let us know how we can help.