Back when I was running an intrusion detection team for portions of a company whose main business lines had nothing to do with security, I encountered a problem that I don't think is uncommon. I found myself needing to explain why certain capabilities weren't possible, why other capabilities weren't needed yet, and why still other capabilities we already had weren't optimized. I discovered a language barrier between me, the practitioners, and the executive staff. To get everyone on the same page with nomenclature, I decided to try my hand at a Capability Maturity Model (CMM), as that was an accepted model type at the time.
First, I wanted to see what was available out there. My searches for information security (infosec) CMMs fell flat at the time, as virtually all of them were focused on governance, risk management, and compliance (GRC) concerns, though I understand there may be more operationally focused CMMs in existence now (e.g. energy.gov references). The GRC models stopped at the protection or prevention piece of the cyber security puzzle but didn't take into account the other real capabilities needed to actually protect my networks and data: threat detection, intelligence, and response. There is a time and place for GRC CMMs, but they didn't solve my problem. My problem was articulating where we were on the maturity scale from a security operations, or "infosec," or "cyber security" focus (terms I've used to differentiate cyber threat intel/prevention/detection/response from GRC).
My second endeavor was to attempt to categorize "infosec" into discrete competencies. By "competency," I am referring to the inclusive set of people, processes, and technologies needed to produce its full effect. A "competency" is also meant to describe a core goal, or effect, of an infosec program and is mostly self-evident. For example, I don't immediately consider compliance a core goal; rather, I included the more abstract goal of Prevention as one competency of infosec. Compliance, however, is a key enabler shared by most competencies of infosec and GRC, just like tooling and security architecture and engineering. I acknowledge these, and perhaps other, key enablers of a mature infosec program, but I don't discretely call them out in my model.
Here are the core competencies I felt were needed in a mature infosec program or organization:
As evident in Figure 1, a core competency can exist at a different maturity level than others. However, I believe it is very difficult to fully mature one competency without the maturation of others as well. This can create an imbalanced posture, which can begin to undermine efficiencies in your infosec program.
Some quick definitions of terms in Figure 1:
Of the four core competencies, I'd argue that Intel is the easiest to achieve Level 5 - Adaptive status as some of this domain is still greenfield. Granted, that still doesn't mean it's easy. Next easiest would be IR as this is the only competency completely within your control - how you respond to a threat depends on your own risk tolerance and strategy. More difficult to achieve Level 5 status would be Detect - finding all threat activity known in our industry plus finding some of the unknown is a tall order. Finally, most difficult to achieve top maturity is Prevent. Detecting unknowns is one thing; preventing them takes it to an entirely different level.
More holistically, Figure 2 captures what an infosec organization may look and feel like at each maturity stage.
I estimate that there are virtually no organizations fully representative of Level 5 - Adaptive maturity. Or, at the least, it is extremely rare. To reach this level, maturity growth up the other levels is arguably sequential and cumulative. It's like math - you start with a solid foundation and then increasingly add abstractions and complexity. Additionally, I strongly believe that to reach Level 5, and stay at Level 5, you must have very developed thought leadership and people leadership. Level 5 is less a destination than an ideal of continual evolution and innovation after reaching the bleeding edge. I gather that most "mature" (from a surface, reputational, or anecdotal perspective) infosec programs out there are somewhere around Level 3 - Organized and possibly breaking into the Level 4 - Optimized space, perhaps with just one or two core competencies.
I mentioned earlier my desire to create the four core competencies due to their real effect on security posture. To visualize what that effect is, Figure 3 attempts to reveal what the total threat presence on your network looks like as you mature up the CMM. "TTPs" = tactics, techniques, and procedures of an attacker.
The presence of the threat on your network should change as your infosec organization matures. Understanding how it changes over time represents maturity in threat knowledge, anticipation, and risk perspective. The Level 5 effects on the threat should be an ongoing and tightening spiral of improving cyber security TTPs that result in attackers modifying their TTPs.
I presented this model to my leadership at the time, and I do believe it considerably helped articulate strategy, especially in the realm of Detect, which I will write about in a future blog. I hope you find it just as helpful.