Level up: How to test and improve your cybersecurity maturity


Cybersecurity isn't an on/off switch. Instead, levels of maturity exist—the higher the level, the better companies are able to handle potential cybersecurity risks. Research firm McKinsey, however, found that just 10% of organizations said they were "approaching advanced cybersecurity functions," and only 20% had achieved mature cybersecurity. The remaining 70% were yet to adopt a mature approach, with the vast majority taking an ad-hoc approach to IT defense.

The result? While there's significant room for growth in many organizations, it requires an understanding of the cybersecurity maturity spectrum, testing of current frameworks to identify current maturity levels, and assessment of existing processes to pinpoint the most effective way forward.

Cybersecurity maturity: the basics

Originally developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), the Cyber Maturity Model Certification (CMMC) describes five "levels" of maturity to help companies determine where current processes and practices place them in terms of maturity.

• Level 1, basic cyber hygiene practice: Level 1 is a simple cybersecurity approach that includes 17 NIST SP 800-171 Rev. 2 controls. Basic controls include firewalls and endpoint management tools, but overall security processes are often "ad hoc."

• Level 2, intermediate cyber hygiene practice: Level 2 establishes standard operating procedures (SOPs) for all practices and includes all Level 1 requirements plus 55 more NIST SP 800-171 Rev. 2 controls.

• Level 3, good cyber hygiene practice: Level 3 implements processes to regularly review existing policies and provides proper funding for new initiatives. It includes an additional 58 NIST controls.

• Level 4, proactive practice: Level 4 takes a proactive approach by creating and reviewing consistent controls across the enterprise. An additional 26 controls are also required.

• Level 5, advanced/progressive practice: Level 5 includes advanced incident monitoring and management designed to optimize security processes. It includes 15 additional controls.

Cybersecurity maturity starts with the recognition that breaches are inevitable and tools are necessary. Next is the recognition that effective security doesn't happen in isolation, followed by the realization that robust detection is essential for defense. Put simply, it's the progression from perimeter protection to network barricade building to collective defense.

Assessing your organization's cybersecurity maturity

To assess your current cybersecurity maturity—and determine the most effective route to the next level of maturity— questions are critical. By asking the right questions, organizations can identify key pain points that limit security maturity and define processes that address these issues to help improve maturity levels.

Common questions include:

1. How many hours per day does your team spend handling false positives?

Numerous studies have shown that IT teams spend more time on false positives compared to actual security breaches. If analysis of false positives reveals that your team is devoting hours of their day to handling false positives rather than dealing with actual breaches, there's room for security maturity improvement. Here, tools capable of correlating detected network threats can help determine if alerts are actual issues or simply false positives.

2. How many security tools are currently in use?

While more security tools may increase overall protection, they can also lead to fragmentation of key data that makes it harder for companies to pinpoint and react to key issues. For example, if intrusion detection systems don't work well with data quarantine tools, the result can be attacks that spend longer in your systems than they should. Complete visibility of existing security stacks is critical to help boost overall maturity.

3. What types of threat intelligence are in place?

Threat intelligence and threat hunting can help identify potential attacks before they occur but are only as effective as the depth of knowledge available. Tools that offer deep dives into company networks but lack the breadth of knowledge that comes with understanding industry-wide attacks may provide some peace of mind but ultimately frustrate cybersecurity maturity.

The advent of collective threat intelligence tools, meanwhile, focuses on the exchange of anonymized threat data to build a more complete attack model.

4. Are current processes reactive or strategic?

If the priority of IT and security teams is "keeping the lights on," then this creates a reactive security posture that puts organizations on their back foot. When threats emerge, companies must respond as attacks are happening in real time. By adopting a more strategic approach that sees attack detection and threat intelligence exchange done simultaneously, businesses can boost overall maturity.

5. What does your "kill chain" look like?

Historically, if attackers were right just once, they could breach corporate networks. Security teams, meanwhile, had to be right all day, every day to prevent potential threats. The evolution of security approaches such as zero trust network architecture (ZTNA), however, introduced a segmented "kill chain" approach that allows teams to stop attackers at multiple inflection points.

Leveling up cybersecurity maturity

The process of improving security maturity doesn't happen overnight. By combining NIST best practices with an assessment of current pain points and strategies to reduce overall risk, it's possible for companies to move from at-risk, ad-hoc security to more proactive and protective processes that set the stage for ongoing cybersecurity growth. Ready to level up? Start strong with IronNet.

Want to keep reading?