At this year’s RSA Conference, there was strong focus on identifying where your company’s security posture is in terms of maturity. As Brian Krebs touched on in a recent post, there are many different maturity models outlining what your company is doing, and what it should be doing. Of course each company is different, and the path to reducing risk is never a straight line. It is, however, something that needs to be approached strategically, and taken seriously.
When I was the CISO at Providence Health, I used the Carnegie Mellon Maturity Model as a way to help the board and senior executives understand exactly how well we were doing from a security standpoint. It’s disconcerting how often a company relies on metrics such as “number of breaches stopped” or “number of vulnerabilities patched.” They’re just numbers. They only show that someone is performing a function, but do not necessarily indicate that the job is being done well.
When I moved to Core Security, I continued to face the same issue. Organizations I met with didn’t have a strategic approach to vulnerability management other than scan-and-patch plus PCI as a framework. This was another case of just numbers.
Knowing this was not the best approach, we wanted to pull together a Threat and Vulnerability Management Maturity Model that would allow any organization to significantly reduce the risk of breach. One of the challenges that often comes with attempting to follow such a model, as noted by some other folks commenting on Krebs’ initial post, is that they are often presented without actionable details. They’re simply a description of each level with no detail behind it on how to advance your organization or why you should do so. It’s one thing to show someone that their threat and vulnerability management (TVM) program is operating far below its potential; we sought to go a step beyond this by clearly outlining how to reach maturity.
People focus too much on trying to patch every single vulnerability instead of focusing on the critical assets that are most at risk and most important to the organization. They can prevent attacks by consolidating multiple vulnerability scanner feeds, analyzing findings against known exploits, and prioritizing the most critical vulnerabilities for remediation. Further, by simulating potential attack paths through the IT infrastructure, they can efficiently and effectively protect their critical assets.
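As an added illustration of the consolidate, analyze and prioritize step described above (example code written for this post, not code from the original article or from Core Security), the following Python merges two scanner feeds, drops duplicate findings, and ranks what remains by weighting CVSS with asset criticality and known-exploit availability. The scanner output, asset ratings and the exploit set are constructed sample data, and the CVE identifiers are placeholders.

```python
"""Consolidate findings from several scanner feeds and rank them by risk.

Added example, not from the original post. All hosts, CVE identifiers,
criticality ratings and the 'known exploit' set are constructed sample data.
"""

# Constructed feeds from two hypothetical scanners: (host, cve, cvss)
SCANNER_A = [
    ("db01", "CVE-0000-0001", 9.8),
    ("web01", "CVE-0000-0002", 7.5),
    ("kiosk07", "CVE-0000-0003", 9.1),
]
SCANNER_B = [
    ("db01", "CVE-0000-0001", 9.8),   # same finding reported by both scanners
    ("web01", "CVE-0000-0004", 5.3),
    ("kiosk07", "CVE-0000-0005", 8.8),
]
# Constructed: business criticality of each asset (1 = low, 5 = crown jewels)
ASSET_CRITICALITY = {"db01": 5, "web01": 4, "kiosk07": 1}
# Constructed: CVEs for which a working exploit is publicly known
KNOWN_EXPLOITS = {"CVE-0000-0002", "CVE-0000-0003"}


def consolidate(*feeds):
    """Merge feeds, keeping one entry per (host, CVE) with the highest CVSS seen."""
    merged = {}
    for feed in feeds:
        for host, cve, cvss in feed:
            key = (host, cve)
            merged[key] = max(cvss, merged.get(key, 0.0))
    return merged


def risk_score(host, cve, cvss):
    """Weight raw CVSS by asset criticality and double it if an exploit is known."""
    exploit_factor = 2.0 if cve in KNOWN_EXPLOITS else 1.0
    return cvss * ASSET_CRITICALITY.get(host, 1) * exploit_factor


def prioritize(*feeds):
    """Return (score, host, cve, cvss) tuples ordered from highest to lowest risk."""
    merged = consolidate(*feeds)
    ranked = [(risk_score(h, c, s), h, c, s) for (h, c), s in merged.items()]
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    for score, host, cve, cvss in prioritize(SCANNER_A, SCANNER_B):
        print(f"{score:6.1f}  {host:8} {cve}  cvss={cvss}")
```

Note that the CVSS 9.1 finding on the low-value kiosk ranks below a CVSS 5.3 finding on the critical web server, which is the point of prioritizing by asset rather than by raw score.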
I’d love to get your feedback – where does your organization stand on this maturity model? Do the next steps seem realistic? What other maturity models have you followed successfully, and what made them effective? I believe that only once we move past the basics of counting breaches and patches and actually start maturing our approach to security, do we have a real chance to win this fight.